Security Policy

Last updated: April 8, 2026

Our Commitment to Security

ClaraPay handles sensitive financial and personal information. We implement technical, organizational, and physical safeguards to protect your data against unauthorized access, disclosure, alteration, and destruction.

Encryption

  • In transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher (HTTPS). We do not allow unencrypted HTTP connections.
  • At rest: Sensitive data, including personal information and payment records, is encrypted at rest in our database infrastructure.
  • Payment data: ClaraPay does not store raw card numbers. All payment processing is handled by Stripe, a PCI-DSS Level 1 certified payment processor.

Access Controls

Access to consumer data is restricted on a need-to-know basis. Our access control practices include:

  • Role-based access control (RBAC) with least-privilege principles
  • Multi-factor authentication required for all staff accounts
  • Row-level security enforced at the database layer
  • Audit logging of administrative access to sensitive records

Data Retention

We retain personal information only as long as necessary for the purpose it was collected, or as required by law. Debt account records are typically retained for seven years from account closure to satisfy FDCPA and applicable state record-keeping requirements. You may request deletion subject to these legal retention obligations — see our CCPA rights page (California residents) or our Privacy Policy.

Infrastructure Security

  • Hosted on Vercel (edge network) and Supabase (SOC 2 Type II certified)
  • Automated dependency vulnerability scanning
  • Regular security reviews of application code
  • Rate limiting on all public-facing API endpoints
  • CSRF protection on all authenticated state-changing requests

Breach Notification

In the event of a data breach that affects your personal information, ClaraPay will notify affected individuals in accordance with applicable state and federal breach notification laws. Notifications will be made within the timeframes required by law, which vary by state but are typically between 30 and 90 days of discovery.

Reporting a Security Issue

If you believe you have discovered a security vulnerability in our systems, please report it responsibly through our contact page. Please do not publicly disclose vulnerabilities before we have had a reasonable opportunity to investigate and address them.