Data Handling

How BindPilot stores and protects your insurance data

Data Handling

BindPilot handles sensitive insurance data (PII, financial records, claims). Here's how we protect it.

Data Classification

BindPilot stores three types of data:

Tier 1: Highly Sensitive (PII + Financial)

Requires highest protection:

  • SSN (Social Security Number)
  • DOB (Date of Birth)
  • Driver License Number
  • Bank Account Info (if underwriting uses it)
  • Medical Info (for life/health underwriting)

Protection: AES-256 encryption at rest, TLS 1.3 in transit, access logs

Tier 2: Sensitive (Insurance Data)

Standard protection:

  • Policy Numbers
  • Coverage Limits & Deductibles
  • Premium Amounts
  • Claims History
  • Carrier Appointments & Commission Splits

Protection: Encrypted at rest, TLS in transit, access controls

Tier 3: Standard (Non-Sensitive)

Basic protection:

  • Client Names & Addresses
  • Phone Numbers & Emails
  • Quote Timestamps
  • Proposal Templates

Protection: TLS in transit, database encryption, access controls

Geographic Data Storage

BindPilot stores all data in US-based data centers:

  • Primary Region: us-east-1 (Virginia, AWS)
  • Backup Region: us-west-2 (Oregon, AWS)
  • No international transfer: Your data never leaves the US

This complies with:

  • State insurance department requirements (data domicile)
  • CCPA (California Consumer Privacy Act)
  • Client expectations (especially government agencies)

Data Retention

Active Customers

Your data is retained as long as you have an active account.

If you cancel:

  • Days 1–90: Data archived (read-only, no new operations)
  • Day 91+: Data permanently deleted

You can request early deletion anytime.

Historical Records

Certain records are kept longer for legal/tax purposes:

| Record Type | Retention | Reason | |-------------|-----------|--------| | Quotes & Proposals | 7 years | Tax audit, E&O defense | | Commissions & Invoices | 7 years | Tax records, W-2 backup | | Audit Logs | 2 years | Security investigation | | Deleted Clients | 1 year | Recover accidental deletion |

After retention period, records are securely shredded.

Data Sharing & Processing

What We Share

BindPilot shares data only to provide the service:

| Data | Shared To | Purpose | |------|-----------|---------| | Risk Details | Carrier Rating APIs | Generate quotes | | Client Name & Address | NIPR (producer verification) | Verify licenses | | Client Email | Email Service Provider | Send proposals/renewals | | Aggregated Metrics | Analytics (Plausible, non-PII) | Track platform health |

What We Don't Share

BindPilot does not:

  • Sell customer data
  • Share with ad networks
  • Use data for AI training (your data)
  • Share with law enforcement (unless subpoenaed)

Subpoena & Legal Requests

If served with a legal demand for customer data:

  1. We notify you immediately (unless legally prohibited)
  2. We provide only what's legally required
  3. We follow law enforcement proper procedures
  4. We keep records of all requests

Compliance Standards

BindPilot aligns with:

NAIC Model Language (Insurance Industry)

  • Producer license verification via NIPR
  • E&O insurance requirements
  • State producer appointment tracking

CCPA (California Privacy Law)

  • Right to know: Customers can request their data
  • Right to delete: Customers can request deletion
  • Right to opt-out: No sale of data (we don't do this anyway)

GLBA (Gramm-Leach-Bliley Act)

  • Applies to financial institutions and insurance agents
  • Requires safeguards for customer info
  • BindPilot is on track for GLBA certification Q4 2026

Vendor Security

BindPilot uses trusted vendors:

| Vendor | Purpose | Compliance | |--------|---------|-----------| | AWS | Cloud hosting | SOC 2, ISO 27001, FedRAMP | | Stripe | Payment processing | PCI-DSS Level 1 | | SendGrid | Email delivery | SOC 2 Type 2 | | Plausible | Analytics | GDPR, CCPA compliant |

All vendors sign Data Processing Agreements (DPA) committing to your data security.

Your Responsibilities

BindPilot secures the platform, but security is shared:

| BindPilot Owns | You Own | |---|---| | Infrastructure security | Password strength | | Database encryption | Sharing credentials | | Access controls | Device security | | Incident response | Reporting suspicious activity |

Best practices on your end:

  • Use strong passwords (12+ chars, mixed case/numbers)
  • Don't share your password with team members
  • Use unique passwords for BindPilot (not same as other sites)
  • Report suspicious activity immediately

Data Breach Response

In the unlikely event of a breach:

  1. Detection: Our monitoring alerts us within minutes
  2. Containment: We isolate affected systems within 30 minutes
  3. Investigation: Root cause analysis begins immediately
  4. Notification: Customers notified within 24 hours
  5. Remediation: Fix deployed and verified
  6. Documentation: Full breach report available within 5 days

What you'll receive:

  • Notification email with details
  • Recommended actions (password reset, monitoring)
  • Availability of complimentary credit monitoring (if PII exposed)

Next: PII & Encryption and Backup & Recovery.

Last updated: Recently