SOC 2 Compliance

BindPilot security and compliance status

BindPilot is committed to security and regulatory compliance.

Current Status

SOC 2 Type 1 Audit: Planned for Q3 2026

What this means:

  • SOC 2 Type 1 certifies that our security controls are in place and effective as of a specific point in time
  • We'll undergo an independent audit by a Big 4 firm
  • The certificate will be available to Agency customers upon request
  • This is the first step; a SOC 2 Type 2 (12-month) audit will follow in 2027

Why SOC 2 Matters

SOC 2 is the gold standard for SaaS security in the insurance industry. It covers:

  • Access Controls — Only authorized personnel access customer data
  • Data Encryption — Data encrypted at rest and in transit
  • Audit Trails — Complete logging of who accessed what data
  • Incident Response — Documented procedures if breach occurs
  • Change Management — Controls on code/system changes
  • Availability — Uptime guarantees (99.5%+)

Insurance agents and brokers ask for SOC 2 compliance before signing enterprise contracts. We're on track.

Current Security Practices (Pre-SOC 2)

Even before formal certification, BindPilot implements:

Encryption

  • In Transit: All data encrypted via TLS 1.3 (HTTPS)
  • At Rest: Data stored in encrypted databases (AES-256)
  • Key Management: Encryption keys rotated quarterly

Access Controls

  • Role-Based Access: Each user has specific permissions (producer, CSR, admin)
  • API Keys: Secured and rotated regularly
  • Session Timeout: Automatic logout after 1 hour of inactivity
  • Multi-Factor Authentication: Coming in Q2 2026

Audit Logging

  • All Actions Logged: Every quote, proposal, client edit logged with timestamp and user
  • Retention: Logs kept for 2+ years
  • No Data Deletion: Soft-deletes only (data recoverable)

Backup & Recovery

  • Backup Frequency: Daily automated backups
  • Redundancy: Multiple geographic locations
  • Recovery Time Objective (RTO): < 4 hours to restore if needed
  • Recovery Point Objective (RPO): < 1 hour (max 1 hour of data loss)

Incident Response

  • Security Monitoring: 24/7 monitoring for anomalies
  • Response Plan: Documented procedures if breach occurs
  • Notification: Affected customers notified within 24 hours (per state law)
  • Remediation: Root cause analysis and fix deployed

Data Privacy

BindPilot is CCPA compliant (California Consumer Privacy Act) and meets NAIC standards (insurance industry).

Your Data, Your Control

  • No selling data — We never sell customer data to third parties
  • No sharing — Data is not shared except as needed to process your requests (e.g., carrier APIs)
  • Right to export — You can download all your data as CSV anytime
  • Right to delete — You can request permanent data deletion (we comply within 30 days)

Compliance Roadmap

| Timeline | Certification | Purpose |
|----------|---------------|---------|
| Q3 2026 | SOC 2 Type 1 | Security controls in place |
| Q4 2026 | GLBA Compliance | Gramm-Leach-Bliley (financial privacy) |
| 2027 | SOC 2 Type 2 | 12-month security audit |
| 2028 | ISO 27001 | International security standard |

Requesting Security Documentation

Agency Customers:

If your IT department needs:

  • SOC 2 report (when available)
  • Security questionnaire responses
  • Risk assessment documentation
  • Data processing agreement

Email security@bindpilot.ai and we'll provide them.

Starter/Professional Customers:

Security docs available upon request. Email support@bindpilot.ai.

Known Security Limitations

Before SOC 2 audit, please be aware:

  • No MFA yet — Coming Q2 2026
  • No IP whitelisting — Coming 2026
  • API rate limits are modest — 100 req/min (increased as usage grows)
  • No dedicated security team — Security is everyone's responsibility (startup culture)

These are areas we're actively improving.

Responsible Disclosure

If you find a security vulnerability:

  1. Don't post publicly
  2. Email security@bindpilot.ai with details
  3. We'll acknowledge within 24 hours
  4. We'll work with you on a fix
  5. We'll credit you when the vulnerability is announced (if you want)


Last updated: Recently