Security

Enterprise-grade security infrastructure built for the reinsurance industry

Security-First Architecture

Reinsured.AI employs a defense-in-depth security strategy with multiple layers of protection designed specifically for handling sensitive reinsurance data. Our security infrastructure meets the rigorous requirements of Lloyd's market participants, global reinsurers, and regulatory authorities.

Data Encryption

Encryption at Rest

  • AES-256 encryption for all stored data
  • Separate encryption keys per customer (data isolation)
  • Hardware Security Modules (HSMs) for key management
  • Automated key rotation policies
  • Encrypted database backups with separate key storage

Encryption in Transit

  • TLS 1.3 for all data transmission
  • Perfect Forward Secrecy (PFS) enabled
  • Strong cipher suites only (no weak algorithms)
  • Certificate pinning for API communications
  • Encrypted file uploads and downloads

End-to-End Encryption

  • Optional E2EE for highly sensitive documents
  • Client-side encryption before upload
  • Zero-knowledge architecture options for maximum privacy

Access Control & Authentication

Multi-Factor Authentication (MFA)

  • Required for all user accounts
  • Support for TOTP, SMS, and hardware tokens (YubiKey, etc.)
  • Biometric authentication options
  • Adaptive authentication based on risk signals

Role-Based Access Control (RBAC)

  • Granular permission system by role and function
  • Principle of least privilege enforcement
  • Segregation of duties for critical operations
  • Just-in-time (JIT) access for elevated privileges

Single Sign-On (SSO)

  • SAML 2.0 and OAuth 2.0 / OpenID Connect support
  • Integration with enterprise identity providers (Okta, Azure AD, etc.)
  • Automated user provisioning and deprovisioning (SCIM)

Session Management

  • Automatic session timeout after inactivity
  • Concurrent session limits
  • IP whitelisting options for restricted access
  • Device trust and management

Infrastructure Security

Cloud Infrastructure

  • Tier IV data centers with physical security controls
  • Multi-region deployment for redundancy
  • Private cloud options for maximum isolation
  • Network segmentation and micro-segmentation
  • DDoS protection and mitigation

Network Security

  • Web Application Firewall (WAF) with custom rules
  • Intrusion Detection and Prevention Systems (IDS/IPS)
  • Virtual Private Cloud (VPC) isolation
  • Private endpoints for database and service connections
  • Zero-trust network architecture

Container & Application Security

  • Immutable infrastructure and containers
  • Runtime application self-protection (RASP)
  • Container image scanning for vulnerabilities
  • Secrets management with HashiCorp Vault

Security Monitoring & Response

24/7 Security Operations Center (SOC)

  • Real-time threat monitoring and analysis
  • Security Information and Event Management (SIEM)
  • Automated threat detection with machine learning
  • Incident response team on standby

Logging & Audit Trails

  • Comprehensive logging of all system activities
  • Immutable audit logs with cryptographic verification
  • User action tracking and accountability
  • 7-year log retention for compliance
  • Exportable logs for customer security analysis

Vulnerability Management

  • Continuous vulnerability scanning
  • Automated patch management with testing
  • Quarterly penetration testing by third parties
  • Bug bounty program for responsible disclosure
  • Security patch SLA: critical vulnerabilities patched within 24 hours

Application Security

Secure Development Lifecycle (SDL)

  • Security requirements in design phase
  • Static Application Security Testing (SAST) in CI/CD
  • Dynamic Application Security Testing (DAST)
  • Software Composition Analysis (SCA) for dependencies
  • Mandatory code reviews with security focus

API Security

  • OAuth 2.0 token-based authentication
  • Rate limiting and throttling
  • API key rotation policies
  • Input validation and output encoding
  • OWASP API Security Top 10 compliance

Data Protection & Privacy

  • Data residency options (EU, US, APAC)
  • Customer data isolation (no cross-tenant access)
  • Secure data deletion with verification
  • Data Loss Prevention (DLP) controls
  • Privacy by design principles
  • Regular privacy impact assessments

Business Continuity & Disaster Recovery

  • 99.9% uptime SLA with redundant systems
  • Automated backups every 4 hours
  • Multi-region replication for disaster recovery
  • Recovery Time Objective (RTO): 4 hours
  • Recovery Point Objective (RPO): 15 minutes
  • Annual disaster recovery drills

Security Certifications & Compliance

SOC 2 Type II

Annual audit covering security, availability, and confidentiality

ISO 27001

Certified Information Security Management System

GDPR Compliant

Full compliance with EU data protection regulations

Penetration Tested

Quarterly third-party security assessments

Employee Security

  • Background checks for all employees
  • Regular security awareness training
  • Strict confidentiality agreements
  • Zero standing access policies for production
  • Separation of duties enforcement

Incident Response

Our incident response protocol includes:

  • Immediate containment and investigation
  • Customer notification within 24 hours of a confirmed breach
  • Forensic analysis and root cause determination
  • Remediation and security improvements
  • Regulatory reporting as required
  • Post-mortem and lessons learned documentation

Security Resources

Available for enterprise customers:

  • SOC 2 reports and security documentation
  • Penetration test summaries
  • Security questionnaire responses
  • Architecture diagrams and data flow documentation

Report a Security Issue

If you discover a security vulnerability, please report it to hello@support.reinsured.ai. We take all reports seriously and will respond within 24 hours.