CLEANROUTE // COMPLIANCE
CleanRoute compliance
For cleaning company operators. What we ship, what is available on request, and what we explicitly do not claim.
CleanRoute is a cleaning-services dispatch and recurring-job product. No HIPAA scope. Compliance focus is worker-safety (OSHA-aligned chemical SDS distribution), labor-law (ABC contractor classification, time-on-site logs), and consumer privacy.
Scope of data
What this product processes when you operate it as intended:
- Customer address, gate codes, access notes
- Scheduled jobs and route assignments
- Worker time-on-site logs
- Photos before/after job
- SDS (Safety Data Sheet) distribution to crews
Worker-safety + labor-law specifics
Operational compliance most cleaning businesses overlook.
- SDS sheets attached per chemical SKU; crew-assigned and read-receipted.
- Time-on-site clock-in/clock-out captured with geofence stamp.
- Independent-contractor (ABC test) status flagged at the worker record; we surface the right paperwork by state.
- Customer access notes (gate codes, alarm codes) encrypted at rest and access-logged.
Access control
Workspace isolation, MFA, and password-reset hygiene apply across all tiers.
- Workspace data scoped by row-level checks; admin operations require an MFA-backed session.
- Engineering production access is hardware-key MFA, ticketed, and logged.
- Account password reset round-trips email + invalidates all prior sessions.
Transport + monitoring
What every customer gets, every product, by default.
- TLS 1.2+ everywhere, HSTS preload-eligible (`max-age=31536000; includeSubDomains; preload`).
- Edge rate-limiting on auth, intake, quote, onboarding, and global write-quotas (caddy-ratelimit).
- Synthetic monitor every 5 minutes; two-strike paging on Telegram + SMS.
PCI-DSS (SAQ-A scope)
Because card data is fully outsourced to Stripe-hosted forms, we are scoped under SAQ-A — the minimum-scope self-assessment questionnaire. We do not maintain a Cardholder Data Environment.
- Card data never touches our servers — we use Stripe Checkout and the Stripe Customer Portal.
- Stripe webhook signatures are HMAC-verified server-side with a per-endpoint signing secret.
- Subscription billing, dunning, refunds, and tax run inside Stripe; we never store full PANs or CVVs.
Privacy + consumer rights
Any individual whose data we process can request access, correction, or deletion at support@brainiacstechsolutions.com. We honor the Global Privacy Control (GPC) signal as a CCPA/CPRA opt-out automatically.
- California (CCPA/CPRA): access, deletion, correction, opt-out of sale/share, limit-use of sensitive PI. We do not sell or share data for cross-context behavioral advertising.
- EU/UK (GDPR/UK-GDPR): access, rectification, erasure, restriction, portability, objection. DPA available at /dpa.
- Breach notification: 45 CFR §164.404 (HIPAA), Cal Civ §1798.82, GDPR Art. 33/34.
- Retention windows disclosed in /privacy.
Accessibility (WCAG 2.1 AA target)
We target WCAG 2.1 AA on all customer-facing surfaces and run an automated axe-core audit on every release. The audit currently passes 0 serious/critical findings across the public marketing pages.
- Skip-to-content link on every page.
- Keyboard-navigable forms with visible focus rings.
- Honors prefers-reduced-motion on transition components.
- Automated axe-core CI gate (bin/audit-a11y.ts) blocks regressions.
What we do not claim or provide
We list these explicitly so there is no ambiguity:
- We do NOT submit payroll or contractor 1099s; export available.
- We are NOT an OSHA recordkeeping system; we facilitate worker safety, you remain the employer of record.
Resources
Questions? Email sales@brainiacstechsolutions.com with subject "CleanRoutecompliance". For BAA requests, use subject "BAA request" and include your legal entity name.