Security

How we keep your data safe

No jargon. Here's exactly how Submission Bridge protects your submissions, credentials, and carrier data.

Traffic is screened before it reaches us

Every request passes through Cloudflare first — it blocks bots, rate-limits login attempts, and forces encrypted connections before traffic ever touches our servers.

Users prove who they are with short-lived tokens

When you log in, you get a signed credential that expires quickly and can't be forged. No permanent passwords floating around.

Our services only talk to each other with Google-verified IDs

Internal systems authenticate using Google-issued identity tokens — verified by Google's own infrastructure. No token, no access.

Carrier credentials live in a vault

Your portal logins are stored in Google Secret Manager — a hardware-backed vault that even our own code can only read at runtime, never see in logs or databases.

Every action is logged

Who did what, when, to which carrier. Full audit trail. Nothing happens without a record.

Your data is walled off from every other customer

Tenant isolation at the database level. Your data is yours — no other customer can access it, period.

For Your Compliance Team

Standards & Certifications

The technical details your compliance team is looking for.

SOC 2 Type 2 — In Progress

Aligned

Our controls follow SOC 2 Type 2 requirements. We run on Google Cloud (which is SOC 2 certified) and are actively working toward our own certification.

Encryption Everywhere

Implemented

AES-256 encryption at rest, TLS 1.3 in transit. No unencrypted data storage or transmission.

Access Controls

Implemented

Multi-tenant isolation, role-based access, and least-privilege principles enforced throughout.

Audit Logging

Implemented

Comprehensive logging of all user actions and system events. Retained for compliance and incident response.

Incident Response

Implemented

Documented incident response procedures with automated alerting for security events.

Vendor Security

Implemented

All third-party services (GCP, Firebase, AI providers) are SOC 2 certified or equivalent.

Data Handling

What we store and for how long

| Data Type | Retention | Encryption | Access |
|---|---|---|---|
| Submission Documents | 90 days | AES-256 | Tenant users only |
| Quote Results | 1 year | AES-256 | Tenant users only |
| Carrier Credentials | Until deleted | Secret Manager | Automation only |
| Audit Logs | 3 years | AES-256 | Admin users |
| Account Data | Account lifetime | AES-256 | User + Admins |

Infrastructure

Built on Google Cloud

Google Cloud Platform

Runs on Google's SOC 2 Type 2 certified infrastructure with automatic security patching.

Secret Manager

Carrier credentials protected by hardware security modules.

24/7 Monitoring

Automated monitoring with alerting for security events.

Security Questions?

Happy to answer questions or provide documentation for your compliance review.