Built for small tech teams handling sensitive data

We find the flaws in your HR SaaS before your clients do.

Your clients, partners and candidates can already see things you'd rather they didn't. Better you find them first — before the next security questionnaire, or the next incident.

Ready before your next client audit
Report in 48h
Prioritized action plan

Built for French HR, payroll, and recruiting SaaS — teams under 50.

The reality

More than CVs. More than payslips. Data that can cost you a client.

An HR or payroll tool holds identities, salaries, contracts, employee records and candidate histories — all in one place. Most teams ship fast and never check what's already visible from the outside.

  • Data breaches reported to CNIL in 2024, per CNIL 2024
  • More vulnerabilities in AI-generated code (Cursor, Lovable, Copilot), per Veracode 2025
  • CNIL fines in 2025: 8.8× more than 2024, per CNIL 2025
  • People affected by the France Travail breach, per CNIL 2024

Sources: CNIL Annual Report 2024, Veracode GenAI Code Security Report 2025, ANSSI Cyber Threat Overview 2025.

How we work

3 steps. Zero impact on your team.

We check what's exposed, document each issue clearly, and hand you a ranked fix list. We never touch your production.

01. Outside view (24-48h)

We map what's reachable without a login: pages, subdomains, endpoints, exposed settings. Read-only — we change nothing.

02. Clear findings (report in 48h)

We explain each issue in plain language, with evidence. Enough for your team to act on the same day — not just file away.

03. Action plan (follow-up included)

We tell you what to fix first, and come back to check it's done.

Our offers

Three plans. Zero surprises.

First Review

Quickly see what a client, partner or attacker already sees in your product.

  • What's visible without login: pages, endpoints, documents
  • Priority risks to fix first
  • Debrief with your tech team
  • Ideal before a client audit or security questionnaire

Full Audit (Recommended)

For a full snapshot, a detailed report and a concrete fix plan.

  • Issues ranked by business impact
  • Data and user paths affected
  • Action plan matched to your stack
  • Post-fix verification included
  • Ready-to-paste answers for your security questionnaires

Ongoing Monitoring

For teams shipping often, adding new integrations, and wanting an outside eye without hiring a security lead.

  • Regular checkpoints
  • Detect new exposures
  • An independent call on product-vs-security tradeoffs
  • Re-checks after each release
  • Team awareness workshop (optional)

Case studies

What we found — what our clients fixed.

Engagement completed / Severity: Critical

Anonymous client — online platform

Admin account creation with no authentication, through an endpoint left in the public JS bundle. Result: full access to every user's data.

Fixed quickly after our disclosure. Ongoing monitoring in place since.

Found in 2 min

Audit + monitoring / Severity: Critical

Anonymous client — digital content marketplace

The entire paid catalog was downloadable without payment. Public storage, access keys in the code, no database-level access control.

Paid audit. Founder fixed within 48h. Ongoing support to clean up the backend.

Found in minutes

Authorized pentest / Severity: Critical

Anonymous client — online training platform

An internal endpoint let anyone create an admin account with no authentication. Full chain: one request → account created → full access in under 2 minutes.

Authorized pentest. Fix delivered with a cleanup roadmap.

Exploited in under 2 min

What clients say

What our clients tell us.

"The audit surfaced issues we hadn't seen. Report was readable, concrete, and our tech team could use it as-is."
Founder, SaaS vendor (anonymous client)

"A real issue we'd missed internally. Clear report, enough evidence to act on, and very professional throughout."
Founder, digital product (anonymous client)

Why CleanIssue

Built for HR SaaS teams without a security lead.

No security team needed

No heavy process, no technical prerequisites. We adapt to your setup — even for a team of three.

Clear and direct offer

A clear scope, a report a CTO or founder can use as-is, no jargon.

We know your stack

Supabase, Next.js, Firebase, Laravel: we see the same misconfigurations again and again.

Useful beyond the tech

The report helps you fix issues — and answer client questionnaires, reassure partners, and make progress on compliance.

About

One person, from scan to fix.

Florian Bonamy, security researcher and founder of CleanIssue — a solo audit practice focused on French HR, payroll and recruiting SaaS vendors. I run fast external security reviews for these vendors, without the overhead of a full pentest.

I check what a client, partner or attacker can already see from outside: access, data, documents, settings, and broken permission boundaries. The goal: clear priorities you can act on today.

Method and expertise

  • We never touch your production
  • Responsible disclosure (ANSSI / ISO 29147)
  • Supabase, Firebase, Next.js, Laravel expertise
  • Exposure mapping with GDPR-first prioritization
  • Priority sector: HR, payroll, recruiting

FAQ

What people ask us most.

Get started

Describe your product. We reply within 24h.

Tell us about your product, your stack and your clients. We'll tell you honestly whether CleanIssue is the right fit.

Or book 15 minutes.