Security

How we protect your data

Patent intelligence is sensitive work. This page documents our security practices, infrastructure, data handling, and compliance roadmap so you can make an informed decision about using ClaimHit.

GDPR compliant
TLS 1.2+ encryption
AES-256 at rest
SOC 2 Type I — in preparation
ISO 27001 — planned

Infrastructure

ClaimHit is built on enterprise-grade cloud infrastructure. We do not operate our own servers — all infrastructure is managed by providers who maintain their own security certifications.

Vercel
Application hosting & global CDN
SOC 2 Type II · ISO 27001
Supabase
Database, authentication & storage
SOC 2 Type II · GDPR DPA
Anthropic
Claude AI inference
SOC 2 Type II · Zero data retention
OpenAI
GPT-4o inference
SOC 2 Type II · API data not used for training
Google Cloud
Gemini inference
ISO 27001 · SOC 2 · SOC 3
PayU India
Payment processing
PCI DSS Level 1

Data security

🔒 Encryption in transit
All data between your browser and ClaimHit is encrypted using TLS 1.2 or higher. HTTPS is enforced on all endpoints — HTTP requests are automatically redirected.
💾 Encryption at rest
All data stored in our Supabase database is encrypted at rest using AES-256. Backups are also encrypted. Passwords are hashed using bcrypt.
🛡 Row-level security
Every database table uses Supabase Row Level Security (RLS) policies. Users can only access their own data. Team members can only access their team's data.
🔑 Authentication
Authentication is handled by Supabase Auth using JWT tokens with short expiry. We support email/password authentication with secure password reset flows.
🏗 Infrastructure isolation
Each environment (production, preview) uses separate API keys, database credentials, and secrets. No shared credentials between environments.
📋 Access control
Production database access is limited to authorised personnel only. All access is logged. We follow the principle of least privilege for all system access.
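The row-level security model described above (each user sees only their own rows, team members see their team's rows), written out as an added Postgres/Supabase SQL example. This is illustration code, not ClaimHit's schema or policies: the tables `searches`, `teams` and `team_members`, the `is_team_member` helper, and the sample UUIDs and patent number are all assumptions. It assumes a Supabase project, where `auth.users` and the `auth.uid()` helper exist and the `authenticated` role is the one API requests run as.

```sql
-- Added example, not ClaimHit's schema. Table/column names are assumptions.
create table if not exists public.teams (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

create table if not exists public.team_members (
  team_id uuid not null references public.teams(id) on delete cascade,
  user_id uuid not null references auth.users(id) on delete cascade,
  primary key (team_id, user_id)
);

create table if not exists public.searches (
  id            uuid primary key default gen_random_uuid(),
  user_id       uuid not null references auth.users(id) on delete cascade,
  team_id       uuid references public.teams(id) on delete cascade,
  patent_number text not null,
  result        jsonb,
  created_at    timestamptz not null default now()
);

-- With RLS enabled and no matching policy a query returns zero rows (deny by default).
-- FORCE applies the policies to the table owner as well.
alter table public.team_members enable row level security;
alter table public.searches     enable row level security;
alter table public.searches     force row level security;

-- Membership lookup as a SECURITY DEFINER function, so the policy on searches does not
-- depend on (or recurse into) the RLS policies of team_members. The fixed search_path
-- keeps a caller-controlled schema from changing which objects the function resolves.
create or replace function public.is_team_member(p_team_id uuid)
returns boolean
language sql
stable
security definer
set search_path = public
as $$
  select exists (
    select 1
    from public.team_members tm
    where tm.team_id = p_team_id
      and tm.user_id = auth.uid()
  );
$$;

revoke all on function public.is_team_member(uuid) from public;
grant execute on function public.is_team_member(uuid) to authenticated;

-- Users read and manage their own rows. WITH CHECK also stops a client from inserting
-- or updating a row so that it carries someone else's user_id.
create policy "searches: own rows"
  on public.searches
  for all
  to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

-- Team members get read-only access to rows tagged with a team they belong to.
-- Permissive policies are OR-ed, so a row is visible if either policy matches.
create policy "searches: team read"
  on public.searches
  for select
  to authenticated
  using (team_id is not null and public.is_team_member(team_id));

-- Users can list their own memberships (used by the client, not by the policy above).
create policy "team_members: own memberships"
  on public.team_members
  for select
  to authenticated
  using (user_id = auth.uid());

-- Verification, run from a privileged session (SQL editor or psql): impersonate a user by
-- setting the JWT claims that auth.uid() reads, then confirm other users' rows are hidden
-- and cross-user writes are rejected. UUIDs and the patent number are constructed values.
begin;
  set local role authenticated;
  select set_config('request.jwt.claims',
    '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}', true);
  -- Returns only rows owned by 1111... or tagged with one of that user's teams.
  select id, user_id, team_id, patent_number from public.searches;
  -- Fails with: new row violates row-level security policy for table "searches"
  insert into public.searches (user_id, patent_number)
  values ('22222222-2222-2222-2222-222222222222', 'US0000000A1');
rollback;
```

The policies apply automatically to any request made through the Supabase client with the user's JWT. The project's service-role key bypasses RLS entirely, so it belongs only in trusted server-side code and never in the browser bundle; a review of where that key is used is the first check to make when auditing an RLS-based isolation model like this one.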

How patent data is handled

Patent numbers are public information. When you enter a patent number, ClaimHit fetches the patent data from USPTO and EPO public APIs and transmits it to AI providers for analysis. Patent numbers and their public claim text are not confidential — they are published in public registries.

AI providers do not retain your data. Anthropic, OpenAI, and Google operate zero-data-retention or no-training policies on API calls by default. Your patent queries are processed and not stored by these providers. We do not transmit your account identity (name, email, company) to AI providers — searches are anonymous at the API level.

Your search history and results are stored in our Supabase database, accessible only to your account (or your team, if you are in a team workspace). We retain search results for the life of your account to provide the search history and re-run features. When you delete your account, all search history is deleted within 30 days.

Your expert review requests contain more sensitive information — target names, case notes, budget. This data is stored securely and accessible only to you and ClaimHit's expert team. It is retained for 7 years for legal and accounting purposes, consistent with standard professional services records requirements.

Incident response

In the event of a data breach or security incident that affects your personal data:

To report a security vulnerability, email security@claimhit.com. We aim to acknowledge all reports within 48 hours.

Compliance roadmap

We are committed to meeting the security standards required by law firms, enterprise IP teams, and technology transfer offices. Here is our current compliance status and roadmap:

✓ Complete
GDPR compliance
Privacy policy, cookie consent, data subject rights, DPA with Supabase, data deletion capability. Completed April 2026.
✓ Complete
TLS / encryption
All data encrypted in transit and at rest. Implemented at launch.
✓ Complete
Row-level security
All database tables protected by RLS policies. Users can only access their own data.
◈ In progress
SOC 2 Type I
Preparation in progress. Target completion Q3 2026. Includes security, availability, and confidentiality trust service criteria.
○ Planned
SOC 2 Type II
Planned following Type I completion. Requires 6–12 month observation period. Target: Q1 2027.
○ Planned
ISO 27001
Planned for European enterprise clients who prefer ISO 27001 over SOC 2. Target: 2027.
○ Planned
Penetration testing
Annual third-party penetration test planned for Q4 2026.

Security contact

For security enquiries, vulnerability reports, or to request our security documentation:

Security: security@claimhit.com
Privacy / DPO: privacy@claimhit.com
General: hello@claimhit.com

© 2026 Scintillation Research and Analytics Services Pvt. Ltd.