Compliance & Privacy

Claudia can be used in healthcare workflows with the following conditions met:

• →A Business Associate Agreement (BAA) must be executed with your covered entity — Claudia does not execute BAAs directly as a Chrome extension.
• →Encryption at rest is provided (AES-256-GCM). Data in transit is not applicable — no data leaves your device.
• →Audit logs track all access, export, and deletion events.
• →Users are responsible for ensuring they only record workflows they are authorized to document.

Claudia automatically redacts payment card data:

• →Credit card numbers are detected via pattern matching and replaced with [CARD REDACTED] before storage.
• →Fields with autocomplete="cc-number", cc-csc", or similar hints are treated as sensitive and fully redacted.
• →CVV/CVC values are never stored. Screenshots of payment screens may still be captured — disable screenshots for payment workflows if required.

Local-only architecture is advantageous for GDPR — no data processor relationship is created with Claudia's infrastructure.

• →Explicit consent is collected before each recording session.
• →Right to erasure: any recording can be deleted at any time. "Delete All Data" clears everything immediately.
• →Data minimization: configurable retention policy (default 90 days) with auto-deletion.
• →No data is transmitted to Claudia — no Data Processing Agreement with Claudia is required.

• →Consent is obtained before recording begins.
• →Users can delete any or all recordings at any time (right to deletion).
• →No sale or sharing of personal data — Claudia does not transmit data externally.

• →Encryption at rest satisfies the GLBA Safeguards Rule requirement to protect customer financial information.
• →Organizations using Claudia must include it in their written information security plan (WISP).
• →Audit logs support access control documentation requirements.

• →Explicit consent before recording; auto-deletion after configurable retention window.
• →No student data leaves the device. Institution must approve use as part of their FERPA compliance program.

Claudia provides audit logging, but SOX's 7-year tamper-evident retention requirement is difficult to guarantee with local browser storage alone.

• →Audit logs can be exported as CSV and archived externally to meet retention requirements.
• →Organizations should supplement with a centralized audit log archival solution for full SOX compliance.

Claudia implements encryption, access controls, and audit logging consistent with SOC 2 principles. However, SOC 2 Type II requires an annual third-party audit of the organization's controls — not just the tool.

• →Enterprise customers should include Claudia in their own SOC 2 scope documentation.

FedRAMP requires an Authority to Operate (ATO) issued by a federal agency, which applies to cloud service providers — not local Chrome extensions. Claudia cannot be used for workflows involving Controlled Unclassified Information (CUI) in government contexts.