CCPA / CPRA
Statement
ClaimGuard's CCPA / CPRA posture mirrors its GDPR posture. We act as a service provider under the CCPA's terminology — we process personal information on behalf of customer-businesses for the customer's specified business purpose and do not "sell" or "share" personal information for ClaimGuard's own purposes.
The technical controls that satisfy California-specific requirements (reasonable security, limited retention, support for consumer-rights fulfillment via the controlling customer) are the same controls described under GDPR. The paperwork artifacts (a service-provider addendum, a published privacy notice, a documented "do not sell / share" stance) are not yet formalized — that's the gap that keeps this control at partial.
Implementation
What we are, CCPA-shape
- Role. ClaimGuard is a service provider under Cal. Civ. Code §1798.140(ag). The customer is the business.
- No selling. ClaimGuard does not sell personal information.
- No sharing for cross-context behavioral advertising. ClaimGuard does not share personal information for that purpose.
- No personal-information processing for ClaimGuard's own commercial purposes beyond providing and improving the service to the customer-business.
Technical controls satisfying "reasonable security"
The CCPA expects "reasonable security procedures and practices appropriate to the nature of the information." The same set of controls already documented across this portal applies:
- Encryption at rest (GMEK) across all stored personal information. See Encryption at rest.
- Role-and-org access control with audit-logged privileged actions. See Authorization and Audit logging (cloud).
- Backup and restore with documented procedure. See Backups.
- Vulnerability management with annual deferral renewal. See SCA and SAST.
- Documented subprocessors with EU-region storage. See Subprocessors.
Consumer rights
For California consumers whose personal information is in a customer-business's tenant, ClaimGuard supports the customer-business in fulfilling rights:
- Right to know / access: the customer-business can export the consumer's data via the application UI / API.
- Right to delete: the customer-business invokes the relevant delete operations.
- Right to correct: invoked similarly via the customer-business.
- Right to opt out of sale / sharing: ClaimGuard does not sell or share personal information, so this right is satisfied by default.
- Right to limit use of sensitive personal information: ClaimGuard does not currently process the categories the CCPA defines as "sensitive personal information" (no SSN, government identifier, precise geolocation, racial / ethnic / religious / union data, genetic data, health, sex life, financial-account login). See Data classification for the negative inventory.
What's missing for a clean CCPA story
- No published service-provider addendum on this portal.
- No published customer-facing privacy notice on this portal. Cross-listed on Privacy notice (planned).
- No documented "do not sell or share" attestation distinct from this page.
- No DSR workflow for ClaimGuard-routed consumer requests; today the customer-business is the first contact.
- No retention statement per personal-information category — cross-listed on Data retention as a partial control today.
Status
partial — verified 2026-04-29.
What's in place:
- "Reasonable security" technical controls described elsewhere on this portal.
- A negative inventory of "sensitive personal information" categories ClaimGuard does not collect.
- Subprocessor disclosure with EU-region residency.
Known gaps
- No service-provider addendum template hosted here.
- No public privacy notice.
- No documented opt-out / "do not sell or share" attestation page.
- No DSR workflow for direct consumer requests.
- No per-category retention statement.
Roadmap
- Service-provider addendum PDF on this portal.
- Privacy notice at Privacy notice.
- DSR workflow routed through security@dtectvision.ai (shared with GDPR DSRs).
- Per-category retention statement added to Data retention.
- Annual review of CCPA scope with founder sign-off — combined with GDPR review for efficiency.