Security & Compliance

Infrastructure

• Hosted on AWS (EC2, S3, DocumentDB, CloudFront).
• Network security groups and least-privilege IAM roles.
• Environment separation (prod vs non-prod).

Encryption

• Data in transit: TLS 1.2+.
• Data at rest: AWS-managed encryption (S3, DocumentDB).
• Secrets managed via AWS services.

Application Security

• Input validation, server-side checks, and rate limiting.
• CSRF/XSS/Clickjacking mitigations (headers, sanitization).
• Dependency updates and vulnerability scanning.

Access Controls

• Role-based access (least privilege).
• MFA for admin access.
• Audit logs for sensitive operations.

Controller vs Processor

For Customer claim data, the Customer is the controller/business and iContentsPro is the processor/service provider. For our own site, accounts, and billing, we are the controller.

See: Insurance Privacy Notice

GDPR / UK GDPR

• Processing on documented instructions (DPA available).
• Support for data subject rights via Customer.
• International transfers safeguarded by Standard Contractual Clauses where required.

CCPA / CPRA

• No “sale” No “sharing” for cross-context behavioral advertising.
• Service provider/contractor commitments in our DPA.
• Global Privacy Control (GPC) respected where applicable.

Insurance Privacy

• Controls aligned to GLBA Safeguards Rule expectations.
• Practices informed by NAIC Insurance Data Security Model Law and relevant state rules (e.g., NY DFS 23 NYCRR 500).
• Retention and deletion per Customer instruction (typ. 90-day post-termination window).

Monitoring & Logging

• Centralized logs for infra and app events.
• Basic anomaly and error monitoring with alerting.

Vulnerability & Patch Management

• Routine dependency scanning and updates.
• SLAs to address high/critical issues.

Business Continuity

• Regular backups with integrity checks.
• Restore testing within runbooks.

Incident Response

• Documented incident response process.
• Breach notifications to Customers without undue delay.