Security
How we protect your data
Your data belongs to you
Every firm's screening records are isolated at the database level using row-level security. This isn't an application-level check that could be bypassed by a bug. It is enforced by the database itself. Even if there were a flaw in our code, the database would reject any query that attempted to read another firm's data. We verified this empirically: a request authenticated with an anonymous key returns zero rows from every table containing user data.
Everything is encrypted
All traffic between your browser and ClientCheck is served over HTTPS, enforced by HTTP Strict Transport Security (HSTS) with preloading. Your data is encrypted at rest using AES-256 on infrastructure operated by Supabase, which holds SOC 2 Type II certification. Screening results, PDF records, and client notes are never stored unencrypted.
Payments are handled by Stripe
ClientCheck uses Stripe for all payment processing. We never receive, store, or transmit card numbers. Stripe holds PCI DSS Level 1 certification, the highest level available. Every payment webhook is cryptographically verified using Stripe's signature validation before we act on it. Fake payment confirmations are rejected at the infrastructure level.
Security is tested on every deployment
We run automated end-to-end security tests on every code change before it reaches production. Our dependency tree is continuously scanned for known vulnerabilities using Snyk. Authentication is required on every API route that reads or writes user data. We conduct regular reviews of access policies and API authorization logic.
Built on enterprise infrastructure
ClientCheck runs on Vercel (SOC 2 Type II, ISO 27001) and Supabase (SOC 2 Type II). Both providers maintain 99.99% uptime SLAs and operate global edge networks. We are not responsible for the underlying infrastructure certifications, but we chose our infrastructure partners specifically because of them.
Security at a Glance
| Security Control | Status |
|---|---|
| Encryption in Transit | TLS 1.3 / HTTPS enforced |
| Encryption at Rest | AES-256 (Supabase) |
| Row-Level Security | Enabled on all tables |
| Authentication | Required on all data endpoints |
| Session Management | Supabase Auth (JWT) |
| Payment Processing | Stripe (PCI DSS Level 1) |
| Webhook Verification | Cryptographic signature validation |
| HTTP Security Headers | HSTS, X-Frame-Options, CSP, Referrer-Policy, Permissions-Policy |
| Clickjacking Protection | X-Frame-Options: DENY |
| MIME Sniffing Protection | X-Content-Type-Options: nosniff |
| Dependency Scanning | Snyk (continuous) |
| Infrastructure | Vercel (SOC 2 Type II, ISO 27001) |
| Database | Supabase (SOC 2 Type II) |
| Automated Testing | End-to-end tests on every deployment |
| Idempotent Payments | Stripe session deduplication |
Found a vulnerability?
We take security reports seriously. If you've discovered a potential security issue, please contact us at security@clientcheck.ai before disclosing it publicly. We aim to respond within 48 hours and will work with you to address the issue promptly.