Claro

Security at Claro

Protecting your data and your customers' data is foundational to everything we build. This page documents the infrastructure controls, the AI safety pipeline, and every guardrail active in production today.

Last updated: March 30, 2026

12 AI safety layers per ticket
$0 wrong refunds issued
100% of write actions audit-logged

AI Safety Pipeline

Every ticket passes through these 12 checks in strict sequence. The first failure stops processing. Nothing downstream executes until each gate passes.

01. Global kill switch

A single environment flag halts all AI processing across every org instantly. No per-tenant action needed.

02. Shadow mode

The full pipeline runs and logs what would happen, but nothing is sent or executed. Review AI behaviour before going live.

03. Classification confidence gate

Every ticket is classified with a confidence score. Below the org's configured threshold, it routes to human review and is never guessed.

04. Short-circuit for spam & escalation

Spam, explicit escalation requests, and general inquiries are caught immediately after classification. No response is generated.

05. Abuse detection

Customer history is scanned for serial returners, repeated damage claims, and refund abuse before any write action proceeds.

06. Risk intelligence signals

External risk signals (chargebacks, fraud flags) are fetched per customer. Any high or critical flag sends the ticket to human review.

07. Merchant escalation rules

Merchants define custom conditional rules evaluated in priority order before any action is approved.

08. Entity validation

The order ID referenced in an action is cross-checked against what was extracted from the ticket. Mismatches block execution.

09. Monetary threshold

Every monetary action has a configurable auto-approve ceiling. Above it: human approval required. A second ceiling blocks entirely.

10. Rate & customer limits

Caps on org-wide executions per time window, and per-customer limits within a rolling period. Both block silently if the cap is hit.

11. First-time approval

The very first time any action executes for an org, a human must approve, regardless of amount or confidence.

12. Output guardrails

Every response is checked for PII, toxicity, blocked patterns, and merchant-defined rules before dispatch. Hard violations block delivery.

Action-Level Protection

Every write action (refund, cancel, exchange) has its own independent gate with monetary thresholds, entity checks, and a full audit trail.

Monetary thresholds: Refund action
Refunds < $50: Auto-execute
Refunds $50–$200: Human approval
Refunds > $200: Blocked

Monetary thresholds

Set a dollar ceiling per action. Below: auto. Above: human approval. Above a second ceiling: blocked. VIP customers get a configurable multiplier.

Entity validation

Order #1042 → entity #1042 (Match confirmed)
Order #1042 → entity #1038 (Mismatch: blocked)
Action references an order (No entity extracted: held)

Entity validation

Order IDs in action params are cross-checked against entities extracted from the ticket. Mismatches and ambiguity block execution.
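
One way to express the refund gate described above, as an added example rather than Claro's own code. The function and field names, the integer-cent amounts, and the rule that the VIP multiplier raises only the auto-approve ceiling are assumptions; the $50 and $200 ceilings come from the refund illustration on this page.

```javascript
// Added illustration, not Claro's code; field names and policy shape are assumptions.
// Amounts are integer cents to avoid floating-point drift at the boundaries.
const REFUND_POLICY = { autoBelowCents: 5000, blockAboveCents: 20000, vipMultiplier: 1.5 };

// The order ID in the action must equal the single order extracted from the ticket.
function validateEntity(actionOrderId, extractedOrderIds) {
  const unique = [...new Set((extractedOrderIds || []).map(String))];
  if (unique.length === 0) return { ok: false, decision: 'HELD', reason: 'no entity extracted' };
  if (unique.length > 1) return { ok: false, decision: 'BLOCKED', reason: 'ambiguous order reference' };
  if (unique[0] !== String(actionOrderId)) return { ok: false, decision: 'BLOCKED', reason: 'entity mismatch' };
  return { ok: true };
}

// Entity check runs before the monetary check, matching the page's gate order (08, then 09).
function gateRefund(action, ctx, policy = REFUND_POLICY) {
  if (!Number.isInteger(action.amountCents) || action.amountCents <= 0) {
    return { decision: 'BLOCKED', reason: 'invalid amount' };
  }
  const entity = validateEntity(action.orderId, ctx.extractedOrderIds);
  if (!entity.ok) return { decision: entity.decision, reason: entity.reason };

  // Assumption: the VIP multiplier raises only the auto-approve ceiling and can
  // never lift it past the hard block ceiling.
  const multiplier = ctx.isVip ? policy.vipMultiplier : 1;
  const autoBelow = Math.min(policy.autoBelowCents * multiplier, policy.blockAboveCents);

  if (action.amountCents > policy.blockAboveCents) return { decision: 'BLOCKED', reason: 'above hard ceiling' };
  if (action.amountCents >= autoBelow) return { decision: 'NEEDS_APPROVAL', reason: 'above auto-approve ceiling' };
  return { decision: 'AUTO_EXECUTE', reason: 'within auto-approve ceiling' };
}
```

Every returned decision, including HELD and BLOCKED, is the record that would be written to the audit log.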

Action audit log

shopify.createRefund   AI (auto)    $34.00    SUCCESS
shopify.cancelOrder    AI → human   $142.00   PENDING
shopify.createRefund   Rate limit   $340.00   BLOCKED

Full audit log

Every action (successful, blocked, or pending approval) is logged with inputs, outputs, monetary value, and guardrail decision.

Human-in-the-Loop

These conditions always pause automation and require a human to approve before anything executes. No exceptions.

First-time action execution: always, regardless of amount
Monetary value above the auto-approve threshold
Order older than the configured max age
Customer flagged for abuse patterns
High or critical risk intelligence signal
Merchant escalation rule matched
Entity mismatch or ambiguous order reference
Classification confidence below org threshold

Output Guardrails

Every generated reply is checked before it reaches the customer. Hard violations block delivery.

PII detection (Auto-redact available)

Email addresses
Phone numbers
Credit card numbers
Social Security Numbers
IP addresses

Blocked patterns (Merchant-configurable)

Competitor mentions
Prohibited phrases
Legal trigger words
Internal terminology
Custom regex patterns

Toxicity & tone (Hard block on violation)

Profanity
Threatening language
Discriminatory language
All-caps responses
Aggressive phrasing

Required content (Policy-driven)

Policy reference in refund replies
Disclaimer requirements
ALWAYS_INCLUDE rules
Brand-mandated phrases
Custom required patterns

Infrastructure Security

The platform controls protecting data at rest, in transit, and across tenant boundaries.

Encryption at Rest

All integration credentials (OAuth tokens, API keys) are encrypted using AES-256-GCM with scrypt-based key derivation. Per-value salts ensure that identical credentials produce unique ciphertexts.
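
An added Node.js example of the scheme this paragraph names (AES-256-GCM, scrypt key derivation, a fresh salt per value); it is not Claro's code. The blob layout, the 12-byte IV, Node's default scrypt cost, and a master secret supplied by the caller are assumptions.

```javascript
// Added illustration, not Claro's code. Blob layout and parameters are assumptions.
const { scryptSync, randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

const SALT_LEN = 16, IV_LEN = 12, TAG_LEN = 16; // bytes

// Derive a 256-bit key from the master secret and this value's own salt
// (Node's default scrypt cost: N=16384, r=8, p=1).
function deriveKey(masterSecret, salt) {
  return scryptSync(masterSecret, salt, 32);
}

// Assumed layout: salt || iv || auth tag || ciphertext, base64-encoded.
function encryptCredential(plaintext, masterSecret) {
  const salt = randomBytes(SALT_LEN); // fresh salt, so a fresh key, for every value
  const iv = randomBytes(IV_LEN);
  const cipher = createCipheriv('aes-256-gcm', deriveKey(masterSecret, salt), iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), ct]).toString('base64');
}

function decryptCredential(blob, masterSecret) {
  const buf = Buffer.from(blob, 'base64');
  if (buf.length < SALT_LEN + IV_LEN + TAG_LEN) throw new Error('ciphertext too short');
  const salt = buf.subarray(0, SALT_LEN);
  const iv = buf.subarray(SALT_LEN, SALT_LEN + IV_LEN);
  const tag = buf.subarray(SALT_LEN + IV_LEN, SALT_LEN + IV_LEN + TAG_LEN);
  const ct = buf.subarray(SALT_LEN + IV_LEN + TAG_LEN);
  const decipher = createDecipheriv('aes-256-gcm', deriveKey(masterSecret, salt), iv,
    { authTagLength: TAG_LEN });
  decipher.setAuthTag(tag);
  // final() throws if the tag does not verify: wrong key or modified bytes.
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}
```

Encrypting the same token twice yields two different blobs that both decrypt to the original, and flipping any byte of a blob makes decryption throw instead of returning altered plaintext.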

Encryption in Transit

All connections are protected by TLS. Vercel enforces HTTPS on all endpoints with no option to downgrade.

Tenant Isolation

Every data table includes an organization identifier. All queries are scoped by tenant at the application layer, with tenant IDs derived from authenticated sessions, never from user-supplied input.

Authentication

Powered by Supabase Auth with email/password authentication, session-based management with automatic refresh, and middleware-enforced route protection on all authenticated endpoints.

AI Context Isolation

AI context is constructed per-request with strict tenant scoping. There is no shared AI state between tenants. Each merchant's data is processed in complete isolation.

Credential Management

OAuth tokens are encrypted at rest, decrypted only in memory at the moment of use, and automatically refreshed. Credentials never appear in logs or error messages.

Audit Logging

Every AI action is logged with full context: who triggered it, what action was taken, which tool was used, the result, and the confidence score. Logs are tenant-scoped with 12+ month retention.

Background Job Isolation

All background jobs carry a tenant identifier. Job failures are isolated per tenant and cannot impact other organizations' workloads.

Rate Limiting

Per-tenant sliding window rate limiting via Upstash Redis prevents abuse and ensures fair resource allocation across all tenants.

Configurable Guardrails

Action thresholds, first-time approval requirements, and shadow mode give merchants full control over what the AI can do autonomously, with safe defaults out of the box.

Infrastructure

Hosting

Vercel: serverless edge network with automatic HTTPS, DDoS protection, and global CDN

Database

Supabase: managed PostgreSQL with automated backups, encryption at rest, and point-in-time recovery

AI Inference

Google Cloud: enterprise-grade AI infrastructure with comprehensive security certifications

Security Roadmap

We are transparent about what is implemented today versus what is planned.

Database-Level Row-Level Security (RLS): In progress

Supabase RLS policies on all tenant-scoped tables as a second line of defense beyond application-layer scoping.

Per-Tenant Envelope Encryption: Planned

Dedicated encryption keys per tenant for complete credential isolation between organizations.

SOC 2 Type II Certification: In progress

Formal compliance program underway. Architecture has been designed with SOC 2 controls in mind from day one.

Responsible Disclosure

If you discover a security vulnerability, please report it responsibly. Contact us at hello@useclaro.io with details of the vulnerability. We will acknowledge receipt within 48 hours and work with you to understand and address the issue promptly.

Vendor Security

Automation you can actually trust

Every safeguard on this page is active in production today. No configuration required. Just connect and go.