For small tech teams handling sensitive data

Detect vulnerabilities in your HR SaaS
before your clients do.

CleanIssue is France's specialized cybersecurity audit firm for HR, payroll, and recruitment software publishers. Your clients, partners and candidates are already finding weak spots in your product — often before a security questionnaire or an incident. Better to identify them first.

134 expert articles published
Report delivered in 48h
OWASP & ANSSI methodology
cleanissue — audit
cleanissue@audit:~$ scan --target your-hr-app.com --mode passive
[✓] HR endpoints exposed — permissions need review
[✓] Employee data: too widely accessible
[✓] Report ready — fixes ranked → AUDIT-REVIEW.md
cleanissue@audit:~$

Built for French HR, payroll, and recruiting SaaS — teams under 50.

The reality

Sensitive data, often underestimated.

It's not just CVs and payslips. This is data that can lose you a client — or lead to far heavier legal consequences.

An HR or payroll tool centralizes identities, salaries, contracts, employee records and candidate histories — sensitive, sometimes regulated information. Teams ship fast, but nobody checks what's already exposed from the outside, against security and compliance best practices.

External Review

A first look at your real exposure.

The External Review is an initial security assessment for HR, payroll and recruiting SaaS vendors who want to understand precisely what a client, partner or malicious actor can see and access from the outside. We analyze exposed access, APIs, documents, roles and configurations — without touching your production environment.

What's included

Prioritized exposure surface

HR APIs, exports, payroll documents, roles, storage, webhooks, public configurations.

Demonstrated vulnerabilities

Every finding is backed by a reproducible proof or verifiable context.

Business-context risk reading

Vulnerabilities are linked to your real data: employee records, payslips, contracts, candidate histories.

Short, actionable debrief

A clear discussion with your team to know what to fix first.

Ideal for

HR, payroll or recruiting SaaS without a formalized external security review to date.
Teams under 50 people who want high visibility without launching a full pentest.
Preparing for a client security questionnaire, due diligence, or regulatory compliance.
Products already in production on Supabase, Firebase, Next.js, Laravel or custom APIs.
Why CleanIssue

A specialized audit firm for HR software vendors.

CleanIssue is a cybersecurity audit firm specialized in HR, payroll, and recruiting software vendors.

No security team needed

No heavy process, no complex technical prerequisites. The engagement adapts to your organization, even if you're a team of three.

Simple, readable offer

A clear scope, a report directly usable by a CTO or executive, without unnecessary jargon.

Expertise in real-world tools

Supabase, Firebase, Next.js, Laravel: we identify recurring misconfigurations in these modern environments.

Value beyond the technical

The report helps fix risks and answer client questionnaires, reassure partners, and document your compliance.

Why CleanIssue over a pentest firm?

The engagement starts faster and stays focused on what matters: identifying real exposures, without heavy mobilization of your teams.

The deliverable is designed as a document directly usable by a CTO or executive, with clear and actionable priorities.

CleanIssue draws on precise knowledge of environments used by modern vendors (Supabase, Firebase, Next.js, Laravel), enabling relevant analysis grounded in your technical realities.

We act as a first level of diagnosis, before deciding whether a deeper audit is needed.

Our offers

Four plans. Zero surprises.

Testing from outside

We test your application without any access, exactly like someone with bad intentions would.

First Review

€1,900 excl. VAT

Report delivered in 48h

Quickly see what a client, partner or attacker already sees in your product.

  • What's visible without login: pages, endpoints, documents
  • Priority risks to fix first
  • Debrief with your tech team
  • Ideal before a client audit or security questionnaire
See the details
Recommended

Full Audit

Custom quote

5 to 15 days

For a full snapshot, a detailed report and a concrete fix plan.

  • Issues ranked by business impact
  • Data and user paths affected
  • Action plan matched to your stack
  • Post-fix verification included
  • Ready-to-paste answers for your security questionnaires
Talk about your context
Case studies

What we found — what our clients fixed.

Engagement completedCriticalFound in 2 min

Anonymous client — online platform

Admin account creation with no authentication, through an endpoint left in the public JS bundle. Result: full access to every user's data.

Fixed quickly after our disclosure. Ongoing monitoring in place since.

Audit + monitoringCriticalFound in minutes

Anonymous client — digital content marketplace

The entire paid catalog was downloadable without payment. Public storage, access keys in the code, no database-level access control.

Paid audit. Founder fixed within 48h. Ongoing support to clean up the backend.

Authorized pentestCriticalExploited in under 2 min

Anonymous client — online training platform

An internal endpoint let anyone create an admin account with no authentication. Full chain: one request → account created → full access in under 2 minutes.

Authorized pentest. Fix delivered with a cleanup roadmap.

What clients say

What our clients tell us.

The audit surfaced issues we hadn't seen. Report was readable, concrete, and our tech team could use it as-is.
A

Founder, Anonymous client

Founder — SaaS vendor

A real issue we'd missed internally. Clear report, enough evidence to act on, and very professional throughout.
A

Founder, Anonymous client

Founder — digital product

Book a call

Your app has vulnerabilities. Let’s talk for 30 min.

A free intro call to assess your situation and define a concrete action plan.

Book a slot — 30 min

Confidentiel·Résultats concrets·0 jargon commercial

How we work

Three steps, zero impact on your production.

We analyze what's exposed, document each finding, and hand you a prioritized list of corrections. No modification to your environment.

Outside view

We map what's accessible without authentication: pages, subdomains, API routes, configurations and exposed access points. Everything is read-only — no modification or interaction with your infrastructure.

48h max

Clear diagnosis

Every finding is explained in business language, backed by technical evidence. The goal is to let you act quickly, not to produce yet another report to archive.

Report in 48h

Action plan

We deliver a prioritized list of corrections to integrate directly into your technical roadmap. Post-remediation follow-up is included to validate that exposures have been properly resolved.

Follow-up included
FAQ

What people ask us most.

A pentest goes further: it simulates an attack, needs more access and formal scoping. Our External Review stays focused on what's already exposed — faster to launch, better fit for a small team that wants a first snapshot.

French vendors under 50 people handling sensitive data without a security team. First priority: HR, payroll, recruiting software. Second: healthtech and legaltech.

Because the engagement starts faster, the deliverable is designed for a CTO or executive, and we know the tools modern vendors actually use (Supabase, Firebase, Next.js, Laravel). A first concrete check before deciding whether to go deeper.

No. CleanIssue never downloads, stores or exfiltrates personal data. When an exposure is identified, it is demonstrated minimally and in a controlled manner, solely to establish the technical reality. This is a non-negotiable principle of the engagement.

Yes. The report documents every personal-data exposure in relation to GDPR obligations, notably Articles 32 (security of processing) and 33 (breach notification). A concrete artifact to present during a CNIL check, compliance audit, or client request.

SaaS products and business portals built with Supabase, Firebase, Next.js, Laravel, or custom APIs. Some custom WordPress builds may also be covered. Priority: HR, payroll and recruiting software.

A scanner will tell you your SSL cert is valid. It won't see that your payroll API is exposing every client's payslips. We look for the real access mistakes: who sees what, and whether that's intended.

Contact

Tell us about your product. We reply within 24h.

Tell us about your product, your stack and your client context. We'll send you a recommendation on the review level best suited to your situation.

or
Book 30 minutes