CoPayee

Security

Your claim data is sensitive. We treat it that way.

Encryption, access controls, and vendor practices that match the seriousness of the information you trust us with.

Encryption

All data is encrypted in transit using TLS 1.2+ and at rest using AES-256. Check images, signatures, and packet PDFs are stored in encrypted object storage with signed, short-lived access URLs.
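Signed, short-lived access URLs are what keep a document link from being useful after it leaks or is forwarded. The block below is an added example of the mechanism, not CoPayee's own code and not any cloud provider's presigned-URL API: it signs the object key and an expiry together with HMAC-SHA256 and rejects links that are expired, tampered with, or missing their parameters. The path layout `/documents/<key>`, the parameter names `expires` and `sig`, and the key handling are assumptions for illustration.

```python
"""Signed, short-lived access URLs (HMAC illustration; added example,
not CoPayee's code). Assumes a single server-side signing key and URLs
of the form /documents/<object_key>?expires=<unix_ts>&sig=<hex hmac>.
Path layout and parameter names are assumptions."""
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed signing key; a real deployment loads this from a secret store.
SIGNING_KEY = secrets.token_bytes(32)
DEFAULT_TTL_SECONDS = 300
PATH_PREFIX = "/documents/"


def _canonical(object_key: str, expires: int) -> bytes:
    # Sign the key and the expiry together so neither can be swapped
    # independently of the other.
    return f"{object_key}\n{expires}".encode()


def sign_url(object_key: str, ttl: int = DEFAULT_TTL_SECONDS, *,
             now: Optional[int] = None, key: bytes = SIGNING_KEY) -> str:
    """Build a link that is valid for `ttl` seconds from `now`."""
    now = int(time.time()) if now is None else now
    expires = now + ttl
    sig = hmac.new(key, _canonical(object_key, expires), hashlib.sha256).hexdigest()
    return f"{PATH_PREFIX}{object_key}?" + urlencode({"expires": expires, "sig": sig})


def verify_url(url: str, *, now: Optional[int] = None,
               key: bytes = SIGNING_KEY) -> Tuple[bool, str]:
    """Return (ok, reason). Rejects bad paths, malformed parameters,
    forged signatures and expired links."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    if not parts.path.startswith(PATH_PREFIX):
        return False, "bad path"
    object_key = parts.path[len(PATH_PREFIX):]
    params = parse_qs(parts.query)
    try:
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False, "missing or malformed parameters"
    expected = hmac.new(key, _canonical(object_key, expires), hashlib.sha256).hexdigest()
    # Check the signature first: the expiry value is only trusted once it
    # is known to be authentic. compare_digest avoids timing leaks.
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    if now >= expires:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    link = sign_url("claims/abc123/check-front.png", ttl=300, now=1_700_000_000)
    print(link)
    print(verify_url(link, now=1_700_000_100))   # valid
    print(verify_url(link, now=1_700_000_400))   # expired
    print(verify_url(link.replace("front", "back"), now=1_700_000_100))  # tampered key
```

Because the expiry is covered by the signature, a holder of a valid link cannot extend its lifetime by editing `expires`; changing either the key or the expiry invalidates the signature.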

Authentication

Account passwords are hashed using bcrypt. Sessions use cookies with the Secure and HttpOnly flags and are protected against CSRF. Enterprise plans support SSO via Google Workspace and Microsoft Entra ID.

Access control

Every claim and document is scoped to the workspace that created it. Internal access to customer data is limited to a small number of engineers and is logged. We don't read your documents except when directly required to provide support that you've requested.

E-sign integrity

Every signature event is captured with a timestamp, the signer's IP address and user-agent, and a cryptographic hash of the exact document bytes at the time of signing, so any later change to the document is detectable. Audit trails are immutable and downloadable.
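To make the two claims above concrete, here is an added example (not CoPayee's code) of a signature-event record carrying the listed fields plus a SHA-256 digest of the document, appended to a hash-chained audit trail. It assumes "immutable" is realised by linking each entry to the previous one by hash, so editing or deleting an earlier entry breaks verification of everything after it; the field names, JSON canonicalisation and chain layout are assumptions for illustration.

```python
"""Signature events on a hash-chained audit trail (added example, not
CoPayee's code). Each entry commits to the previous entry's hash, so
any edit or deletion of an earlier event is detected on verification.
Field names and chain layout are assumptions."""
import hashlib
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # prev_hash of the first entry


def document_hash(document_bytes: bytes) -> str:
    """Digest of the exact bytes presented to the signer."""
    return hashlib.sha256(document_bytes).hexdigest()


def _entry_hash(prev_hash: str, event: Dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash does not
    # depend on field order or formatting.
    payload = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + payload).hexdigest()


def append_signature_event(trail: List[Dict], *, document_bytes: bytes, signer: str,
                           timestamp: str, ip: str, user_agent: str) -> Dict:
    """Record one signing event and chain it to the trail's last entry."""
    event = {
        "type": "signature",
        "signer": signer,
        "timestamp": timestamp,
        "ip": ip,
        "user_agent": user_agent,
        "document_sha256": document_hash(document_bytes),
    }
    prev = trail[-1]["entry_hash"] if trail else GENESIS
    entry = {"event": event, "prev_hash": prev, "entry_hash": _entry_hash(prev, event)}
    trail.append(entry)
    return entry


def verify_trail(trail: List[Dict]) -> Tuple[bool, Optional[int]]:
    """Walk the chain from genesis. Return (ok, index_of_first_bad_entry)."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        if entry["prev_hash"] != prev:
            return False, i          # link broken: an entry was removed or reordered
        if _entry_hash(prev, entry["event"]) != entry["entry_hash"]:
            return False, i          # event fields were altered after the fact
        prev = entry["entry_hash"]
    return True, None


def document_matches(entry: Dict, document_bytes: bytes) -> bool:
    """Does a stored document still match what was signed?"""
    return entry["event"]["document_sha256"] == document_hash(document_bytes)


if __name__ == "__main__":
    # Constructed sample data.
    packet = b"%PDF-1.4 constructed settlement packet"
    trail: List[Dict] = []
    first = append_signature_event(trail, document_bytes=packet, signer="payee@example.com",
                                   timestamp="2024-05-01T12:00:00Z", ip="203.0.113.5",
                                   user_agent="Mozilla/5.0")
    append_signature_event(trail, document_bytes=packet, signer="adjuster@example.com",
                           timestamp="2024-05-01T12:05:00Z", ip="198.51.100.7",
                           user_agent="Mozilla/5.0")
    print("intact:", verify_trail(trail))
    print("document unchanged:", document_matches(first, packet))
    trail[0]["event"]["ip"] = "10.0.0.1"       # tamper with an earlier entry
    print("after tamper:", verify_trail(trail))
```

A downloaded trail can be re-verified offline with `verify_trail`, and `document_matches` ties a stored file back to the digest recorded at signing time; neither check depends on trusting the server that produced the download.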

Infrastructure

CoPayee runs on hardened cloud infrastructure with automated backups, daily vulnerability scanning, and dependency monitoring. Production access requires hardware-backed 2FA.

AI processing

CoPayee uses Anthropic's Claude models for OCR, document generation, and the in-app assistant. Your documents are sent to Anthropic's API for processing but are not used to train any model, per Anthropic's commercial terms. No claim data is shared with any other third party.

Compliance posture

We're early-stage and do not yet hold a SOC 2 report, but we build our controls against the SOC 2 Trust Services Criteria and will pursue a Type II audit as our customer base grows. Enterprise customers can request our current security documentation and vendor questionnaire responses.

Report a vulnerability

If you believe you've found a security issue, please email security@copayee.com. We take reports seriously and respond within 48 hours.