Trust Center

Security You Can Verify

We believe trust is earned through transparency, not promises. Explore our certifications, compliance frameworks, security architecture, and continuously monitored controls.

All Systems Operational
Certifications & Attestations

Independently Verified

Our security program is validated by independent third-party auditors against the most rigorous industry standards.

  • SOC 2
    Type II
    Certified

    Independently audited controls for security, availability, and data integrity the gold standard for SaaS security.

    AICPA SOC 2 overview →
  • ISO
    27001
    Certified

    International standard for information security management, covering risk treatment, access controls, and continuous improvement.

    ISO 27001 standard →
  • HIPAA
    Compliant
    Compliant

    Federal safeguards for protected health information, ensuring patient data is handled with strict confidentiality and access controls.

    HHS HIPAA overview →
  • GDPR
    Compliant
    Compliant

    EU data protection regulation compliance lawful data processing, user rights management, and cross-border transfer safeguards.

    GDPR regulation →
  • AI ISO
    42001
    Certified

    Global standard for AI management systems responsible development, bias controls, transparency, and governance of AI-powered features.

    ISO 42001 standard →
Request SOC 2 Type II Report →
Our Approach

Security, Compliance & Privacy

Trust is built on three pillars. Here's how we deliver on each.

Security
AES-256 encryption at rest, TLS 1.3 in transit
Zero Trust network architecture
Annual penetration testing by third parties
24/7 SOC monitoring with automated incident response
Immutable audit logs with 12-month retention
Secure SDLC with code scanning
WAF and DDoS mitigation
Compliance
NAIC MDL-668 compliant
NIST CSF alignment
State insurance regulatory compliance
Automated evidence collection
Vendor risk management
Quarterly security training
BC/DR plans tested annually
Privacy
Privacy by Design in product development
CCPA/CPRA and GDPR compliant handling
Automated data subject request fulfillment
DPAs with all sub-processors
Data minimization controls
Role-based access with least-privilege
Regular privacy impact assessments
Infrastructure

Built on Trusted Foundations

Our platform runs on enterprise-grade cloud infrastructure with redundancy, encryption, and monitoring at every layer.

Cloud Hosting

AWS with multi-AZ deployment for high availability and fault tolerance

Key Management

AWS KMS with customer-managed keys and automatic rotation

WAF & DDoS

CloudFront + AWS Shield Advanced with custom rule sets

SIEM & Monitoring

Real-time log aggregation, anomaly detection, and automated alerting

Backups

Automated daily backups with cross-region replication and 90-day retention

Vulnerability Scanning

Continuous scanning with SLA-based remediation and patch management

Pen Testing

Annual third-party penetration testing with interim red team exercises

Incident Response

Documented IR plan with <1hr detection SLA and 72hr notification

Continuous Monitoring

Live Control Status

Our security controls are continuously monitored using automated tooling. These statuses reflect real-time compliance posture.

Endpoint ProtectionPassing

All employee devices run EDR with real-time threat detection, disk encryption, and automated patch management.

Access ControlsPassing

SSO with MFA enforced on all systems. Quarterly access reviews with automated de-provisioning.

Data EncryptionPassing

AES-256 encryption at rest, TLS 1.3 in transit. No unencrypted data stores or transmission channels.

Vulnerability ManagementPassing

Critical vulnerabilities patched within 24h. High within 7 days. Continuous scanning across all environments.

Change ManagementPassing

All production changes require peer review, automated testing, and approval before deployment.

Security TrainingPassing

Quarterly security awareness training with phishing simulations. 100% completion rate maintained.

Backup & RecoveryPassing

Daily encrypted backups with cross-region replication. Recovery testing performed quarterly.

Network SecurityMonitoring

VPC isolation, security groups, NACLs, and IDS/IPS across all network boundaries.

Logging & MonitoringPassing

Centralized immutable logging with 12-month retention. Real-time alerting on anomalous activity.

FAQ

Common Security Questions

All data is stored in AWS data centers within the United States (us-east-1 and us-west-2) with cross-region replication for disaster recovery. Data is encrypted at rest using AES-256 via AWS KMS.
We maintain a documented Incident Response Plan with a <1 hour detection SLA. In the event of a confirmed breach, we notify affected parties and relevant regulators within 72 hours.
Yes. We support SAML 2.0 and OpenID Connect SSO. Multi-factor authentication is enforced for all accounts both internal and client-facing.
We use automated compliance tooling for continuous control monitoring, automated evidence collection, and control testing across SOC 2, ISO 27001, GDPR, HIPAA, and CCPA frameworks.
All sub-processors undergo a security assessment before onboarding that includes SOC 2 report review, security questionnaire, and contractual DPA requirements.

Have Security Questions?

Our compliance team is ready to walk you through our security program, provide reports, and answer your questionnaire.

Contact Security TeamRequest a Review