Security & Data Handling

This page describes how ClaimNarrative protects your data and your clients’ information. We built this page because we know insurance professionals need to understand exactly how their claim file data is handled before they can trust any tool.

Our Security Principles

1. Your data is your data. You own it. We don’t sell it, share it, or use it to train AI models.
2. Encryption everywhere. All data in transit is encrypted via HTTPS/TLS.
3. Minimum data collection. We only collect what’s needed to provide the Service.
4. No training on customer data. Your claim files never feed into AI model training.
5. Transparent processing. This page tells you exactly where your data goes.

How Your Data Flows

When you use ClaimNarrative to generate documentation:

1. You enter claim information into the input form
2. Your inputs are transmitted to our servers over an encrypted HTTPS connection
3. Our servers send the inputs to Anthropic’s Claude API to generate documentation
4. The generated output is returned to your browser
5. The output may be saved to your account for later access

When you use reference files:

Your uploaded files are stored in our database. AI extracts style patterns and stores them. The original file content is retained to allow re-extraction if needed. You can delete files anytime via the Reference Files interface.

When you upload Xactimate PDFs, photos, or field notes documents:

These files are processed in memory during your generation request. The extracted text/data is included in your saved claim file output, but the original uploaded files are NOT persistently stored after processing.

When you generate content:

Each generation is saved to your account history (My Claims) until you delete it. This includes the full output and your input data. Deleted items are soft-deleted (marked deleted_at) and purged from storage within 90 days.

At no point is your data:

• Sold to third parties
• Used for advertising
• Used to train AI models
• Shared with carriers, insurers, or competitors

Our Service Providers

We use the following providers to operate the Service. Each is contractually bound to handle data securely.

Anthropic (Claude API)

The AI generation is powered by Anthropic’s Claude API. Anthropic’s commercial API terms state that Anthropic does NOT train its models on data sent through the API. This means your claim file inputs are processed to generate output, then are NOT retained for model training.

For full details, refer to Anthropic’s data handling policies at anthropic.com.

Clerk (Authentication)

User account information (email, password, session tokens) is managed by Clerk. Clerk is SOC 2 Type II certified and handles authentication data with industry-standard security.

Vercel (Hosting)

Our application and database are hosted on Vercel. Vercel provides SOC 2 compliance, encrypted data at rest, and DDoS protection.

Stripe (Payments, when applicable)

If you pay for ClaimNarrative through our payment system, your payment information is processed by Stripe, which is PCI-DSS Level 1 certified (the highest level of payment card security compliance). We never see or store your full payment card information.

What We Encrypt

• Data in transit: All connections between your browser and our servers use HTTPS with TLS 1.2 or higher
• Authentication: Passwords are never stored in plaintext; Clerk uses industry-standard hashing
• Session tokens: Encrypted and rotated regularly

What We DON’T Do

We want to be explicit about what we don’t do, because adjusters reasonably worry about these things:

• We don’t sell your data. Not to data brokers, not to insurance industry data providers, not to anyone.
• We don’t use your inputs to train AI. Your claim files are processed once to generate output, then are not used for any other purpose.
• We don’t share with carriers. Even carriers whose formats we support do not have any visibility into your data.
• We don’t have employee access to your data. The system is operated by the founder; no third-party employees access claim file content.
• We don’t store output indefinitely. Generated outputs are stored only as long as needed to provide the Service.

What You Can Do

Delete Your Data

You can request deletion of your account and all associated data at any time. Email support@claimnarrative.com with subject “Data Deletion Request” and we will:

• Delete your account within 30 days
• Confirm completion via email
• Remove your data from backups within 90 days

Export Your Data

You can export your generated documentation at any time via the in-app export feature (Markdown or text format). Account information can be requested via email.

Limit What You Submit

You control what claim information you submit. We recommend:

• Redacting client names if not needed for the documentation
• Avoiding submission of personally identifiable information about insured parties unless necessary
• Using initials or claim numbers instead of full names where possible

Compliance Status

We are not currently SOC 2 audited. We are too small to justify the cost of a SOC 2 audit at this stage. However, our infrastructure providers (Vercel, Clerk, Stripe) are individually SOC 2 certified, which means the underlying security controls are in place.

If your firm requires a vendor security assessment, we are happy to:

• Complete a vendor security questionnaire
• Sign a Business Associate Agreement (BAA) or Data Processing Agreement (DPA) if needed
• Provide additional documentation about our practices

Contact support@claimnarrative.com to start that conversation.

Incident Response

If we become aware of a security incident affecting your data, we will:

1. Investigate the scope and impact immediately
2. Take steps to contain and remediate the incident
3. Notify affected users within 72 hours of confirming impact
4. Provide details on what data was affected and what steps you should take
5. Notify relevant regulators if required by law

To report a security concern, email support@claimnarrative.com with subject “Security Report.”

Questions

If you have questions about our security practices or want to discuss specific requirements for your firm: