Security and privacy

Plain-English trust for payroll-sensitive work.

See how ClaraOps keeps public evaluation separate from protected payroll evidence, support access, exports, and account requests.

Review the trust summary See compliance boundaries

Buyer questions

Answers before you start

What should stay out of public forms or email?

No PHI, payroll files, employee SSNs, credentials, raw payroll rows, or sensitive compliance details belong in public forms or routine email. Keep sensitive material inside the reviewed, protected workflow after access is set up.

Read security boundaries

Who can access data?

Access belongs to authenticated company users, owner-approved delegated operators, and reviewed support paths. Public marketing pages never expose private payroll rows, PHI, credentials, employee SSNs, or customer artifacts.

See access posture

How do export, deletion, and retention requests work?

Export, deletion, and retention requests are reviewed account workflows, not public-form promises. ClaraOps avoids unreviewed instant purge or legal commitments on public pages and routes data requests through the protected account/support process.

Read privacy posture

Protected company routes

Payroll-sensitive work belongs behind authenticated, tenant-scoped access with owner or delegated-operator review.

Reviewed support access

Support access is handled through consent or reviewed escalation paths rather than casual public email.

Redacted operating trail

Audit entries, export records, and review status are designed to be useful without exposing raw payroll rows publicly.

Clear trust limits

Security copy avoids unsupported certification, SLA, partner, or guarantee claims while showing the current posture plainly.

Last updated

May 27, 2026

This is public security posture for paid-beta evaluation, not a SOC 2 report, HIPAA certification, BAA, SLA, penetration-test report, bug bounty, or guarantee of uninterrupted availability.

Beta scope

Current paid-beta security scope

Security posture is scoped to the current hosted paid-beta product: authenticated company routes, tenant-scoped access, conservative public forms, reviewed support access, customer-controlled Google Drive destinations, and public security reporting through the dedicated contact path.

Contact

Security or privacy concern

Email security@claracaps.com without PHI, payroll files, employee SSNs, credentials, raw payroll rows, exploit payloads, or sensitive customer data.

Runtime smoke boundary

What was checked for paid-beta readiness

Source-backed smoke checks cover security headers, public/private cache and noindex/no-store boundaries, protected-route redirects, sitemap/robots separation, public form minimization, rate-limit posture, security report contact path, and Google Drive export/customer-controlled destination copy.

Dedicated security contact

Report a security or privacy concern

Email security@claracaps.com. Use this dedicated address for vulnerability reports, suspected unauthorized access, privacy/security incidents, or sensitive trust questions.

Please keep payroll files, PHI, employee SSNs, credentials, raw payroll rows, exploit payloads, and sensitive customer data out of public email.

Not sales or support

Security reports are separated from demo, pricing, and routine support conversations so they can be triaged without becoming a sales thread.

Triage owner and response path

Security reports are reviewed by the ClaraOps owner/operator triage path, separated from sales/demo requests and routine support follow-up. Initial acknowledgement target: two business days; validated high-priority issues move to containment, customer-safe communication, and remediation tracking before public disclosure.

No bug bounty implied

ClaraOps does not currently operate a public bug bounty or reward program. Good-faith reports are still welcome through the dedicated security contact path.

Contact paths

Safe contact and support handoff

Use the right public contact path for sales or fit questions, routine product support, and security or privacy concerns. Public email is for non-sensitive coordination only.

Public support paths are for non-sensitive coordination only. Do not include PHI, payroll files, employee SSNs, credentials, raw payroll rows, or sensitive compliance details in public email.

Sales or fit questions

Ask whether ClaraOps fits your practice, pricing, source systems, paid-beta scope, setup timing, or next step. Keep the message high level and non-sensitive.

Email support@claracaps.com about fit

Routine product support

Use routine support for setup questions, checklist clarification, access handoff, or product workflow confusion. Two-business-day acknowledgement target for routine support and security/privacy triage.

Email support@claracaps.com for support

Security or privacy concern

Use the dedicated security/privacy contact for suspected vulnerability, unauthorized access, privacy concern, or sensitive-data handling question. Do not include sensitive files or credentials in public email.

Email security@claracaps.com

Buyer-safe email templates

Use one sentence about your practice type, source systems, and question. Do not include PHI, payroll files, employee SSNs, credentials, raw payroll rows, or sensitive compliance details in public email.

What to expect

ClaraOps routes sales, fit, support, security, and privacy questions to the right non-sensitive handoff path. Sensitive onboarding material waits for the protected workflow and reviewed customer authorization.