
Security at ClaimCircuit

Claims work involves sensitive customer information and high-stakes decisions. The controls below describe how ClaimCircuit is built today — what's actually in place, not aspirational.

  • SOC 2 Type II

    Attestation issued January 2026.

  • ISO 27001

    In progress.

  • HIPAA

    Not claimed.

Infrastructure & data protection

Hosting
AWS us-east-1, Northern Virginia.
Encryption at rest
AES-256, with keys managed in AWS KMS.
Encryption in transit
TLS 1.3.
Tenant isolation
Logical separation via PostgreSQL Row Level Security: every table carries a tenant_id column, and the policies filter on it.
Access control
RBAC enforced. MFA required for all users. SSO mandatory for Enterprise.
Audit trail
Append-only, immutable logs for all claim brief modifications, retained for 7 years.
Incident response
24/7 NOC monitoring, with a P1 response target under 2 hours.

AI governance

AI drafts the work for a qualified human to review. These are the controls that keep AI output accountable.

Model provider
Azure OpenAI Service, GPT-4o.
Data residency
Azure US East. No customer data leaves the United States.
Training policy
Contractual zero-training clause: client data is not used to train or improve foundation models unless the client explicitly opts in.
Human-in-the-loop
The system generates suggestions. No claim is closed, denied, or approved without a registered user's e-signature.
Verification logic
AI-generated briefs cite the original document page and paragraph.
Auditability
Every AI output is tagged with its model version and prompt ID.

Application controls

Role-based access

Workspace members hold one of owner, admin, adjuster, reviewer, or viewer. Each role has scoped permissions enforced at the database layer through row-level security policies, not just in the UI.

Organization data isolation

Claims, evidence, customers, policies, AI outputs, and audit logs are partitioned by organization. Members of one workspace cannot read or write another workspace's records.
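Taken together, Tenant isolation (above), Role-based access and Organization data isolation describe one control: PostgreSQL Row Level Security filtering on tenant_id and gating writes by workspace role. The schema below is an added example of that pattern and is not ClaimCircuit's own schema or policy text; the table, role, column and setting names, and the choice to pass tenant and role as transaction-local settings, are assumptions made for illustration.

```sql
-- Added example of PostgreSQL Row Level Security for tenant isolation and
-- role scoping. Not ClaimCircuit's schema: table, role, column and setting
-- names are assumptions chosen for illustration.
CREATE TABLE claims (
    id        bigserial PRIMARY KEY,
    tenant_id uuid NOT NULL,
    status    text NOT NULL DEFAULT 'open',
    summary   text
);

-- The application connects as a low-privilege role. RLS is skipped for
-- superusers, for roles with BYPASSRLS and (unless FORCE is set) for the
-- table owner, so the app role must be none of those.
CREATE ROLE app_user NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE ON claims TO app_user;
GRANT USAGE ON SEQUENCE claims_id_seq TO app_user;

ALTER TABLE claims ENABLE ROW LEVEL SECURITY;
ALTER TABLE claims FORCE ROW LEVEL SECURITY;

-- Request context, set by the application inside each transaction after it
-- has authenticated the session and resolved the user's workspace role:
--   SET LOCAL app.tenant_id = '<uuid>';  SET LOCAL app.role = 'adjuster';
-- NULLIF(..., '') turns an unset or reset setting into NULL, so a connection
-- with no context matches zero rows instead of erroring or matching all.
CREATE FUNCTION current_tenant() RETURNS uuid
LANGUAGE sql STABLE AS $$
    SELECT NULLIF(current_setting('app.tenant_id', true), '')::uuid
$$;

CREATE FUNCTION current_app_role() RETURNS text
LANGUAGE sql STABLE AS $$
    SELECT NULLIF(current_setting('app.role', true), '')
$$;

-- Every workspace member may read rows of their own tenant.
CREATE POLICY claims_read ON claims FOR SELECT TO app_user
    USING (tenant_id = current_tenant());

-- Only roles that do claims work may write, and only within their tenant;
-- reviewer and viewer match no write policy and are denied by default.
CREATE POLICY claims_insert ON claims FOR INSERT TO app_user
    WITH CHECK (tenant_id = current_tenant()
                AND current_app_role() IN ('owner', 'admin', 'adjuster'));

-- WITH CHECK on UPDATE keeps a row from being moved into another tenant.
CREATE POLICY claims_update ON claims FOR UPDATE TO app_user
    USING (tenant_id = current_tenant()
           AND current_app_role() IN ('owner', 'admin', 'adjuster'))
    WITH CHECK (tenant_id = current_tenant());

-- Smoke test with constructed tenant ids: tenant A inserts a claim, then the
-- same connection switches context to tenant B and sees nothing.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
SET LOCAL app.role = 'adjuster';
INSERT INTO claims (tenant_id, summary)
    VALUES (current_tenant(), 'constructed test claim');
SELECT count(*) AS visible_to_tenant_a FROM claims;
SET LOCAL app.tenant_id = '22222222-2222-2222-2222-222222222222';
SELECT count(*) AS visible_to_tenant_b FROM claims;
ROLLBACK;
```

Two things to check when reviewing a setup like this. First, RLS does nothing for a superuser, a BYPASSRLS role, or (without FORCE) the table owner, so the application must connect as a role that is none of those, and migrations should run under a separate role. Second, the policy is only as trustworthy as the code that sets app.tenant_id and app.role: they must come from the authenticated session, never from request parameters, and an injection that can execute SET LOCAL could change them, so RLS is a backstop for parameterized queries, not a substitute. In the smoke test the first count is 1 and the second is 0.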

Private evidence storage

Uploaded evidence, claim documents, and media live in private storage buckets. Files are not publicly addressable; access is mediated by the application using the requester's session and workspace membership.

Audit logs and claim events

Sensitive actions are recorded to immutable audit logs and per-claim event timelines. Members of a workspace can review what happened, who acted, and when.
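The Audit trail entry above and this section both describe immutable, append-only audit logs. The example below shows how that property can be enforced in PostgreSQL rather than left to application convention. It is an added example, not ClaimCircuit's implementation: table, role and column names are assumptions, and the hash chain is a tamper-evidence technique added here for illustration, which the page itself does not describe.

```sql
-- Added example of an append-only audit table in PostgreSQL. Not
-- ClaimCircuit's schema: all names are assumptions. Three layers: the
-- app role cannot rewrite, a trigger refuses rewrites from anyone, and a
-- per-tenant hash chain makes a removed or edited row detectable.
CREATE TABLE audit_log (
    tenant_id   uuid        NOT NULL,
    seq         bigint      NOT NULL,      -- per-tenant position, set by trigger
    actor_id    uuid        NOT NULL,
    action      text        NOT NULL,
    claim_id    bigint,
    details     jsonb       NOT NULL DEFAULT '{}',
    occurred_at timestamptz NOT NULL DEFAULT now(),
    prev_hash   bytea,                     -- NULL only for seq = 1
    entry_hash  bytea       NOT NULL,
    PRIMARY KEY (tenant_id, seq)
);

-- Layer 1: least privilege. The application may append and read, nothing else.
CREATE ROLE audit_writer NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT ON audit_log TO audit_writer;

-- Layer 2: refuse UPDATE, DELETE and TRUNCATE for every role, owner included.
CREATE FUNCTION audit_log_refuse() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'audit_log is append-only; % is not permitted', TG_OP;
END $$;

CREATE TRIGGER audit_log_no_rewrite
    BEFORE UPDATE OR DELETE OR TRUNCATE ON audit_log
    FOR EACH STATEMENT EXECUTE FUNCTION audit_log_refuse();

-- Layer 3: hash chain. The hash binds an entry to its predecessor and to its
-- own content. The timestamp goes in as epoch seconds so the result does not
-- depend on the session time zone.
CREATE FUNCTION audit_entry_hash(prev bytea, tenant uuid, seq bigint, actor uuid,
                                 act text, claim bigint, det jsonb,
                                 occurred timestamptz) RETURNS bytea
LANGUAGE sql IMMUTABLE AS $$
    SELECT sha256(coalesce(prev, ''::bytea) || convert_to(
        tenant::text || '|' || seq::text || '|' || actor::text || '|' || act || '|'
        || coalesce(claim::text, '') || '|' || det::text || '|'
        || extract(epoch FROM occurred)::text, 'UTF8'))
$$;

CREATE FUNCTION audit_log_link() RETURNS trigger LANGUAGE plpgsql AS $$
DECLARE
    last_seq  bigint;
    last_hash bytea;
BEGIN
    -- Serialize appends per tenant so concurrent inserts cannot both chain
    -- off the same predecessor and fork the chain.
    PERFORM pg_advisory_xact_lock(hashtext(NEW.tenant_id::text));
    SELECT a.seq, a.entry_hash INTO last_seq, last_hash
      FROM audit_log a WHERE a.tenant_id = NEW.tenant_id
      ORDER BY a.seq DESC LIMIT 1;
    NEW.seq        := coalesce(last_seq, 0) + 1;
    NEW.prev_hash  := last_hash;
    NEW.entry_hash := audit_entry_hash(NEW.prev_hash, NEW.tenant_id, NEW.seq,
                                       NEW.actor_id, NEW.action, NEW.claim_id,
                                       NEW.details, NEW.occurred_at);
    RETURN NEW;
END $$;

CREATE TRIGGER audit_log_chain BEFORE INSERT ON audit_log
    FOR EACH ROW EXECUTE FUNCTION audit_log_link();

-- Verification, for an auditor or a scheduled job: recompute every link and
-- hash from the stored content and return the entries that do not match.
CREATE FUNCTION audit_log_broken_entries(tenant uuid)
RETURNS TABLE (entry_seq bigint, problem text) LANGUAGE sql STABLE AS $$
    WITH chained AS (
        SELECT a.*, lag(a.entry_hash) OVER (ORDER BY a.seq) AS expected_prev
        FROM audit_log a WHERE a.tenant_id = tenant
    )
    SELECT c.seq,
           CASE WHEN c.prev_hash IS DISTINCT FROM c.expected_prev
                THEN 'broken link' ELSE 'content changed' END
    FROM chained c
    WHERE c.prev_hash IS DISTINCT FROM c.expected_prev
       OR c.entry_hash <> audit_entry_hash(c.prev_hash, c.tenant_id, c.seq,
                                           c.actor_id, c.action, c.claim_id,
                                           c.details, c.occurred_at)
$$;

-- Smoke test with constructed ids: two appends, a verification pass, then an
-- UPDATE that the append-only trigger refuses.
INSERT INTO audit_log (tenant_id, actor_id, action, claim_id, details) VALUES
    ('11111111-1111-1111-1111-111111111111',
     'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa', 'brief.edit', 42, '{"field": "summary"}');
INSERT INTO audit_log (tenant_id, actor_id, action, claim_id, details) VALUES
    ('11111111-1111-1111-1111-111111111111',
     'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa', 'brief.approve', 42, '{}');
SELECT * FROM audit_log_broken_entries('11111111-1111-1111-1111-111111111111');
UPDATE audit_log SET action = 'brief.reject' WHERE seq = 2;
```

The trigger stops the application role and ordinary mistakes; anyone with ALTER TABLE rights can still disable it, which is why DDL should be restricted to the migration role and why the chain is there: audit_log_broken_entries returns no rows for the two constructed entries, and any later edit or removal of a row other than the most recent one shows up as a broken link or changed content. Truncation from the tail is not detectable from the table alone, so export the latest entry_hash per tenant to an independent store on a schedule.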

Admin-controlled AI

Each AI capability — FNOL structuring, document review, damage vision, policy match, triage, brief drafting, customer update drafting — has an explicit toggle. Owners and admins decide which capabilities are available, and human review is required by default.

Email preferences and unsubscribe

Customer-facing messages are never sent without an authorized human approving the draft. Recipients can manage email preferences and unsubscribe from non-essential mail at any time.

Responsible use of AI outputs

AI never approves, denies, settles, accuses, or sends customer messages on its own. AI output is treated as a draft for a qualified human to review, edit, and decide on.

Reporting a concern

Reach our security contact at security@claimcircuit.com. For details on what to include, see our responsible disclosure guidelines.

Operational status

Current service status and any active incidents are tracked on the status page. Incident response runs on 24/7 NOC monitoring with a P1 response target under 2 hours.