A production SaaS platform for digital claims in 6 weeks

Claimity faced a challenge typical of young platform businesses: market demand was clear and the business processes were defined — but there was no production-ready platform that could go live quickly while still scaling for the long term.

Claims handling had run on scattered channels — emails, documents, manual coordination, different systems. For a growing marketplace of insurers, experts and claims adjusters, that quickly creates broken handoffs, unclear responsibilities and high coordination effort. Technically, the platform had to keep multiple parties cleanly separated — insurers file and track cases, experts work the cases assigned to them, administrators steer processes and users — and bundle documents and communication per case.

On top of that, a simple web app without a security concept isn't enough for insurance processes. Secure registration, authentication, two-factor authentication and backup codes had to be in place by go-live — the precondition for Claimity to appear trustworthy to insurers and professional partners.

smiit built a multi-tenant SaaS platform on Microsoft Azure — deliberately as a single multi-tenant architecture rather than a set of separate customer instances. That lets Claimity onboard new insurance partners, experts and adjusters quickly, without standing up dedicated infrastructure per customer. The result: less operational overhead, faster onboarding and a foundation that grows with the business.

Hosting runs on an Azure App Service — deliberately pragmatic rather than a complex Kubernetes setup: stable, low-maintenance operation with efficient deployment, scaling and monitoring. The database is Azure Database for PostgreSQL, a robust relational base for claims processes, tenants, roles, document references and billing data — while Azure handles backups, availability and patching.

Application, database and cloud components sit in a secured Azure environment with a virtual network. External access is routed in a controlled way through Azure Front Door, and sensitive configuration and secrets are kept out of the code in Azure Key Vault.

For user management, smiit relied on Keycloak as the central identity and access management component — deliberately not a self-built login, because authentication, password security, multi-factor authentication and role-based access are security-critical. Keycloak handles registration, login, roles, user groups and MFA, keeping insurers, experts and administrators cleanly separated.

Core security functions — 2FA, secure authentication, backup codes — were integrated from go-live. In insurance, that's not a technical detail but a business factor: a platform handling sensitive claims data has to build trust before it scales. Security is also designed along the processes — documents, comments and an integrated, encrypted chat keep sensitive communication out of external channels like email.

At go-live the platform supported two core processes — vehicle damage and expert assessment — built not as rigid features but as extensible process logic.

That mattered because Claimity wasn't only digitizing a single use case: after go-live, fraud investigation and specialist assessments for rail and bus were added, among others. New service areas can be added without rethinking the platform each time — lowering development effort and making the business model more resilient.

After go-live, the platform was extended with REST API interfaces — both from the app to external systems and the other way around. They allow external data to be imported or platform data to be served to downstream processes; where standard processes were missing, the interface logic was built individually. That lets the platform plug into partners' existing ERP, CRM or domain systems rather than relying on manual input.

Billing was integrated close to the process as well: invoices are still issued manually, but can be prepared, imported, edited and generated as a PDF directly from the app.

The central tension was between a fast go-live in six weeks and an architecture that wouldn't need rebuilding after market entry. smiit resolved it with a deliberately lean but robust cloud setup — lean enough for a quick start, solid enough for later extensions such as additional processes, API integrations, in-tenant role models and billing-related functions. The result was not a throwaway prototype but a production SaaS MVP on a scalable foundation.

Our first assumption was that more security is automatically better — so we planned to enforce the strongest available MFA methods, including passkeys (WebAuthn). In practice, that would have locked out legitimate users. In insurance, many partners work on managed or restricted devices, shared workstations and under strict browser and organizational policies that don't allow passkeys, or only unreliably.

Enforcing a passkey login would therefore have undermined the very goal of the security concept — trust and accessibility at go-live. So we deliberately re-scoped the MFA strategy: MFA is enforced via OTP (time-based one-time codes from an authenticator app), complemented by recovery codes for lockout situations. Passkeys were disabled for now — not discarded, but kept ready for a later optional rollout as a more convenient alternative, once the device and user landscape is clearer.

Within six weeks, Claimity went live with a production SaaS MVP — launching with two claims processes and all the security-critical fundamentals: multi-tenant architecture, role-based access, MFA and a secured Azure infrastructure.

Since then the platform has been expanded continuously — with more process types, API interfaces, in-tenant structures and billing functions. More than 1,000 cases have already been handled, together with insurers, claims adjusters and specialized experts. A platform idea became a production-ready, scalable SaaS business model.