Trust & Security

BrokerStack security overview

How we protect your clients' data — from the platform controls we have in place to how long we keep it and how you can request deletion.

AWS S3 Encrypted at RestTLS in TransitFull Audit LoggingPII Redacted Before AI Processing

Security Controls

Technical controls in place as of the current platform version.

Encryption at rest

AWS S3 server-side encryption (AES-256) + application-layer field encryption for sensitive identifiers (FEIN)

Encryption in transit

TLS enforced; HTTPS redirect; HSTS with 1-year preload including subdomains

Authentication

Session-based auth; 30-minute inactivity timeout; HttpOnly secure cookies

Multi-factor authentication

TOTP available; not currently required for all users

Role-based access

Broker and CSR roles with separate permission scopes

Audit logging

All create / update / delete operations on client, document, extraction, and comparison data are logged with user and timestamp

Rate limiting

60 req/hr anonymous; 600 req/hr authenticated; AI endpoints capped at 10/hr

Input validation

Pydantic schemas on all extracted data; strict HTML sanitisation allowlist; CSRF protection

Security headers

Baseline security headers enabled, including Content-Security-Policy, HSTS, X-Frame-Options, and secure cookies

Independent penetration test

Not yet conducted

AI & Document Processing

How client documents are handled when processed by AI services.

When a quote document is processed for data extraction, the following steps are taken before any data leaves the platform:

PII redaction: Personally identifiable information is masked from document text before transmission to AI providers.
Raw PDF transfer off by default: Raw document bytes are not sent to AI providers unless explicitly enabled per installation (default: off).
Field-level provenance: Extracted values are recorded with the model used and a confidence score, and — where the source can be matched — a page reference, for an auditable trail. Citation coverage isn't 100%; values without a match are flagged for review.
Training opt-out: The platform redacts PII in code before AI calls. A contractual training opt-out requires an enterprise agreement with each AI provider and is not currently in place.

Continuous Security Testing

How we verify code changes and the running application over time, not just through one-time reviews.

Our security assurance program layers code scanning with runtime scanning so issues can be caught both before merge and on the deployed staging environment.

Semgrep

Every pull request

Static analysis that catches insecure code patterns before they reach the main branch.

Looks for issues such as auth mistakes, injection risks, unsafe file handling, and framework misuse across backend and frontend code.

Bandit

Backend pull requests / nightly

Adds Python-specific backend checks that complement general code scanning.

Focuses on server-side risks such as subprocess misuse, weak crypto choices, unsafe loaders, insecure temp-file handling, and debug leftovers.

ZAP Baseline

Nightly against staging

Passively tests the running application to catch deployment or runtime issues that code review can miss.

Inspects headers, cookies, redirects, caching behavior, and exposed routes on the deployed staging site.

ZAP Full

Weekly against staging

Provides deeper authenticated attack-surface testing against broker workflows.

Exercises logged-in flows and internal endpoints for issues such as XSS, CSRF weaknesses, parameter tampering, and access-control regressions.

Runtime scans are directed at staging so active testing does not interfere with the production environment.

Infrastructure & Data Residency

Where data is stored and who operates the underlying infrastructure.

Sub-processors

Provider	Purpose	Region
Amazon Web Services	Document & database hosting	US (us-east-1)
Anthropic	AI document extraction	US
Google Cloud	AI extraction	US
OpenAI	AI extraction	US
Railway	Database hosting	US

Data Retention

How long we retain different categories of data.

Data category	Retention period
Client records	Relationship + 7 years
Quote documents	Relationship + 7 years
AI-extracted data & provenance	Same as source document
Comparison records	Relationship + 7 years
Audit logs	7 years
User account data	Account duration + 1 year

Deletion is available on request (hard delete removes all data from storage and database). Soft delete preserves records for audit purposes.

Access Controls

Who can access data and how access is managed.

Two roles: Broker (full access) and CSR (operational access). Enforced at the API layer on every request.
All document storage is private — S3 objects are never publicly accessible.
Sessions expire after 30 minutes of inactivity.
MFA is available (TOTP) but is not currently mandatory. We recommend enabling it for all user accounts.

Compliance Posture

Current status against common compliance frameworks.

SOC 2In Progress

Technical controls in place. Audit logging, encryption, and access controls implemented. Formal Type II audit not yet completed.

CCPAPartial

Data retention policy published. Deletion available on request. Self-serve data export is on the roadmap.

State Insurance RegsAligned

7-year retention for comparison and quote records. Soft delete preserves audit trail. Full edit history on all extracted data.

Security questions or documentation requests

For full control mapping documentation, data processing agreements, deletion requests, or security enquiries, contact us directly.