Security
How ClaimCMR protects your data
ClaimCMR processes sensitive freight claim data โ CMR consignment notes, commercial invoices, carrier correspondence, and financial records. We take the security of this data seriously. This page describes the technical and organizational measures we implement to protect it.
Infrastructure
Database
Supabase PostgreSQL hosted in Frankfurt, Germany (EU Central). Data never leaves the EU for storage.
Application hosting
Vercel serverless functions with EU region deployment where available. All compute runs on isolated, ephemeral containers.
CDN / DDoS protection
Cloudflare provides global edge caching, DDoS mitigation, and WAF rules. Request metadata is processed at the nearest edge node.
File storage
Supabase Storage (S3-compatible) in EU region. All uploaded documents are stored in the same Frankfurt region as the database.
Encryption
- At rest: AES-256 encryption for all data stored in Supabase, including database records, file uploads, and backups
- In transit: TLS 1.3 for all connections between your browser and ClaimCMR servers. HSTS enforced.
- API keys: Customer API keys are hashed (SHA-256) before storage. The original key is shown once at creation and never stored in plaintext.
- Passwords: Managed by Supabase Auth using bcrypt with adaptive cost factor. ClaimCMR never sees or stores plaintext passwords.
Access Controls
- Row-Level Security (RLS): Every database query is filtered by organization ID at the database level. Users can only access data belonging to their organization โ enforced by PostgreSQL, not application code.
- Role-based access: Organization members have defined roles. Admin operations require elevated privileges.
- Session management: Sessions are managed via Supabase Auth with secure, httpOnly cookies. Sessions expire after inactivity.
- API authentication: REST API access requires a per-organization API key with rate limiting. Keys can be revoked instantly.
AI Data Handling
ClaimCMR uses AI for document extraction, claim letter generation, and email parsing. We take specific measures to protect data during AI processing:
- No training: Neither Anthropic (Claude) nor Google (Gemini) use API-submitted data to train their models. This is confirmed in both providers' API terms.
- Ephemeral processing: AI providers process data in memory and do not retain it after the API response is returned.
- Minimal data: We send only the minimum data required for each AI task โ not your entire claim history.
- User control: Document extraction requires explicit user action. Email processing can be disabled by not using the inbound email feature.
Monitoring and Incident Response
- Error monitoring: Sentry captures application errors for rapid diagnosis. Error reports are anonymized where possible.
- Uptime monitoring: Automated health checks run continuously. Downtime is detected within minutes.
- Incident response: We maintain a written incident response plan. Data breaches are reported to the Lithuanian DPA (VDAI) within 72 hours and to affected customers within 48 hours, per GDPR Articles 33-34.
- Audit trail: All user actions within the platform are logged (Growth+ plans). Audit logs are retained for the duration of the subscription.
Backups and Disaster Recovery
- Daily automated backups: Full database backups run daily, stored in the EU region
- Point-in-time recovery: Available through Supabase infrastructure
- Backup deletion: When customer data is deleted, backup copies are purged within 30 days
Compliance
GDPR
Full compliance with EU General Data Protection Regulation. DPA available.
ePrivacy Directive
Cookie consent obtained before non-essential tracking. Analytics gated behind explicit consent.
EU Data Act
Data portability and switching rights guaranteed per Regulation (EU) 2023/2854.
Lithuanian law
Governed by Lithuanian data protection law. DPA: VDAI (Valstybine duomenu apsaugos inspekcija).
Responsible Disclosure
If you discover a security vulnerability in ClaimCMR, please report it responsibly to security@claimcmr.com. We will acknowledge receipt within 48 hours and work to resolve confirmed vulnerabilities promptly. We do not pursue legal action against security researchers acting in good faith.
Security questions: security@claimcmr.com
Related: Privacy Policy ยท Data Processing Agreement ยท Service Level Agreement
ยฉ 2026 ClaimCMR. All rights reserved.