Detect vulnerabilities in your HR SaaS
before your clients do.
CleanIssue is France's specialized cybersecurity audit firm for HR, payroll, and recruitment software publishers. Your clients, partners and candidates are already finding weak spots in your product — often before a security questionnaire or an incident. Better to identify them first.
Built for French HR, payroll, and recruiting SaaS — teams under 50.
Sensitive data, often underestimated.
It's not just CVs and payslips. This is data that can lose you a client — or lead to far heavier legal consequences.
An HR or payroll tool centralizes identities, salaries, contracts, employee records and candidate histories — sensitive, sometimes regulated information. Teams ship fast, but nobody checks what's already exposed from the outside, against security and compliance best practices.
A first look at your real exposure.
The External Review is an initial security assessment for HR, payroll and recruiting SaaS vendors who want to understand precisely what a client, partner or malicious actor can see and access from the outside. We analyze exposed access, APIs, documents, roles and configurations — without touching your production environment.
What's included
Prioritized exposure surface
HR APIs, exports, payroll documents, roles, storage, webhooks, public configurations.
Demonstrated vulnerabilities
Every finding is backed by a reproducible proof or verifiable context.
Business-context risk reading
Vulnerabilities are linked to your real data: employee records, payslips, contracts, candidate histories.
Short, actionable debrief
A clear discussion with your team to know what to fix first.
Ideal for
A specialized audit firm for HR software vendors.
CleanIssue is a cybersecurity audit firm specialized in HR, payroll, and recruiting software vendors.
No security team needed
No heavy process, no complex technical prerequisites. The engagement adapts to your organization, even if you're a team of three.
Simple, readable offer
A clear scope, a report directly usable by a CTO or executive, without unnecessary jargon.
Expertise in real-world tools
Supabase, Firebase, Next.js, Laravel: we identify recurring misconfigurations in these modern environments.
Value beyond the technical
The report helps fix risks and answer client questionnaires, reassure partners, and document your compliance.
Why CleanIssue over a pentest firm?
The engagement starts faster and stays focused on what matters: identifying real exposures, without heavy mobilization of your teams.
The deliverable is designed as a document directly usable by a CTO or executive, with clear and actionable priorities.
CleanIssue draws on precise knowledge of environments used by modern vendors (Supabase, Firebase, Next.js, Laravel), enabling relevant analysis grounded in your technical realities.
We act as a first level of diagnosis, before deciding whether a deeper audit is needed.
Four plans. Zero surprises.
What we found — what our clients fixed.
Anonymous client — online platform
Admin account creation with no authentication, through an endpoint left in the public JS bundle. Result: full access to every user's data.
Fixed quickly after our disclosure. Ongoing monitoring in place since.
Anonymous client — digital content marketplace
The entire paid catalog was downloadable without payment. Public storage, access keys in the code, no database-level access control.
Paid audit. Founder fixed within 48h. Ongoing support to clean up the backend.
Anonymous client — online training platform
An internal endpoint let anyone create an admin account with no authentication. Full chain: one request → account created → full access in under 2 minutes.
Authorized pentest. Fix delivered with a cleanup roadmap.
What our clients tell us.
“The audit surfaced issues we hadn't seen. Report was readable, concrete, and our tech team could use it as-is.”
Founder, Anonymous client
Founder — SaaS vendor
“A real issue we'd missed internally. Clear report, enough evidence to act on, and very professional throughout.”
Founder, Anonymous client
Founder — digital product
Your app has vulnerabilities. Let’s talk for 30 min.
A free intro call to assess your situation and define a concrete action plan.
Confidentiel·Résultats concrets·0 jargon commercial
Three steps, zero impact on your production.
We analyze what's exposed, document each finding, and hand you a prioritized list of corrections. No modification to your environment.
Outside view
We map what's accessible without authentication: pages, subdomains, API routes, configurations and exposed access points. Everything is read-only — no modification or interaction with your infrastructure.
Clear diagnosis
Every finding is explained in business language, backed by technical evidence. The goal is to let you act quickly, not to produce yet another report to archive.
Action plan
We deliver a prioritized list of corrections to integrate directly into your technical roadmap. Post-remediation follow-up is included to validate that exposures have been properly resolved.
What people ask us most.
A pentest goes further: it simulates an attack, needs more access and formal scoping. Our External Review stays focused on what's already exposed — faster to launch, better fit for a small team that wants a first snapshot.
French vendors under 50 people handling sensitive data without a security team. First priority: HR, payroll, recruiting software. Second: healthtech and legaltech.
Because the engagement starts faster, the deliverable is designed for a CTO or executive, and we know the tools modern vendors actually use (Supabase, Firebase, Next.js, Laravel). A first concrete check before deciding whether to go deeper.
No. CleanIssue never downloads, stores or exfiltrates personal data. When an exposure is identified, it is demonstrated minimally and in a controlled manner, solely to establish the technical reality. This is a non-negotiable principle of the engagement.
Yes. The report documents every personal-data exposure in relation to GDPR obligations, notably Articles 32 (security of processing) and 33 (breach notification). A concrete artifact to present during a CNIL check, compliance audit, or client request.
SaaS products and business portals built with Supabase, Firebase, Next.js, Laravel, or custom APIs. Some custom WordPress builds may also be covered. Priority: HR, payroll and recruiting software.
A scanner will tell you your SSL cert is valid. It won't see that your payroll API is exposing every client's payslips. We look for the real access mistakes: who sees what, and whether that's intended.
Tell us about your product. We reply within 24h.
Tell us about your product, your stack and your client context. We'll send you a recommendation on the review level best suited to your situation.