Security & Data Protection
ClaimDraft by Empowered Solutions Ltd
Effective January 1, 1970
Overview
ClaimDraft is designed to handle insurance claim documents professionally and securely. This page documents the technical and administrative safeguards we maintain to protect user data, including Nonpublic Personal Information (NPI) contained in uploaded insurance documents.
Data classification
| Data type | Classification | Storage & access |
|---|---|---|
| Account information (name, email, company) | Standard PII | Supabase Auth — encrypted, user-accessible only |
| Uploaded denial letters and scope documents | Sensitive NPI | Private Supabase Storage — user-accessible only, signed URLs |
| Generated letters | Work Product | Private Supabase Storage — user-accessible only |
| Intelligence layer data | Anonymized aggregate | carrier_patterns table — PII stripped, aggregate only |
| Payment information | Financial PCI | Stripe — ClaimDraft never stores card data |
Technical safeguards
- All data transmitted over encrypted TLS connections
- Supabase Row Level Security (RLS) enforces user-level data isolation at the database layer
- Uploaded files stored in private buckets — no public URLs, signed download URLs expire in 10 minutes
- File paths prefixed with authenticated user ID — cross-user access is architecturally impossible
- Server-side API keys — Anthropic API key and Supabase service role key never exposed to browser
- Authentication required for all data access — no anonymous data retrieval
- PII stripping occurs server-side before any data enters the intelligence layer
Third-party data processors
| Service | Purpose | Data shared | Their privacy policy |
|---|---|---|---|
| Supabase | Database, Auth, Storage | Account data, uploaded documents, generated letters | supabase.com/privacy |
| Anthropic | AI letter generation | Uploaded document content (processed in transit only) | anthropic.com/privacy |
| Stripe | Payment processing | Email address, subscription status | stripe.com/privacy |
Note: Anthropic processes uploaded documents in transit to generate letters. Per Anthropic's API terms, inputs are not used for model training and are not retained beyond the processing request.
Incident response
In the event of a data security incident affecting NPI, Empowered Solutions Ltd will notify affected users within 72 hours of discovery, consistent with applicable breach notification requirements. Notifications will be sent to the email address on file for each affected account.
Contact
Security questions or to report a vulnerability: security@claimdraft.app
