HIPAA, GDPR & PCI-DSS SOP Documentation

Claudia can be used in healthcare workflows with the following conditions met:

• →A Business Associate Agreement (BAA) must be executed with your covered entity. Claudia does not execute BAAs directly as a Chrome extension.
• →Encryption at rest is provided (AES-256-GCM). Data in transit is not applicable — no workflow or recording data leaves your device. (License activation sends a device identifier and license key to Claudia's server; see note above.)
• →Audit logs track all access, export, and deletion events.
• →Users are responsible for ensuring they only record workflows they are authorized to document.

Claudia automatically redacts payment card data:

• →Credit card numbers are detected via pattern matching and replaced with [CARD REDACTED] before storage.
• →Fields with autocomplete="cc-number", cc-csc", or similar hints are treated as sensitive and fully redacted.
• →CVV/CVC values are never stored.
• →Payment page screenshot toggle — enable in Settings to automatically skip screenshots on checkout, payment, and billing pages. Detects Stripe, PayPal, Braintree, Square, and common payment URL patterns.

Local-only architecture is advantageous for GDPR — because no workflow data is transmitted to Claudia's servers, a data processor relationship for recording data is designed to not exist, provided recordings remain local and are not transmitted externally.

• →Explicit consent is collected before each recording session via both the side panel and popup.
• →Right to erasure: delete individual recordings or all data at once from Settings.
• →Data minimization: configurable auto-deletion (30 to 365 days). URL query parameters (tokens, API keys) are automatically stripped on export.
• →No workflow data is transmitted to Claudia's servers — a Data Processing Agreement with Claudia is not expected to be required for recording data, provided recordings remain local. (License activation involves minimal data exchange; see our privacy policy for details.)

• →Consent is obtained before recording begins.
• →Users can delete individual recordings or all data at once from Settings (right to deletion).
• →Claudia does not sell or share recording data. No workflow recording data — screenshots, step content, or exports — is transmitted to Claudia's servers. (License activation involves minimal data exchange; see our privacy policy for details.) Audit logs can be exported as CSV for your records.

• →Encryption at rest satisfies the GLBA Safeguards Rule requirement to protect customer financial information.
• →Organizations using Claudia must include it in their written information security plan (WISP).
• →Audit logs support access control documentation requirements.

• →Explicit consent before every recording session via both the side panel and popup. Configurable auto-deletion (30 to 365 days) enforces data minimization.
• →No workflow or recording data leaves the device. (License activation sends a device identifier and license key to Claudia's server, but this is separate from any recorded workflow content.) Institution must approve use as part of their FERPA compliance program.

Claudia provides audit logging with CSV export, but SOX's 7-year tamper-evident retention requirement is difficult to guarantee with local browser storage alone.

• →Audit log CSV export is available in Settings — export regularly to meet external archival requirements.
• →Organizations should supplement with a centralized audit log archival solution for full SOX compliance.

Claudia implements encryption, access controls, and audit logging consistent with SOC 2 principles. However, SOC 2 Type II requires an annual third-party audit of the organization's controls — not just the tool.

• →Enterprise customers should include Claudia in their own SOC 2 scope documentation.

FedRAMP requires an Authority to Operate (ATO) issued by a federal agency, which applies to cloud service providers — not local Chrome extensions. Claudia cannot be used for workflows involving Controlled Unclassified Information (CUI) in government contexts.

Claudia is a professional productivity tool not directed at children under 13 and does not knowingly collect personal information from children. If you believe a child has used this extension, contact us and we will promptly delete any associated data.

• →Claudia uses local browser storage (IndexedDB, chrome.storage) with explicit consent before recording. No third-party tracking cookies are set by the extension.
• →The landing page uses Google Analytics for aggregate traffic measurement. No personal data from recordings is included in analytics.