Security You Can Verify
We believe trust is earned through transparency, not promises. Explore our certifications, compliance frameworks, security architecture, and continuously monitored controls.
All Systems Operational · Last audited Feb 2026
Certifications & Attestations
Independently Verified
Our security program is validated by independent third-party auditors against the most rigorous industry standards.
SOC 2 Type II
Service Organization Control 2
Independently audited for security, availability, processing integrity, confidentiality, and privacy across all trust service criteria.
ISO 27001
Information Security Management
Certified information security management system covering risk assessment, access controls, incident response, and continuous improvement.
ISO 27701
Privacy Information Management
Extension to ISO 27001 that establishes a Privacy Information Management System (PIMS) for handling personally identifiable information.
SOC 3
General Use Report
Publicly available attestation report summarizing the results of our SOC 2 Type II audit — available for download without NDA.
NAIC Compliance
Insurance Data Security Model Law
Full compliance with the NAIC Insurance Data Security Model Law (MDL-668) adopted across all operating states, including incident response and risk assessment requirements.
CCPA / CPRA
California Consumer Privacy Act
Full compliance with CCPA/CPRA requirements including consumer rights management, data inventory, opt-out mechanisms, and data processing agreements.
GDPR
General Data Protection Regulation
GDPR-ready data processing with lawful basis documentation, DPIAs, cross-border transfer safeguards, and data subject rights automation.
HIPAA
Health Insurance Portability & Accountability
HIPAA-compliant safeguards for any protected health information processed through our workers' compensation and employee benefits lines.
Our Approach
Security, Compliance & Privacy
Trust is built on three pillars. Here's how we deliver on each.
Security
✓ AES-256 encryption at rest, TLS 1.3 in transit
✓ Zero Trust network architecture with microsegmentation
✓ Annual penetration testing by independent third parties
✓ 24/7 SOC monitoring with automated incident response
✓ Immutable audit logs with 12-month retention
✓ Secure SDLC with code scanning and dependency analysis
✓ Web Application Firewall (WAF) and DDoS mitigation
Compliance
✓ Licensed in all 50 states + D.C. across 3 lines of authority
✓ Continuous compliance monitoring via Drata
✓ NAIC MDL-668 compliant across all jurisdictions
✓ Automated evidence collection and control testing
✓ Vendor risk management with sub-processor oversight
✓ Employee security awareness training (quarterly)
✓ Business continuity & disaster recovery plans tested annually
Privacy
✓ Privacy by Design embedded in product development
✓ CCPA/CPRA and GDPR compliant data handling
✓ Automated data subject request fulfillment
✓ Data Processing Agreements with all sub-processors
✓ Data minimization and purpose limitation controls
✓ Role-based access with least-privilege enforcement
✓ Regular privacy impact assessments (DPIAs)
Infrastructure
Built on Trusted Foundations
Our platform runs on enterprise-grade cloud infrastructure with redundancy, encryption, and monitoring at every layer.
Cloud Hosting
AWS with multi-AZ deployment for high availability and fault tolerance
Key Management
AWS KMS with customer-managed keys and automatic rotation
WAF & DDoS
CloudFront + AWS Shield Advanced with custom rule sets
SIEM & Monitoring
Real-time log aggregation, anomaly detection, and automated alerting
Backups
Automated daily backups with cross-region replication and 90-day retention
Vulnerability Scanning
Continuous scanning with SLA-based remediation and patch management
Pen Testing
Annual third-party penetration testing with interim red team exercises
Incident Response
Documented IR plan with <1hr detection SLA and 72hr notification
Continuous Monitoring
Live Control Status
Our security controls are continuously monitored via Drata. These statuses reflect real-time compliance posture.
Endpoint Protection: Passing
All employee devices run EDR with real-time threat detection, disk encryption, and automated patch management.
Access Controls: Passing
SSO with MFA enforced on all systems. Quarterly access reviews with automated de-provisioning.
Data Encryption: Passing
AES-256 encryption at rest, TLS 1.3 in transit. No unencrypted data stores or transmission channels.
Vulnerability Management: Passing
Critical vulnerabilities patched within 24h. High within 7 days. Continuous scanning across all environments.
Change Management: Passing
All production changes require peer review, automated testing, and approval before deployment.
Security Training: Passing
Quarterly security awareness training with phishing simulations. 100% completion rate maintained.
Backup & Recovery: Passing
Daily encrypted backups with cross-region replication. Recovery testing performed quarterly.
Network Security: Monitoring
VPC isolation, security groups, NACLs, and IDS/IPS across all network boundaries.
Logging & Monitoring: Passing
Centralized immutable logging with 12-month retention. Real-time alerting on anomalous activity.
Resources
Policies & Reports
Access our security documentation. Some reports require NDA — click to request access.
FAQ
Common Questions
Quick answers to the security and compliance questions we hear most often.
Where is my data stored?
All data is stored in AWS data centers within the United States (us-east-1 and us-west-2 regions) with cross-region replication for disaster recovery. Data is encrypted at rest using AES-256 via AWS KMS with customer-managed keys.
How do you handle data breaches?
We maintain a documented Incident Response Plan with a <1 hour detection SLA. In the event of a confirmed breach involving personal data, we notify affected parties and relevant regulators within 72 hours in compliance with GDPR, CCPA, and state insurance data security laws.
Can I get a copy of your SOC 2 report?
Yes. Our SOC 2 Type II report is available under NDA. Please contact our compliance team at security@aideninsurance.com or use the request access link in the Policies & Reports section above. Our SOC 3 report is publicly available for immediate download.
Do you support SSO and MFA?
Yes. We support SAML 2.0 and OpenID Connect SSO integration. Multi-factor authentication is enforced for all user accounts — both internal and client-facing. We support hardware security keys, authenticator apps, and push-based MFA.
What compliance automation platform do you use?
We use Drata for continuous compliance monitoring, automated evidence collection, and control testing across SOC 2, ISO 27001, GDPR, HIPAA, and CCPA frameworks. Our Trust Center integrates with Drata to provide real-time visibility into our control status.
How do you vet your sub-processors?
All sub-processors undergo a security assessment before onboarding that includes SOC 2 report review, security questionnaire, and contractual DPA requirements. We maintain an active sub-processor list and notify clients of any changes with 30 days advance notice.