Security
Your data security is our foundation
ES Rating is built for the insurance industry, where trust and compliance are not optional. Security is embedded into every layer of our platform, from infrastructure to application to operations.
SOC 2 Type I
ES Rating has completed a SOC 2 Type I examination, with controls assessed against the Trust Services Criteria for Security, Availability, and Confidentiality. Our SOC 2 Type II observation period is underway, and we monitor controls continuously through Vanta. The full report is available under NDA on request.
Infrastructure Security
Google Cloud Platform
All services run on Google Cloud Platform within a dedicated GCP Organization. Production workloads execute on Cloud Run (serverless containers) with Cloud SQL (managed PostgreSQL) for data storage. Google manages physical security, hardware, and hypervisor-level protections.
Network Protection
All traffic routes through Cloudflare, providing DDoS protection, Web Application Firewall (WAF), and TLS termination. Cloud Run services are not publicly accessible and require OIDC authentication from our edge layer. Direct access to backend services returns 403 Forbidden.
Environment Isolation
Production and staging environments are fully separated with distinct Cloud Run services, separate databases, and independent secrets. Staging uses test-mode credentials, and production customer data is never used in non-production environments.
Service-to-Service Authentication
Internal service communication uses OIDC tokens for Cloud Run IAM verification, with an additional origin secret header for defense-in-depth. All inter-service calls are encrypted and authenticated.
Data Protection
Encryption at Rest
All data stored in Cloud SQL and Cloud Storage is encrypted at rest using AES-256 with Google-managed encryption keys. Secrets and credentials are stored in GCP Secret Manager with envelope encryption.
Encryption in Transit
TLS 1.2 or higher is required for all connections. HSTS is enforced on all domains. HTTP requests are automatically redirected to HTTPS. Database connections use the encrypted Cloud SQL Auth Proxy.
Backup and Recovery
Automated daily database backups run with point-in-time recovery enabled. Backups are stored separately from production instances by GCP. Recovery time objective (RTO) is 1 hour; recovery point objective (RPO) is 15 minutes.
Tenant Isolation
Every database query is scoped to the authenticated tenant. Quote and policy numbers are unique per tenant. Role-based access controls ensure users only see data they are authorized to access.
Application Security
Authentication and Access Control
Studio users authenticate via Firebase Authentication with support for TOTP and SMS multi-factor authentication. Portal users authenticate with JWT tokens (bcrypt-hashed passwords, 12 rounds). MFA is required for sensitive operations including deployments and vault access.
Input Validation
API inputs are validated with Zod schemas, and database access uses the Prisma ORM with parameterized queries to prevent SQL injection. User-supplied HTML is sanitized with DOMPurify to mitigate cross-site scripting (XSS).
Payment Security
Payment processing is handled entirely by Stripe, a PCI DSS Level 1 certified provider. ES Rating never stores or processes raw card numbers. Payment amounts are verified server-side before policy issuance, including fees and taxes.
Security Headers
Responses include Content-Security-Policy, X-Frame-Options (DENY), X-Content-Type-Options (nosniff), Referrer-Policy, and Strict-Transport-Security headers. CORS is restricted to an allowlist of authorized origins.
Monitoring and Incident Response
Continuous Monitoring
Service uptime is monitored continuously with UptimeRobot, and GCP Cloud Monitoring tracks service health and performance. Structured logging via pino captures application events, and database activity is logged for audit and investigation.
Audit Trail
Every authentication event, impersonation action, and sensitive operation is logged with IP address and user agent. Webhook events from Stripe and SignWell are validated and logged. Audit logs are retained for a minimum of 30 days.
Incident Response
ES Rating maintains a formal Incident Response Plan with defined severity levels, escalation procedures, and communication protocols. Security incidents are investigated, documented, and remediated according to established timelines.
Vulnerability Management
Dependencies are continuously scanned via GitHub Dependabot. Critical and high-severity vulnerabilities are prioritized for remediation, typically within 30 days. Security review is part of our change-management process for platform changes.
Compliance and Governance
Security Policies
ES Rating maintains comprehensive security policies covering information security, access control, data management, cryptography, secure development, business continuity, incident response, and third-party risk management. Policies are reviewed and approved annually.
Vendor Management
All third-party vendors with access to customer data are assessed for security posture. Key vendors (Google Cloud, Stripe, SendGrid, SignWell, Firebase) maintain their own SOC 2 certifications. Vendor security is reviewed annually.
Change Management
All code changes go through version control (GitHub) with branch protection rules. Automated CI/CD pipelines validate builds before deployment. Production deployments require successful status checks and are logged in the deployment audit trail.
Risk Management
ES Rating maintains a formal risk register with regular assessments based on NIST 800-30 and ISO 27005 frameworks. Risks are evaluated by likelihood and impact, with documented treatment plans for all identified risks.
Availability
ES Rating is built on Google Cloud Run, which provides automatic scaling, load balancing, and regional redundancy. Our infrastructure is designed for high availability with the following recovery objectives:
| Service | Recovery Time (RTO) | Recovery Point (RPO) |
|---|---|---|
| Database (Cloud SQL) | 1 hour | 15 minutes |
| Platform API | 30 minutes | N/A (stateless) |
| AI Orchestrator | 30 minutes | N/A (stateless) |
| Studio App | 15 minutes | N/A (static) |
| Edge/DNS (Cloudflare) | 30 minutes | N/A |
Current system status is available at status.esrating.com.
Reporting a Security Concern
If you discover a security vulnerability or have a security concern regarding ES Rating, please contact us immediately. We take all reports seriously and will respond promptly.
Security Reports
support@esrating.com
For vulnerability disclosures and security concerns
Privacy Requests
support@esrating.com
For data access, deletion, or privacy questions