Enterprise Grade Security

Your data is safe with ClaroLoop.

We built ClaroLoop with security from day one. Not as an afterthought. Here is exactly how we protect your financial data.

How We Protect You

Security is not a feature. It is the foundation.

AES 256 Encryption

All sensitive financial data is encrypted at rest using AES-256-GCM, the same standard used by banks and government agencies. Data in transit is protected by TLS 1.2 or newer on every connection.

Organization Level Isolation

Every customer's data is completely isolated. Your employees cannot see another company's data. Our API enforces tenant separation on every single request. We tested this with cross-tenant access attempts, and they are blocked with a 403 every time.

Session Based Authentication

We use signed JWT tokens with an expiration time for all authenticated sessions. Passwords are hashed with bcrypt and never stored in plain text. Login responses never contain password data, and user objects only return safe fields.

Rate Limiting and Brute Force Protection

All API endpoints are rate limited to 50 requests per 15 minutes per user. This prevents brute force login attempts, credential stuffing, and API abuse. Automated attacks are stopped before they start.
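The limit described above (50 requests per 15 minutes per user), implemented as a sliding-window limiter. This is an added example, not ClaroLoop's code; the request shape, the `rateLimited` wrapper and the 429 response are assumptions for illustration. The limiter is keyed by whatever identifier the caller passes, because on a pre-authentication endpoint such as login there is no user yet and the key has to be something available before the session exists.

```javascript
// Added example (not ClaroLoop's own code): sliding-window rate limit of
// 50 requests per 15 minutes per key, matching the policy stated on the page.
const WINDOW_MS = 15 * 60 * 1000;
const MAX_REQUESTS = 50;

// Per-key log of recent request timestamps. Memory is bounded because at most
// MAX_REQUESTS timestamps are ever kept for one key. (In-memory store for the
// example; a multi-instance deployment would keep this in a shared store.)
const requestLog = new Map();

// Returns the verdict for one request. `now` is injectable so the window can
// be exercised deterministically in tests.
function checkRateLimit(key, now = Date.now()) {
  const cutoff = now - WINDOW_MS;
  const recent = (requestLog.get(key) || []).filter((t) => t > cutoff);
  if (recent.length >= MAX_REQUESTS) {
    // Oldest request still inside the window decides when capacity frees up.
    const retryAfterMs = recent[0] + WINDOW_MS - now;
    requestLog.set(key, recent);
    return { allowed: false, remaining: 0, retryAfterMs };
  }
  recent.push(now);
  requestLog.set(key, recent);
  return { allowed: true, remaining: MAX_REQUESTS - recent.length, retryAfterMs: 0 };
}

// Assumed handler shape: request -> { status, body }. Over-limit requests get
// 429 with a Retry-After header and never reach the wrapped handler.
function rateLimited(handler) {
  return (request, now = Date.now()) => {
    const verdict = checkRateLimit(request.key, now);
    if (!verdict.allowed) {
      return {
        status: 429,
        headers: { "Retry-After": String(Math.ceil(verdict.retryAfterMs / 1000)) },
        body: { error: "Too many requests" },
      };
    }
    return handler(request);
  };
}
```

The filter on every call keeps the window sliding rather than fixed, so a burst at the end of one 15-minute block cannot be followed immediately by another burst at the start of the next.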

Audit Logging

Every data access, modification, and sync event is logged with timestamps, user IDs, and organization context. You have a complete trail of who accessed what and when.
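The two mechanisms above, tenant isolation on every request and an audit record for every access, fit naturally in one handler, so here is one added example covering both (this is not ClaroLoop's code). The invoice records, the session object, and the in-memory audit log are constructed for illustration; the security-relevant point is that the organization used for the check comes from the verified session, never from anything the client supplies, and that denied attempts are logged with the same user and organization context as successful ones.

```javascript
// Added example (not ClaroLoop's own code): tenant-scoped read with an audit
// entry for every outcome. Data and session shape are constructed for the example.
const INVOICES = [
  { id: "inv-1", orgId: "org-a", amount: 1200 },
  { id: "inv-2", orgId: "org-b", amount: 800 },
];

// In-memory audit trail for the example; a deployment writes to durable storage.
const auditLog = [];

function audit(session, action, resource, outcome, now = Date.now()) {
  auditLog.push({
    ts: new Date(now).toISOString(),
    userId: session.userId,
    orgId: session.orgId,
    action,
    resource,
    outcome,
  });
}

// `session` is assumed to have been populated by the authentication layer from
// a verified token. The tenant check compares the record's owner with the
// session's organization; a mismatch is refused with 403 and leaks no fields.
function getInvoice(session, invoiceId) {
  const invoice = INVOICES.find((row) => row.id === invoiceId);
  if (!invoice) {
    audit(session, "read", invoiceId, "not_found");
    return { status: 404, body: { error: "Not found" } };
  }
  if (invoice.orgId !== session.orgId) {
    audit(session, "read", invoiceId, "denied");
    return { status: 403, body: { error: "Forbidden" } };
  }
  audit(session, "read", invoiceId, "ok");
  return { status: 200, body: invoice };
}
```

When the data layer supports it, the same rule can be pushed into the query itself (filter on both the record id and the session's organization) so that a forgotten check in a handler cannot widen access; the explicit comparison here keeps the 403 behaviour the page describes visible.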

HTTPS Everywhere

Every connection to ClaroLoop is encrypted with HTTPS. Our frontend runs on Vercel with automatic TLS certificates. Our API runs on Railway with enforced HTTPS. HTTP Strict Transport Security headers are enabled with a two-year max-age. There is no way to access ClaroLoop over an unencrypted connection.

Defense in Depth

We also protect against:

  • SQL injection attacks (parameterized queries via Prisma ORM)
  • Cross site scripting (XSS input sanitization)
  • Cross site request forgery (CSRF token validation)
  • Path traversal attacks (blocked at the API layer)
  • Oversized payload attacks (request size limits enforced)
  • Information leakage (error responses never expose internal details)
  • Unauthorized HTTP methods (only allowed methods are accepted)

Compliance

Built on enterprise grade infrastructure.

ClaroLoop is built on SOC 2 aligned security practices. We are currently pursuing formal SOC 2 Type I certification. Our infrastructure runs on enterprise grade cloud providers (Vercel and Railway) that maintain their own SOC 2 and ISO 27001 certifications.

SOC 2 Aligned
AES 256 Encrypted
TLS 1.2+
HTTPS Only
ISO 27001 Infrastructure

Questions about security?

Email us at security@claroloop.com. We take every inquiry seriously.
