Trust Center

Security You Can Verify

We believe trust is earned through transparency, not promises. Explore our certifications, compliance frameworks, security architecture, and continuously monitored controls.

All Systems Operational · Last audited Feb 2026
Independently Verified
Our security program is validated by independent third-party auditors against the most rigorous industry standards.
SOC 2 Type II
System and Organization Controls 2
Independently audited (Type II) against the AICPA Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy.
Attested
Audit period: Jan – Dec 2025
ISO 27001
Information Security Management
Certified information security management system covering risk assessment, access controls, and incident response.
Certified
Valid through Dec 2027
ISO 27701
Privacy Information Management
Extension to ISO 27001 establishing a Privacy Information Management System (PIMS).
Certified
Valid through Dec 2027
SOC 3
General Use Report
Publicly available attestation report summarizing our SOC 2 Type II audit results.
Attested
Issued Feb 2026
NAIC Compliance
Insurance Data Security Model Law
Full compliance with NAIC MDL-668 across all operating states.
Compliant
All 51 jurisdictions
CCPA / CPRA
California Consumer Privacy Act
Full compliance with CCPA/CPRA including consumer rights management and data inventory.
Compliant
Continuously monitored
GDPR
General Data Protection Regulation
GDPR-ready data processing with lawful basis documentation and cross-border safeguards.
Compliant
Continuously monitored
HIPAA
Health Insurance Portability and Accountability Act
HIPAA-compliant safeguards for protected health information in workers' comp lines.
Compliant
BAA available on request
Security, Compliance & Privacy
Trust is built on three pillars. Here's how we deliver on each.
Security
AES-256 encryption at rest, TLS 1.3 in transit
Zero Trust network architecture
Annual penetration testing by third parties
24/7 SOC monitoring with automated incident response
Immutable audit logs with 12-month retention
Secure SDLC with code scanning
WAF and DDoS mitigation
Compliance
Licensed in all 50 states + D.C.
Continuous compliance monitoring via Drata
NAIC MDL-668 compliant
Automated evidence collection
Vendor risk management
Quarterly security training
BC/DR plans tested annually
Privacy
Privacy by Design in product development
CCPA/CPRA and GDPR compliant handling
Automated data subject request fulfillment
DPAs with all sub-processors
Data minimization controls
Role-based access with least-privilege
Regular privacy impact assessments
Built on Trusted Foundations
Our platform runs on enterprise-grade cloud infrastructure with redundancy, encryption, and monitoring at every layer.
Cloud Hosting
AWS with multi-AZ deployment for high availability and fault tolerance
Key Management
AWS KMS with customer-managed keys and automatic rotation
WAF & DDoS
CloudFront behind AWS Shield Advanced for DDoS mitigation, with custom WAF rule sets
SIEM & Monitoring
Real-time log aggregation, anomaly detection, and automated alerting
Backups
Automated daily backups with cross-region replication and 90-day retention
Vulnerability Scanning
Continuous scanning with SLA-based remediation and patch management
Pen Testing
Annual third-party penetration testing with interim red team exercises
Incident Response
Documented IR plan with <1hr detection SLA and 72hr notification
Live Control Status
Our security controls are continuously monitored via Drata. These statuses reflect real-time compliance posture.
Endpoint Protection · Passing
All employee devices run EDR with real-time threat detection, disk encryption, and automated patch management.
Access Controls · Passing
SSO with MFA enforced on all systems. Quarterly access reviews with automated de-provisioning.
Data Encryption · Passing
AES-256 encryption at rest, TLS 1.3 in transit. No unencrypted data stores or transmission channels.
Vulnerability Management · Passing
Critical vulnerabilities patched within 24h. High within 7 days. Continuous scanning across all environments.
Change Management · Passing
All production changes require peer review, automated testing, and approval before deployment.
Security Training · Passing
Quarterly security awareness training with phishing simulations. 100% completion rate maintained.
Backup & Recovery · Passing
Daily encrypted backups with cross-region replication. Recovery testing performed quarterly.
Network Security · Monitoring
VPC isolation, security groups, NACLs, and IDS/IPS across all network boundaries.
Logging & Monitoring · Passing
Centralized immutable logging with 12-month retention. Real-time alerting on anomalous activity.
Common Questions
Where is my data stored?
All data is stored in AWS data centers within the United States (us-east-1 and us-west-2) with cross-region replication for disaster recovery. Data is encrypted at rest using AES-256 via AWS KMS.
How do you handle data breaches?
We maintain a documented Incident Response Plan with a <1 hour detection SLA. In the event of a confirmed breach, we notify affected parties and relevant regulators within 72 hours.
Can I get a copy of your SOC 2 report?
Yes. Our SOC 2 Type II report is available under NDA. Contact [email protected] or use the request access link. Our SOC 3 report is publicly available.
Do you support SSO and MFA?
Yes. We support SAML 2.0 and OpenID Connect SSO. Multi-factor authentication is enforced for all accounts — both internal and client-facing.
What compliance automation platform do you use?
We use Drata for continuous compliance monitoring, automated evidence collection, and control testing across SOC 2, ISO 27001, GDPR, HIPAA, and CCPA frameworks.
How do you vet your sub-processors?
All sub-processors undergo a security assessment before onboarding that includes SOC 2 report review, security questionnaire, and contractual DPA requirements.

Have Security Questions?

Our compliance team is ready to walk you through our security program, provide reports, and answer your questionnaire.