Security

Built like the data actually matters. Because it does.

Policyholder data is sensitive. We architect, audit, and operate Policy Growth like a financial-grade system — not a marketing tool with a privacy page.

Foundations

The non-negotiables.

Encrypted in transit

TLS 1.2+ on every connection. Strict ciphers. HSTS enforced. Annual cert audits.

Encrypted at rest

AES-256 on every database, object store, and backup. Customer-managed keys available on Agency plans.

Least-privilege access

Role-based access controls. Just-in-time elevation for production. All access logged.

MFA required

MFA mandatory for every staff member. SSO available on Growth and Agency plans.

AI training boundary

Your customer data is never used to train models without your explicit written consent.

Tested quarterly

Independent pen tests every quarter. Bug bounty program for responsible disclosure.

Compliance

SOC 2 Type II

Audited annually by an independent firm. Report under NDA.

HIPAA

BAA available for medical-line policies.

GDPR

EU residency available. Standard Contractual Clauses for transfers.

CCPA

Compliant for California residents. Privacy requests via privacy@.

Operations

99.97% rolling uptime

Public status page at status.policygrowth.co. SLA-backed credits on Growth and Agency plans.

Multi-region failover

Database replicated across 3 AZs. Automatic failover under 30 seconds.

Daily encrypted backups

Retained 30 days. Tested monthly via full restore drill.

Incident response

On-call paged within 5 min. Customer comms within 30 min for material incidents.

DDoS protection

Cloudflare in front. Rate limiting at the edge. Auto-scaling under attack.

Audit log on everything

Every AI action, every staff action, every API call — immutable, retained 7 years.

Vendor security reviews

Every sub-processor reviewed annually. SOC 2 reports collected and tracked.

Disaster recovery

RTO of 4 hours, RPO of 15 minutes. Drills run quarterly with a written report.

Disclosure

See something? Say something.

If you believe you've found a security vulnerability in Policy Growth, please email security@policygrowth.co with reproduction steps. We respond within 24 hours.

We run a private bug bounty program for verified researchers. Contact security@ to be invited.

Need our SOC 2 report?

We share the full report under NDA. Email security@ and we'll send the NDA in under an hour.