Last updated: March 2026
ContractIQ handles sensitive insurance agent data — including Social Security Numbers, banking information, and licensing records — on behalf of FMOs, carriers, and agents. Security is not an afterthought; it is a core design requirement. This page describes our security practices and how we protect the data entrusted to us.
All sensitive data fields stored in ContractIQ are encrypted at rest using AES-256 encryption. This includes:
- Social Security Numbers (SSN)
- Bank routing numbers and account numbers
- Taxpayer Identification Numbers (TINs, EINs)
- Signed contracting packet documents stored in Amazon S3
Encrypted fields are stored using a key derivation scheme managed by INSURASAFE. Encryption keys are rotated on a defined schedule and are never stored alongside the encrypted data. Only the last four digits of SSNs, routing numbers, and account numbers are retained in plaintext for verification display purposes.
Database-level encryption (encryption at rest for the underlying Supabase PostgreSQL instance) is enforced at the infrastructure level, providing an additional layer of protection independent of field-level encryption.
All data transmitted between clients and ContractIQ servers is encrypted using TLS 1.3. Older protocol versions (TLS 1.0, TLS 1.1, SSL) are not accepted. HTTP connections are redirected to HTTPS.
Document download URLs (contracting packet PDFs) are time-limited and cryptographically signed. A signed URL is valid for a configurable window (typically 15 minutes) and cannot be used after expiration. URLs are tied to the requesting session and cannot be shared across sessions.
API keys issued to carriers are transmitted via HTTPS headers only. API keys are hashed on storage. A compromised API key can be revoked and reissued without affecting other carrier credentials.
ContractIQ enforces role-based access control at every layer of the application:
Row-Level Security (RLS): Database queries are governed by Supabase RLS policies. Agents can read and write only their own passport data. FMO administrators can access only the agents belonging to their organization. Carriers can access only the contracting data of agents who have submitted applications for their specific carrier.
Authentication: All authenticated access is managed by Clerk, which supports multi-factor authentication (MFA), session management, and suspicious activity detection.
API Authentication: Carrier API access requires a per-carrier API key issued through the FMO portal. API keys are scoped to the issuing carrier's data only.
Admin Access: INSURASAFE engineering access to production data requires multi-factor authentication and is logged in an immutable audit trail.
ContractIQ maintains an append-only audit log of all significant platform events. The audit log records:
- Agent passport submissions and updates
- Contracting packet generation and carrier transmission
- API key issuance and revocation
- Document access (including signed URL generation)
- FMO administrator actions (invitations, releases, credential issuance)
- Authentication events
Audit log entries cannot be modified or deleted by any user, including INSURASAFE administrators. Logs are retained for a minimum of three years. The audit log is available to FMO administrators for their organization's activity and to carriers for their own API activity.
INSURASAFE is committed to achieving SOC 2 Type II certification for ContractIQ. Our roadmap includes:
Current: Implementation of security controls aligned with the SOC 2 Trust Services Criteria for Security (CC series). Internal control documentation and evidence collection. Vendor risk assessments for all third-party service providers.
In Progress: Engagement with a qualified CPA firm to conduct the Type II examination. Target completion within 18 months of general availability launch.
Enterprise customers and carriers requiring a current SOC 2 report or a copy of our security documentation may contact security@contractiq.com.
We take security vulnerabilities seriously. If you discover a security issue in ContractIQ, we ask that you disclose it to us responsibly before making it public.
How to report: Email security@contractiq.com with a description of the vulnerability, steps to reproduce it, and the potential impact. Include “Responsible Disclosure” in the subject line.
Our commitment: We will acknowledge your report within 2 business days. We will investigate and provide a substantive response within 10 business days. We will work to remediate confirmed vulnerabilities within 30 days for critical issues and 90 days for lower-severity issues. We will not pursue legal action against researchers who act in good faith under this policy.
Out of scope: Denial-of-service attacks, social engineering of INSURASAFE employees, and physical security attacks are out of scope for this program.
Security contact: security@contractiq.com