ClaimTally helps people document property for insurance claims. We use private storage, policy-scoped access, and server-side authorization to limit who can reach that information.
Safeguards at a glance
Scope / control
MEDIA
Private media storage
Inventory photos and audio are stored in non-public buckets. ClaimTally issues temporary signed links for user-facing media access after an ownership or accepted-collaboration check. Authorized processing services retrieve media server-side after the processing request is authenticated and authorized.
POLICY
Policy-scoped collaboration
Collaboration is tied to a specific policy. Policyholders choose whether to accept access and can revoke that access from Settings.
SESSION
Protected sessions
Password accounts require email verification. Production web sessions use secure, HTTP-only cookies, and the mobile app stores session state using the device operating system’s secure storage.
REQUEST
Layered authorization
Processing requests validate both the signed-in account and access to the specific policy, upload, or item before work begins.
In practice
How the safeguards work
Identity and access
ClaimTally validates account sessions on the server before returning private application data. Database row-level policies provide another authorization layer for policy, room, item, upload, and storage access. Database access tokens issued to the web application expire after a limited period and are not persisted as a separate browser login.
Files and claim data
Photos and audio are kept in non-public storage rather than public asset URLs. ClaimTally issues temporary signed links for user-facing media display after an ownership or accepted-collaboration check. Separately, authorized processing services retrieve media server-side after the processing request is authenticated and authorized.
Processing safeguards
ClaimTally’s processing services require an authenticated request and verify ownership or accepted policy access before processing inventory content. Background jobs use bounded retries and capacity limits. Application secrets used by those services are supplied through deployment secret-management mechanisms rather than public client configuration.
Activity records
ClaimTally records selected agent, administrative, and processing actions in activity or audit records. These records support review of sensitive workflows, but they do not capture every request or every change.
Transport and lifecycle
The ClaimTally web application is served over HTTPS and instructs supported browsers to keep using HTTPS. Account deletion removes core account and inventory records, then requests removal of associated stored media. Limited copies may remain temporarily in service-provider backups, logs, or legally required records as described in the Privacy Policy.
Privacy
Service providers and your data
ClaimTally relies on service providers to host the application, store data, process inventory, deliver messages, and support sign-in. The Privacy Policy explains what information is processed, why it is used, and the services involved.
If you believe you found a security issue, email security@claimtally.ai. Include the affected page or feature, a clear description, steps to reproduce, and the potential impact. Please do not include another person’s private data or perform testing that disrupts the service, changes data you do not own, or attempts to access another account.