Security & Data Protection

ClaimDraft by Empowered Solutions Ltd

Effective January 1, 1970

§ 1

Overview

ClaimDraft is designed to handle insurance claim documents professionally and securely. This page documents the technical and administrative safeguards we maintain to protect user data, including Nonpublic Personal Information (NPI) contained in uploaded insurance documents.

§ 2

Data classification

Data typeClassificationStorage & access
Account information (name, email, company)Standard PIISupabase Auth — encrypted, user-accessible only
Uploaded denial letters and scope documentsSensitive NPIPrivate Supabase Storage — user-accessible only, signed URLs
Generated lettersWork ProductPrivate Supabase Storage — user-accessible only
Intelligence layer dataAnonymized aggregatecarrier_patterns table — PII stripped, aggregate only
Payment informationFinancial PCIStripe — ClaimDraft never stores card data
§ 3

Technical safeguards

  • All data transmitted over encrypted TLS connections
  • Supabase Row Level Security (RLS) enforces user-level data isolation at the database layer
  • Uploaded files stored in private buckets — no public URLs, signed download URLs expire in 10 minutes
  • File paths prefixed with authenticated user ID — cross-user access is architecturally impossible
  • Server-side API keys — Anthropic API key and Supabase service role key never exposed to browser
  • Authentication required for all data access — no anonymous data retrieval
  • PII stripping occurs server-side before any data enters the intelligence layer
§ 4

Third-party data processors

ServicePurposeData sharedTheir privacy policy
SupabaseDatabase, Auth, StorageAccount data, uploaded documents, generated letterssupabase.com/privacy
AnthropicAI letter generationUploaded document content (processed in transit only)anthropic.com/privacy
StripePayment processingEmail address, subscription statusstripe.com/privacy

Note: Anthropic processes uploaded documents in transit to generate letters. Per Anthropic's API terms, inputs are not used for model training and are not retained beyond the processing request.

§ 5

Incident response

In the event of a data security incident affecting NPI, Empowered Solutions Ltd will notify affected users within 72 hours of discovery, consistent with applicable breach notification requirements. Notifications will be sent to the email address on file for each affected account.

§ 6

Contact

Security questions or to report a vulnerability: security@claimdraft.app