How ClaimNorth protects your data. Updated continuously from live system metrics.
✓TOTP 2FAOwner accounts can enforce time-based one-time passwords via any authenticator app. Recovery codes provided.
✓SAML 2.0 + OIDC SSOSignature-verified SSO via Okta, Azure AD, OneLogin, Google Workspace, or any IdP supporting SAML/OIDC.
✓HMAC-signed webhooksEvery outbound webhook is HMAC-SHA256 signed (Stripe pattern: t=<ts>, v1=<sig>). Replay window 5min.
✓Per-tenant rate limitsToken-bucket rate limiting per org with per-tenant overrides; protects against runaway integrations.
✓Tenant-scoped queriesEvery database query is org_id-filtered. Audited by static analysis on every deploy.
✓Compliance audit logSOC 2 retention trail for every privileged action: data deletions, org purges, webhook probes, access changes.
✓Soft-delete + 30d restoreDeleted projects are recoverable for 30 days. Hard-delete via explicit purge with compliance backup ZIP.
✓CSP + HSTS + frame denyStrict Content-Security-Policy, HSTS preload, X-Frame-Options DENY on every response.
✓Daily backup + restore drillLocal snapshots + S3-compatible offsite copy. Restore drill runs on its own timer.
✓Service-user isolationApp process runs as dedicated unprivileged user; root not required for any normal operation.
SOC 2 evidence trail viewable at /admin/compliance-audit-log for authorized auditors.