Enterprise-Grade Security

Your Data Security is Our Priority

Commission data is sensitive—producer payments, carrier relationships, agency revenue. We built Commission Scope with security at its core because we understand what's at stake.

SOC 2 Roadmap

Controls designed toward future third-party audit

Privacy Requests

Manual export and deletion process during pilot

Data Controls

Retention and consent controls being rebuilt

ISO 27001

Information security management (in progress)

Security Features

Multiple layers of protection ensure your data is always safe and secure.

End-to-End Encryption
All commission data encrypted at rest (AES-256) and in transit (TLS 1.3). Producer payments, carrier statements, policy details—never stored in plain text.
Secure Infrastructure
Hosted on secure US cloud infrastructure with health checks, backups, and operational runbooks. Formal uptime guarantees are handled in customer agreements.
Access Control
Role-based access helps staff see only what they need. Producer self-service access is planned after the agency-admin workflow is launch-ready.
Data Privacy
Your commission data is never sold or shared. Period. We support data retention policies and right-to-deletion for compliance with state regulations.
Complete Audit Trails
Operational activity is logged for review. Release gates include confirming audit middleware and privacy workflows in the deployed environment.
Secure Backups
Automated encrypted backups with point-in-time recovery. Years of commission history protected against loss, corruption, or accidental deletion.

Security Practices

Our comprehensive security program covers every aspect of our operations.

Secure Development
  • Code reviews for all changes
  • Automated security scanning (SAST/DAST)
  • Dependency vulnerability monitoring
  • Regular penetration testing
Infrastructure Security
  • Network segmentation and firewalls
  • Log monitoring and alerting
  • DDoS protection
  • Operational incident response runbooks
Data Protection
  • Encryption at rest and in transit
  • Encrypted secret and credential storage
  • Regular backup testing
  • Data classification policies
Access Management
  • Multi-factor authentication (MFA)
  • Magic link and OAuth login support
  • Principle of least privilege
  • Regular access reviews

Incident Response

In the unlikely event of a security incident, our dedicated team follows a rigorous response protocol to minimize impact and keep you informed.

1. Detection: Log monitoring, health checks, and alert review
2. Containment: Rapid isolation to prevent spread
3. Communication: Transparent updates to affected customers
4. Recovery: Full restoration and post-incident review

Response Approach

  • Critical incidents: Priority triage
  • High priority: Rapid review
  • Medium priority: Queued review
  • Low priority: Planned review

Report a Security Vulnerability

We take security seriously and appreciate responsible disclosure. If you discover a vulnerability, please report it to our security team.

We aim to acknowledge all reports within 24 hours and will keep you updated on our progress.

Have Security Questions?

Our team is happy to discuss our security practices and answer any questions you may have.