ClaimNorth Inc. is pursuing SOC 2 Type II with anticipated report-in-hand within 5–7 months. This page is the live source of truth for our security posture — last updated 2026-05-27.
| Criteria area | Implementation | Status |
|---|---|---|
| CC6.1 Logical access | Password + 2FA TOTP, SAML 2.0 + OIDC SSO, role-based access | ✓ Operational |
| CC6.2 User provisioning | Invite-token-based onboarding with role assignment + audit logging | ✓ Operational |
| CC6.3 Access lifecycle | Active session tracking, owner-visible revoke at /settings/sessions | ✓ Operational |
| CC6.4 Stale access | 2FA re-verification after 7 days inactivity on sensitive actions | ✓ Operational |
| CC6.6 Authenticated integrations | HMAC-SHA256 signed outbound + verified inbound webhooks | ✓ Operational |
| CC6.7 Encryption in transit | TLS 1.2+ enforced via HSTS + Cloudflare edge | ✓ Operational |
| CC6.8 Encryption at rest | 2FA secrets + backups column-level encrypted (Fernet); full DB SQLCipher migration on roadmap | ◐ Partial |
| CC7.1 Continuous monitoring | Sim harness + p99 dashboard + sentry-compatible exception capture | ✓ Operational |
| CC7.2 Backups + restore | Daily encrypted backups with quarterly restore drill | ✓ Operational |
| CC7.3 Incident response | Documented IR plan with 4-tier severity classification | ✓ Operational |
| CC8.1 Change management | Wave-numbered change log + Source-of-Truth mirror | ✓ Operational |
| CC9.1 Vendor management | Vendor inventory at /admin/vendors with SOC 2 status tracking | ✓ Operational |
| A1.2 Availability — backup | Same as CC7.2 | ✓ Operational |
| A1.3 Availability — BCP | BCP/DR plan with 4h RTO, 24h RPO targets | ✓ Operational |
| C1.1 Confidentiality protection | Org-level data isolation enforced before every request | ✓ Operational |
| C1.2 Confidentiality disposal | 30-day soft-delete + cron purge with audit trail | ✓ Operational |
| P1.1 Privacy notice | /privacy, /terms, /cookies | ✓ Operational |
| P5.2 Data portability | Owner-requestable per-org ZIP export (GDPR Art. 20) | ✓ Operational |
| P6.1 Right to deletion | Customer data-deletion request flow with 7-day cooling-off (GDPR Art. 17) | ✓ Operational |
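The CC6.6 row above says outbound webhooks are HMAC-SHA256 signed and inbound ones are verified. The following is an added illustration of that pattern, not ClaimNorth's own code: the header names (`X-Webhook-Timestamp`, `X-Webhook-Signature`), the `v1=` prefix, the 300-second replay window and the shared secret are all assumptions chosen for the example. It binds a timestamp into the signed string so a captured delivery cannot be replayed later, and compares digests in constant time.

```python
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

# Constructed example secret; a real integration gets its own provisioned secret.
SHARED_SECRET = b"constructed-example-secret-do-not-use"
# Assumed replay window: deliveries whose timestamp is older than this are rejected.
TOLERANCE_SECONDS = 300

# Hypothetical header names for this example.
TS_HEADER = "X-Webhook-Timestamp"
SIG_HEADER = "X-Webhook-Signature"


def sign_payload(secret: bytes, timestamp: int, body: bytes) -> str:
    """Hex HMAC-SHA256 over '<timestamp>.<body>'.

    Including the timestamp in the MAC input ties the signature to a moment in
    time, so the receiver can reject old (replayed) deliveries."""
    message = str(timestamp).encode() + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def build_outbound_headers(secret: bytes, body: bytes,
                           now: Optional[int] = None) -> Dict[str, str]:
    """Sender side: produce the headers that accompany an outbound webhook."""
    ts = int(time.time()) if now is None else now
    return {
        TS_HEADER: str(ts),
        SIG_HEADER: "v1=" + sign_payload(secret, ts, body),
    }


def verify_inbound(secret: bytes, headers: Dict[str, str], body: bytes,
                   now: Optional[int] = None) -> Tuple[bool, str]:
    """Receiver side: verify an inbound webhook. Returns (ok, reason).

    Checks are ordered cheapest first; the MAC is only computed once the
    timestamp is present, parseable and inside the replay window."""
    ts_raw = headers.get(TS_HEADER)
    sig_raw = headers.get(SIG_HEADER, "")
    if ts_raw is None or not sig_raw.startswith("v1="):
        return False, "missing_signature"
    try:
        ts = int(ts_raw)
    except ValueError:
        return False, "bad_timestamp"
    current = int(time.time()) if now is None else now
    if abs(current - ts) > TOLERANCE_SECONDS:
        return False, "stale_timestamp"
    expected = sign_payload(secret, ts, body)
    # Constant-time comparison on bytes: a plain == would leak how many leading
    # characters matched through timing differences.
    if not hmac.compare_digest(expected.encode(), sig_raw[3:].encode()):
        return False, "bad_signature"
    return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the sender/receiver exchange over a constructed payload and show
    how each failure mode is classified."""
    body = json.dumps({"event": "claim.updated", "claim_id": 42}).encode()
    sent_at = 1_700_000_000
    headers = build_outbound_headers(SHARED_SECRET, body, now=sent_at)
    return {
        "valid": verify_inbound(SHARED_SECRET, headers, body, now=sent_at + 5),
        "tampered_body": verify_inbound(SHARED_SECRET, headers, body + b" ", now=sent_at + 5),
        "replayed_late": verify_inbound(SHARED_SECRET, headers, body, now=sent_at + 301),
        "wrong_secret": verify_inbound(b"not-the-secret", headers, body, now=sent_at + 5),
        "unsigned": verify_inbound(SHARED_SECRET, {}, body, now=sent_at + 5),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:14s} -> {result}")
```

The receiver must compute the MAC over the raw request bytes exactly as received, not over a re-serialized copy of the parsed JSON, since any whitespace or key-order difference changes the digest; the sender's secret is never transmitted, only the derived signature and timestamp.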
In transit: All connections to app.claimnorth.com require TLS 1.2 or higher, enforced via HSTS preload. Cloudflare terminates TLS at the edge with modern cipher suites.
At rest: 2FA TOTP secrets and backup files are encrypted at the application layer using Fernet (AES-128 + HMAC). The full SQLite database is currently stored with file-permission isolation (mode 0600, service-user-only); SQLCipher full-database AES-256 encryption is planned for completion within 90 days.
Key management: Encryption keys are stored in /etc/default/scopeforge-estimator with file mode 0600 and service-user ownership. Keys are rotated annually or on suspected compromise.
SMS-based 2FA is not supported (SIM-swap risk).
Self-service endpoints:

- /settings/export (GDPR Article 20)
- /settings/audit-log
- /settings/sessions
- /settings/api-tokens

ClaimNorth uses the following third-party services to deliver the product. Each is bound by a Data Processing Agreement (DPA). See /security/sub-processors for the full list with data flows.
If you believe you have found a security vulnerability in ClaimNorth, please email security@claimnorth.com. We respond within 1 business day. We do not yet operate a paid bug bounty, but we credit researchers on our acknowledgments page (credit goes to the first researcher to disclose a given issue).
Please give us reasonable time to remediate before public disclosure.