Trust Center

Security You Can Verify

We believe trust is earned through transparency, not promises. Explore our certifications, compliance frameworks, security architecture, and continuously monitored controls.

Independently Verified

Our security program is validated by independent third-party auditors against the most rigorous industry standards.
SOC 2 Type II: Certified
Independently audited controls for security, availability, and data integrity — the gold standard for SaaS security.
Reference: AICPA SOC 2 overview

ISO 27001: Certified
International standard for information security management, covering risk treatment, access controls, and continuous improvement.
Reference: ISO 27001 standard

HIPAA: Compliant
Federal safeguards for protected health information, ensuring patient data is handled with strict confidentiality and access controls.
Reference: HHS HIPAA overview

GDPR: Compliant
EU data protection regulation compliance — lawful data processing, user rights management, and cross-border transfer safeguards.
Reference: GDPR regulation

ISO 42001 (AI): Certified
Global standard for AI management systems — responsible development, bias controls, transparency, and governance of AI-powered features.
Reference: ISO 42001 standard

Security, Compliance & Privacy

Trust is built on three pillars. Here's how we deliver on each.
Security
AES-256 encryption at rest, TLS 1.3 in transit
Zero Trust network architecture
Annual penetration testing by third parties
24/7 SOC monitoring with automated incident response
Immutable audit logs with 12-month retention
Secure SDLC with code scanning
WAF and DDoS mitigation
Compliance
NAIC MDL-668 compliant
NIST CSF alignment
State insurance regulatory compliance
Automated evidence collection
Vendor risk management
Quarterly security training
BC/DR plans tested annually
Privacy
Privacy by Design in product development
CCPA/CPRA and GDPR compliant handling
Automated data subject request fulfillment
DPAs with all sub-processors
Data minimization controls
Role-based access with least-privilege
Regular privacy impact assessments

Built on Trusted Foundations

Our platform runs on enterprise-grade cloud infrastructure with redundancy, encryption, and monitoring at every layer.
Cloud Hosting: AWS with multi-AZ deployment for high availability and fault tolerance
Key Management: AWS KMS with customer-managed keys and automatic rotation
WAF & DDoS: CloudFront + AWS Shield Advanced with custom rule sets
SIEM & Monitoring: Real-time log aggregation, anomaly detection, and automated alerting
Backups: Automated daily backups with cross-region replication and 90-day retention
Vulnerability Scanning: Continuous scanning with SLA-based remediation and patch management
Pen Testing: Annual third-party penetration testing with interim red team exercises
Incident Response: Documented IR plan with <1hr detection SLA and 72hr notification

Live Control Status

Our security controls are continuously monitored using automated tooling. These statuses reflect real-time compliance posture.
Endpoint Protection: Passing
All employee devices run EDR with real-time threat detection, disk encryption, and automated patch management.
Access Controls: Passing
SSO with MFA enforced on all systems. Quarterly access reviews with automated de-provisioning.
Data Encryption: Passing
AES-256 encryption at rest, TLS 1.3 in transit. No unencrypted data stores or transmission channels.
Vulnerability Management: Passing
Critical vulnerabilities patched within 24h. High within 7 days. Continuous scanning across all environments.
Change Management: Passing
All production changes require peer review, automated testing, and approval before deployment.
Security Training: Passing
Quarterly security awareness training with phishing simulations. 100% completion rate maintained.
Backup & Recovery: Passing
Daily encrypted backups with cross-region replication. Recovery testing performed quarterly.
Network Security: Monitoring
VPC isolation, security groups, NACLs, and IDS/IPS across all network boundaries.
Logging & Monitoring: Passing
Centralized immutable logging with 12-month retention. Real-time alerting on anomalous activity.

Common Questions

Where is my data stored?
All data is stored in AWS data centers within the United States (us-east-1 and us-west-2) with cross-region replication for disaster recovery. Data is encrypted at rest using AES-256 via AWS KMS.
How do you handle data breaches?
We maintain a documented Incident Response Plan with a <1 hour detection SLA. In the event of a confirmed breach, we notify affected parties and relevant regulators within 72 hours.
Do you support SSO and MFA?
Yes. We support SAML 2.0 and OpenID Connect SSO. Multi-factor authentication is enforced for all accounts — both internal and client-facing.
How do you monitor compliance continuously?
We use automated compliance tooling for continuous control monitoring, automated evidence collection, and control testing across SOC 2, ISO 27001, GDPR, HIPAA, and CCPA frameworks.
How do you vet your sub-processors?
All sub-processors undergo a security assessment before onboarding that includes SOC 2 report review, security questionnaire, and contractual DPA requirements.

Have Security Questions?

Our compliance team is ready to walk you through our security program, provide reports, and answer your questionnaire.