Payor Lens

Security & Data Practices

A plain-language overview of what Payor Lens stores, what it doesn't, and how access is protected. Built for practice managers evaluating whether to put billing data into a new tool.

What Payor Lens stores

  • Rate data. Negotiated rates payers publish in their Machine-Readable Files (MRFs) — the source data is public. We process it into per-code and per-payer summaries so the app loads quickly.
  • Your uploaded claims. The columns needed for analysis: billing code, payor, amounts, service date, state, provider type, claim status, denial codes, and other adjudication detail. The raw CSV file bytes are parsed in memory and discarded — only the per-line records are persisted.
  • A hashed patient identifier — if your export includes one. When your claims export has a patient identifier column, we hash it on ingest with a salt unique to your practice and store only the hash. The raw value is never persisted. The hash lets us group services for the same patient across uploads — for example, to calculate panel size or detect repeated rebills of the same claim — without storing anything that could identify the patient. If your export doesn't include a patient identifier, analytics that depend on patient-level grouping label themselves as needing it rather than working with synthesized data.
  • Account data. Your email and account identifier (from Clerk, our auth provider), the practice TIN assigned to your account, and your role.
  • Feedback you submit. The text of anything you send through the in-app feedback modal, plus your email.

What Payor Lens never stores

  • Raw CSV files. Your upload is parsed in memory and the original bytes are discarded immediately. We keep only the parsed line items.
  • Direct PHI. Patient names, dates of birth, SSNs, member / subscriber IDs, medical record numbers, addresses, phone numbers, and free-text chart notes are detected and dropped before the row is persisted — even if they appear in your upload. The one exception is the hashed patient identifier described above; that's covered under “What Payor Lens stores” with the specific protections that apply.
  • Patient addresses. Not requested, not accepted, not stored.
  • Payment card information. None collected.
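
The ingest behaviour described under "What Payor Lens stores" and "What Payor Lens never stores", sketched as an added example that is not Payor Lens code: the upload is parsed in memory, direct-PHI columns are dropped, and the patient identifier is replaced by a hash salted per practice. The column names, the use of HMAC-SHA256 as the salted hash, and the header-name-only PHI filter are assumptions made for illustration.

```python
import csv
import hashlib
import hmac
import io

# Hypothetical header names treated as direct PHI (assumption, not the product's list).
PHI_COLUMNS = {"patient_name", "dob", "ssn", "member_id", "mrn",
               "address", "phone", "chart_notes"}
PATIENT_ID_COLUMN = "patient_id"  # assumed name of the identifier column


def hash_patient_id(raw_id: str, practice_salt: bytes) -> str:
    """HMAC-SHA256 of the normalised identifier, keyed with the practice's salt."""
    normalised = raw_id.strip().upper().encode("utf-8")
    return hmac.new(practice_salt, normalised, hashlib.sha256).hexdigest()


def ingest(csv_bytes: bytes, practice_salt: bytes) -> list:
    """Parse an upload in memory; return only the per-line records to persist."""
    reader = csv.DictReader(io.StringIO(csv_bytes.decode("utf-8-sig")))
    records = []
    for row in reader:
        record = {}
        for column, value in row.items():
            key = (column or "").strip().lower()
            if not key or key in PHI_COLUMNS:
                continue  # direct PHI and unnamed overflow cells are dropped
            if key == PATIENT_ID_COLUMN:
                if value and value.strip():
                    record["patient_hash"] = hash_patient_id(value, practice_salt)
                continue  # the raw identifier is never copied into the record
            record[key] = value
        records.append(record)
    return records  # csv_bytes is not written anywhere; the caller discards it


# Constructed sample upload and salts (not real data). Real salts would come
# from a CSPRNG such as secrets.token_bytes(32), one per practice.
SAMPLE = (
    b"patient_id,patient_name,dob,billing_code,payor,amount\n"
    b"P-1001,Jane Example,1980-01-01,99213,Acme Health,112.50\n"
    b" p-1001 ,Jane Example,1980-01-01,99214,Acme Health,160.00\n"
    b"P-2002,John Sample,1975-05-05,99213,Acme Health,112.50\n"
)
SALT_PRACTICE_A = bytes(range(32))
SALT_PRACTICE_B = bytes(range(32, 64))
```

Patient identifiers are short and guessable, so in a scheme like this the per-practice salt has to be protected like a key: anyone holding both the salt and the stored hashes can test candidate identifiers against them.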

Where your data lives

  • Clerk — authentication and account identity
  • Turso (managed SQLite) — uploaded claims line items, account metadata, audit records
  • Amazon S3 — aggregated rate data (Parquet)
  • Vercel — application hosting

How access is protected

  • Invite-only. New accounts can only be created with an access token issued by an administrator. There is no open sign-up.
  • Email verification at sign-up. A verification code is sent to your email and must be entered before the account is activated.
  • Session expiry. You will be signed out automatically after an extended period and asked to re-authenticate.
  • Admin actions are logged. Every material change made by an administrator (issuing a token, deactivating an account, changing a practice's TIN) is recorded in an internal append-only audit log.

Questions

Security or data-handling questions can go to security@ironforgeintelligence.com.

Last reviewed: 2026-06-11