Every Claimory security control, end to end: TLS 1.2 or higher in transit, AES-256 at rest, workspace-isolated Postgres row-level security on every table, audit logging on sensitive actions, encrypted secrets management, and daily backups via our infrastructure provider. Failed logins are logged for manual admin review, super-admins can manually block IPs, and rate-limit infrastructure is in place. SOC 2 Type II readiness review is planned, and controls are modeled after the SOC 2 trust services criteria.
All traffic uses TLS 1.2 or higher with HSTS preload. Data at rest is AES-256 encrypted. Every workspace is isolated by Postgres row-level security on every table, so one shop cannot read another shop's claims, customers, or financials, even by manipulating the URL.
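The per-table isolation described above follows a standard Postgres row-level security pattern. The following is an added illustration of that pattern, not Claimory's own schema or policies; it assumes a hypothetical `claims` table with a `workspace_id` column, an application role named `claimory_app`, and a session variable `app.workspace_id` that the application sets after authenticating the request.

```sql
-- Constructed example: workspace-scoped row-level security in Postgres.
-- Assumes every tenant-owned table carries a workspace_id column and the
-- application sets app.workspace_id on the connection once the session is
-- authenticated. Table and role names are placeholders.

CREATE TABLE claims (
    id           bigserial PRIMARY KEY,
    workspace_id uuid   NOT NULL,
    status       text   NOT NULL,
    amount_cents bigint NOT NULL
);

-- Enable RLS and FORCE it. Without FORCE the table owner (often the role that
-- runs migrations) bypasses every policy, which silently defeats isolation.
ALTER TABLE claims ENABLE ROW LEVEL SECURITY;
ALTER TABLE claims FORCE ROW LEVEL SECURITY;

-- One policy covering reads (USING) and writes (WITH CHECK).
-- current_setting(..., true) returns NULL when the variable was never set, and
-- NULLIF turns an empty string into NULL as well; comparing a uuid to NULL is
-- never true, so a connection that forgot to set its workspace sees and
-- writes nothing rather than everything.
CREATE POLICY workspace_isolation ON claims
    USING      (workspace_id = NULLIF(current_setting('app.workspace_id', true), '')::uuid)
    WITH CHECK (workspace_id = NULLIF(current_setting('app.workspace_id', true), '')::uuid);

-- The application role must be neither a superuser nor BYPASSRLS, or the
-- policy above is ignored for its connections.
CREATE ROLE claimory_app NOLOGIN NOSUPERUSER NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON claims TO claimory_app;

-- Per request, as claimory_app. SET LOCAL scopes the value to the current
-- transaction, so a pooled connection cannot carry one tenant's workspace
-- into the next tenant's request.
BEGIN;
SET LOCAL app.workspace_id = '11111111-1111-1111-1111-111111111111';  -- constructed id
-- A claim id taken from a manipulated URL returns no row unless it belongs
-- to this workspace; the policy is applied before the WHERE clause.
SELECT id, status, amount_cents FROM claims WHERE id = 42;
COMMIT;
```

A useful check in a staging environment is to run the same `SELECT` from a second session with a different `app.workspace_id` and confirm it returns zero rows, then once more with the variable unset and confirm it also returns zero rows.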
Authentication is by email and password, with bcrypt password hashing and HTTP-only, Secure session cookies. Role-based permissions cover Owner, Manager, Estimator, Technician, and Front Desk. Two-factor authentication is on our near-term roadmap. Failed login attempts are logged so a super-admin can review them manually and block an IP if needed. Rate-limit infrastructure is in place.
An audit log records every sensitive action: claim creation, supplement submission, customer access, role change, secrets change, and integration connect and disconnect. OAuth tokens, SMS credentials, and shop secrets are stored encrypted in a dedicated secrets-management layer with its own separate secrets audit log. Daily automated backups run via our infrastructure provider. The incident-notification target is 72 hours.
Failed login attempts are logged so a super-admin can review them manually and block an IP when warranted. Rate-limit infrastructure is in place. Automated brute-force detection and automatic IP blocking are not advertised as shipped capabilities.
Two-factor authentication is on our near-term roadmap. Today, each account is protected with email-and-password authentication, role-based permissions, and rate-limited login with failed-attempt logging for admin review.
Not yet. SOC 2 Type II readiness review is planned. Current controls (encryption, access review, audit logging, incident response) are modeled after the SOC 2 trust services criteria.