Security at ClaimFlow
Your claim data is sensitive. We treat security as a core feature, not an afterthought.
How We Protect Your Data
Multiple layers of security protect your information at every step
Encryption at Rest
All sensitive data stored in our database is encrypted using Fernet symmetric encryption. Your claim documents and extracted data are protected even at the storage level.
Encryption in Transit
All communication between your browser and our servers is encrypted with TLS/SSL. API requests, file uploads, and data transfers are protected during transmission.
Enterprise Authentication
Powered by Clerk, our authentication supports SSO, multi-factor authentication, and role-based access control. Every API request is verified with JWT tokens signed by RS256.
PCI-Compliant Billing
All payment processing is handled by Stripe, a PCI DSS Level 1 certified provider. We never store, process, or have access to your credit card information.
Tenant Isolation
Each organization's data is logically isolated. Users can only access claims and reports belonging to their own organization. Role-based permissions control what each team member can see and do.
No Data Sharing
Your documents and extracted data are never shared with third parties, sold to data brokers, or used for AI model training. Your client information remains completely private.
Infrastructure Security
Cloud Hosting
ClaimFlow runs on Railway's managed infrastructure with automatic TLS certificates, DDoS protection, and isolated container deployments. Our database uses PostgreSQL with encrypted connections (SSL required), connection pooling, and automatic backups.
Application Security
Our application follows OWASP security best practices including input validation on all user inputs, parameterized SQL queries to prevent injection attacks, CORS protection, rate limiting on all API endpoints (both per-user and global), secure HTTP headers, and CSRF protection. Non-root container deployment further limits the attack surface.
Error Monitoring
We use Sentry for real-time error tracking and monitoring. Personal data is scrubbed from error reports before transmission. We actively monitor for security anomalies and respond to incidents promptly.
AI Processing Security
Documents sent to Anthropic's Claude API for extraction are processed in real-time and are not stored or used for model training per Anthropic's API data usage policy. Anthropic retains API logs for up to 30 days for safety monitoring, then deletes them automatically. All API communication uses encrypted HTTPS connections.
Authentication Security
Authentication is handled by Clerk, which provides enterprise-grade security including JWT tokens verified via JWKS (JSON Web Key Sets), RS256 cryptographic signing, issuer and audience claim verification, and automatic token expiration. Our authentication system fails closed — if verification cannot be completed, access is denied.
Billing Security
All billing enforcement uses atomic database operations to prevent race conditions. Subscription status is verified server-side on every billing-relevant request. Webhook signatures are cryptographically verified to prevent tampering. We never store payment card data on our servers.
AI Accuracy and Transparency
Our Commitment to Transparency
ClaimFlow uses artificial intelligence to extract data from insurance claim documents. While we strive for the highest possible accuracy, AI technology is inherently probabilistic and may produce outputs that contain errors, omissions, or inaccuracies.
All AI-generated outputs should be reviewed by qualified professionals before being used for claim decisions, client communications, or any professional purpose.
Factors that may affect extraction accuracy include document scan quality, handwritten annotations, non-standard document formatting, unusual layouts, and image resolution. We recommend verifying extracted line items, amounts, and calculations against the original source document.
What We Do
- Use state-of-the-art AI models for maximum accuracy
- Continuously improve our extraction pipeline
- Provide tools for you to review and correct extracted data
- Clearly label all AI-generated content
Your Responsibility
- Review all extracted data before professional use
- Verify amounts and calculations against source documents
- Ensure uploaded documents are legible and properly formatted
- Do not use AI outputs as the sole basis for claim decisions
Security Questions or Concerns?
If you have questions about our security practices, need to report a vulnerability, or require additional security documentation for your organization's review process, please reach out.