Skip to security information

Security

How ClaimTally protects your data

ClaimTally helps people document property for insurance claims. We use private storage, policy-scoped access, and server-side authorization to limit who can reach that information.

Safeguards at a glance

MEDIA

Private media storage

Inventory photos and audio are stored in non-public buckets. ClaimTally issues temporary signed links for user-facing media access after an ownership or accepted-collaboration check. Authorized processing services retrieve media server-side after the processing request is authenticated and authorized.

POLICY

Policy-scoped collaboration

Collaboration is tied to a specific policy. Policyholders choose whether to accept access and can revoke that access from Settings.

SESSION

Protected sessions

Password accounts require email verification. Production web sessions use secure, HTTP-only cookies, and the mobile app stores session state using the device operating system’s secure storage.

REQUEST

Layered authorization

Processing requests validate both the signed-in account and access to the specific policy, upload, or item before work begins.

In practice

How the safeguards work

Identity and access

ClaimTally validates account sessions on the server before returning private application data. Database row-level policies provide another authorization layer for policy, room, item, upload, and storage access. Database access tokens issued to the web application expire after a limited period and are not persisted as a separate browser login.

Files and claim data

Photos and audio are kept in non-public storage rather than public asset URLs. ClaimTally issues temporary signed links for user-facing media display after an ownership or accepted-collaboration check. Separately, authorized processing services retrieve media server-side after the processing request is authenticated and authorized.

Processing safeguards

ClaimTally’s processing services require an authenticated request and verify ownership or accepted policy access before processing inventory content. Background jobs use bounded retries and capacity limits. Application secrets used by those services are supplied through deployment secret-management mechanisms rather than public client configuration.

Activity records

ClaimTally records selected agent, administrative, and processing actions in activity or audit records. These records support review of sensitive workflows, but they do not capture every request or every change.

Transport and lifecycle

The ClaimTally web application is served over HTTPS and instructs supported browsers to keep using HTTPS. Account deletion removes core account and inventory records, then requests removal of associated stored media. Limited copies may remain temporarily in service-provider backups, logs, or legally required records as described in the Privacy Policy.

Privacy

Service providers and your data

ClaimTally relies on service providers to host the application, store data, process inventory, deliver messages, and support sign-in. The Privacy Policy explains what information is processed, why it is used, and the services involved.

Read the Privacy Policy

Disclosure

Report a security concern

If you believe you found a security issue, email security@claimtally.ai. Include the affected page or feature, a clear description, steps to reproduce, and the potential impact. Please do not include another person’s private data or perform testing that disrupts the service, changes data you do not own, or attempts to access another account.

Email security@claimtally.ai