Security
ES Rating is built for the insurance industry, where trust and compliance are not optional. Security is embedded into every layer of our platform, from infrastructure to application to operations.
ES Rating is pursuing SOC 2 Type I certification with continuous monitoring through Vanta. Our security controls are designed to meet the Trust Services Criteria for Security, Availability, and Confidentiality.
All services run on Google Cloud Platform within a dedicated GCP Organization. Production workloads execute on Cloud Run (serverless containers) with Cloud SQL (managed PostgreSQL) for data storage. Google manages physical security, hardware, and hypervisor-level protections.
All traffic routes through Cloudflare, providing DDoS protection, Web Application Firewall (WAF), and TLS termination. Cloud Run services are not publicly accessible and require OIDC authentication from our edge layer. Direct access to backend services returns 403 Forbidden.
Production and staging environments are fully separated with distinct Cloud Run services, separate databases, and independent secrets. Staging uses test-mode credentials, and production customer data is never used in non-production environments.
Internal service communication uses OIDC tokens for Cloud Run IAM verification, with an additional origin secret header for defense-in-depth. All inter-service calls are encrypted and authenticated.
All data stored in Cloud SQL and Cloud Storage is encrypted at rest using AES-256 with Google-managed encryption keys. Secrets and credentials are stored in GCP Secret Manager with envelope encryption.
TLS 1.2 or higher is required for all connections. HSTS is enforced on all domains. HTTP requests are automatically redirected to HTTPS. Database connections use encrypted Cloud SQL Auth Proxy.
Database backups run automatically every day with point-in-time recovery enabled. Backups are stored by GCP separately from the production instances. The recovery time objective (RTO) is 1 hour; the recovery point objective (RPO) is 15 minutes.
Every database query is scoped to the authenticated tenant. Quote and policy numbers are unique per tenant. Role-based access controls ensure users only see data they are authorized to access.
Studio users authenticate via Firebase Authentication with support for TOTP and SMS multi-factor authentication. Portal users authenticate with JWT tokens; their passwords are hashed with bcrypt at a cost factor of 12. MFA is required for sensitive operations including deployments and vault access.
All API inputs are validated with Zod schemas. Database queries use Prisma ORM with parameterized queries exclusively, preventing SQL injection. HTML output is sanitized with DOMPurify to prevent cross-site scripting (XSS).
Payment processing is handled entirely by Stripe, a PCI DSS Level 1 certified provider. ES Rating never stores or processes raw card numbers. Payment amounts are verified server-side before policy issuance, including fees and taxes.
All responses include Content-Security-Policy, X-Frame-Options (DENY), X-Content-Type-Options (nosniff), Referrer-Policy, and Strict-Transport-Security headers. CORS is restricted to authorized origins only.
All services are monitored 24/7 with UptimeRobot. GCP Cloud Monitoring tracks service health and performance. Structured logging via pino captures all application events. Database audit logging (pgaudit) records every SQL query.
Every authentication event, impersonation action, and sensitive operation is logged with IP address and user agent. Webhook events from Stripe and SignWell are validated and logged. Audit logs are retained for a minimum of 30 days.
ES Rating maintains a formal Incident Response Plan with defined severity levels, escalation procedures, and communication protocols. Security incidents are investigated, documented, and remediated according to established timelines.
Dependencies are continuously scanned via GitHub Dependabot. Critical and high severity vulnerabilities are remediated within 30 days. Regular security assessments and code reviews are performed on all platform changes.
ES Rating maintains comprehensive security policies covering information security, access control, data management, cryptography, secure development, business continuity, incident response, and third-party risk management. Policies are reviewed and approved annually.
All third-party vendors with access to customer data are assessed for security posture. Key vendors (Google Cloud, Stripe, SendGrid, SignWell, Firebase) maintain their own SOC 2 certifications. Vendor security is reviewed annually.
All code changes go through version control (GitHub) with branch protection rules. Automated CI/CD pipelines validate builds before deployment. Production deployments require successful status checks and are logged in the deployment audit trail.
ES Rating maintains a formal risk register with regular assessments based on NIST 800-30 and ISO 27005 frameworks. Risks are evaluated by likelihood and impact, with documented treatment plans for all identified risks.
ES Rating is built on Google Cloud Run, which provides automatic scaling, load balancing, and regional redundancy. Our infrastructure is designed for high availability with the following recovery objectives:
| Service | Recovery Time (RTO) | Recovery Point (RPO) |
|---|---|---|
| Database (Cloud SQL) | 1 hour | 15 minutes |
| Platform API | 30 minutes | N/A (stateless) |
| AI Orchestrator | 30 minutes | N/A (stateless) |
| Studio App | 15 minutes | N/A (static) |
| Edge/DNS (Cloudflare) | 30 minutes | N/A |
Current system status is available at status.esrating.com.
If you discover a security vulnerability or have a security concern regarding ES Rating, please contact us immediately. We take all reports seriously and will respond promptly.
support@esrating.com, for vulnerability disclosures and security concerns
support@esrating.com, for data access, deletion, or privacy questions