Security & Compliance
Enterprise-grade controls for insurers, reinsurers, and brokers. Data is encrypted in transit and at rest, access is least-privilege, and every action is auditable.
Encryption
- TLS 1.2+ in transit
- AES-256 at rest
- KMS-backed key rotation
Identity & Access
- RBAC & least-privilege IAM
- SSO (SAML/OIDC)
- MFA enforced for admins
Data Protection
- Customer data isolation
- Field-level redaction
- Configurable retention & deletion SLAs
Logging & Audit
- Immutable audit logs
- SIEM forwarding
- Admin action reviews
Network & Runtime
- Private VPC & WAF
- Secrets manager (no secrets in code)
- Container image signing
BC/DR
- Encrypted backups
- RPO (maximum data loss): 24h • RTO (time to restore service): 4h*
- Quarterly restore tests
*Configurable by contract
Certifications & Regulatory Alignment
Information Security
- SOC 2 Type II — In progress
- ISO/IEC 27001 — Aligned / Roadmap
- Penetration tests — annual, performed by an independent third party
Privacy & Data
- GDPR/UK GDPR — DPA & SCCs available
- CCPA/CPRA — data subject rights supported
- Data residency — EU/US regions on request
Model & Prompt Security
- Retrieval-augmented generation (RAG) with strict source scoping
- Prompt-injection & data exfiltration filters
- Grounded answers with clause citations
- Policy guardrails (PII masking, toxicity/off-policy filters)
Governance
- Change-controlled model/version registry
- Human-in-the-loop approvals for pricing/wordings outputs
- Audit trail of prompts, retrievals, and decisions
Secure Development
- Peer review & protected branches
- SAST/DAST & dependency scanning
- SBOM & supply-chain controls
Vulnerability Management
- CVSS-based triage & SLAs
- Monthly patch cycles
- Emergency patch path
Third-party & Data
- Sub-processor due diligence
- DPAs & SCCs available
- Annual vendor reviews
Incident Response & Security Reviews
24×7 monitoring with SLA-based triage and customer notification of confirmed incidents. Request our security pack (policies, DPA, sub-processor list).