🛡️

Security You Can Verify

We believe trust is earned through transparency, not promises. Explore our certifications, compliance frameworks, security architecture, and continuously monitored controls.

All Systems Operational · Last audited Feb 2026
Independently Verified
Our security program is validated by independent third-party auditors against the most rigorous industry standards.
🔒
SOC 2 Type II
Service Organization Control 2
Independently audited for security, availability, processing integrity, confidentiality, and privacy across all trust service criteria.
Certified
Audit period: Jan – Dec 2025
🌐
ISO 27001
Information Security Management
Certified information security management system covering risk assessment, access controls, incident response, and continuous improvement.
Certified
Valid through Dec 2027
📋
ISO 27701
Privacy Information Management
Extension to ISO 27001 that establishes a Privacy Information Management System (PIMS) for handling personally identifiable information.
Certified
Valid through Dec 2027
⚡
SOC 3
General Use Report
Publicly available attestation report summarizing the results of our SOC 2 Type II audit — available for download without NDA.
Certified
Issued Feb 2026
🇺🇸
NAIC Compliance
Insurance Data Security Model Law
Full compliance with the NAIC Insurance Data Security Model Law (MDL-668) adopted across all operating states.
Compliant
All 51 jurisdictions
🔐
CCPA / CPRA
California Consumer Privacy Act
Full compliance with CCPA/CPRA requirements including consumer rights management, data inventory, opt-out mechanisms, and data processing agreements.
Compliant
Continuously monitored
🌍
GDPR
General Data Protection Regulation
GDPR-ready data processing with lawful basis documentation, DPIAs, cross-border transfer safeguards, and data subject rights automation.
Compliant
Continuously monitored
πŸ₯
HIPAA
Health Insurance Portability & Accountability
HIPAA-compliant safeguards for any protected health information processed through our workers' compensation and employee benefits lines.
Compliant
BAA available on request
Security, Compliance & Privacy
Trust is built on three pillars. Here's how we deliver on each.
🔒
Security
✓ AES-256 encryption at rest, TLS 1.3 in transit
✓ Zero Trust network architecture with microsegmentation
✓ Annual penetration testing by independent third parties
✓ 24/7 SOC monitoring with automated incident response
✓ Immutable audit logs with 12-month retention
✓ Secure SDLC with code scanning and dependency analysis
✓ Web Application Firewall (WAF) and DDoS mitigation
📋
Compliance
✓ Licensed in all 50 states + D.C. across 3 lines of authority
✓ Continuous compliance monitoring via Drata
✓ NAIC MDL-668 compliant across all jurisdictions
✓ Automated evidence collection and control testing
✓ Vendor risk management with sub-processor oversight
✓ Employee security awareness training (quarterly)
✓ Business continuity & disaster recovery plans tested annually
🔐
Privacy
✓ Privacy by Design embedded in product development
✓ CCPA/CPRA and GDPR compliant data handling
✓ Automated data subject request fulfillment
✓ Data Processing Agreements with all sub-processors
✓ Data minimization and purpose limitation controls
✓ Role-based access with least-privilege enforcement
✓ Regular privacy impact assessments (DPIAs)
Built on Trusted Foundations
Our platform runs on enterprise-grade cloud infrastructure with redundancy, encryption, and monitoring at every layer.
☁️
Cloud Hosting
AWS with multi-AZ deployment for high availability and fault tolerance
🔑
Key Management
AWS KMS with customer-managed keys and automatic rotation
🛡️
WAF & DDoS
CloudFront + AWS Shield Advanced with custom rule sets
📊
SIEM & Monitoring
Real-time log aggregation, anomaly detection, and automated alerting
🔄
Backups
Automated daily backups with cross-region replication and 90-day retention
🔍
Vulnerability Scanning
Continuous scanning with SLA-based remediation and patch management
🧪
Pen Testing
Annual third-party penetration testing with interim red team exercises
🚨
Incident Response
Documented IR plan with <1 hr detection SLA and 72 hr notification
Live Control Status
Our security controls are continuously monitored via Drata. These statuses reflect real-time compliance posture.
Endpoint Protection · Passing
All employee devices run EDR with real-time threat detection, disk encryption, and automated patch management.
Access Controls · Passing
SSO with MFA enforced on all systems. Quarterly access reviews with automated de-provisioning.
Data Encryption · Passing
AES-256 encryption at rest, TLS 1.3 in transit. No unencrypted data stores or transmission channels.
Vulnerability Management · Passing
Critical vulnerabilities patched within 24h. High within 7 days. Continuous scanning across all environments.
Change Management · Passing
All production changes require peer review, automated testing, and approval before deployment.
Security Training · Passing
Quarterly security awareness training with phishing simulations. 100% completion rate maintained.
Backup & Recovery · Passing
Daily encrypted backups with cross-region replication. Recovery testing performed quarterly.
Network Security · Monitoring
VPC isolation, security groups, NACLs, and IDS/IPS across all network boundaries.
Logging & Monitoring · Passing
Centralized immutable logging with 12-month retention. Real-time alerting on anomalous activity.
Policies & Reports
Access our security documentation. Some reports require NDA — click to request access.
📄
Privacy Policy
Public · Updated Feb 2026
📄
Terms of Service
Public · Updated Feb 2026
📑
Data Processing Agreement
Public · Updated Feb 2026
🔒
SOC 2 Type II Report
NDA Required · Request Access
🔒
Penetration Test Summary
NDA Required · Request Access
📋
ISO 27001 Certificate
Public · View Certificate
📊
SOC 3 Report
Public · Download
🔗
Sub-Processor List
Public · Updated Feb 2026
Common Questions
Quick answers to the security and compliance questions we hear most often.
Where is my data stored?
All data is stored in AWS data centers within the United States (us-east-1 and us-west-2 regions) with cross-region replication for disaster recovery. Data is encrypted at rest using AES-256 via AWS KMS with customer-managed keys.
How do you handle data breaches?
We maintain a documented Incident Response Plan with a <1 hour detection SLA. In the event of a confirmed breach involving personal data, we notify affected parties and relevant regulators within 72 hours in compliance with GDPR, CCPA, and state insurance data security laws.
Can I get a copy of your SOC 2 report?
Yes. Our SOC 2 Type II report is available under NDA. Please contact our compliance team at security@aideninsurance.com or use the request access link in the Policies & Reports section above. Our SOC 3 report is publicly available for immediate download.
Do you support SSO and MFA?
Yes. We support SAML 2.0 and OpenID Connect SSO integration. Multi-factor authentication is enforced for all user accounts — both internal and client-facing. We support hardware security keys, authenticator apps, and push-based MFA.
What compliance automation platform do you use?
We use Drata for continuous compliance monitoring, automated evidence collection, and control testing across SOC 2, ISO 27001, GDPR, HIPAA, and CCPA frameworks. Our Trust Center integrates with Drata to provide real-time visibility into our control status.
How do you vet your sub-processors?
All sub-processors undergo a security assessment before onboarding that includes SOC 2 report review, a security questionnaire, and contractual DPA requirements. We maintain an active sub-processor list and notify clients of any changes with 30 days' advance notice.

Have Security Questions?

Our compliance team is ready to walk you through our security program, provide reports, and answer your questionnaire.