Data Security
COIflow operates a defense-in-depth security program designed to protect the confidentiality, integrity, and availability of Customer Content and the platform that processes it. This page summarizes the controls in place and the shared-responsibility model that governs use of the Service. It is provided for informational purposes; the binding commitments between you and COIflow are set out in the Terms of Service, applicable order forms, and any executed Data Processing Addendum.
1. Hosting and Network
- Hosted on tier-1 cloud infrastructure (SOC 2 Type II, ISO 27001, PCI-DSS attested data centers) located in the United States.
- Production environments are isolated from development and test; environments do not share credentials, secrets, or databases.
- Network segmentation, private VPCs, security groups, and least-privilege egress rules; only TLS endpoints exposed to the public internet.
- DDoS protection and Web Application Firewall in front of public endpoints.
2. Encryption
- In transit: TLS 1.2 or higher for all client and service-to-service connections; HSTS enforced on public domains.
- At rest: AES-256 encryption for databases, object storage, and backups, with keys managed by the cloud provider’s key-management service.
- Customer documents are stored in object storage with per-object access controls and signed, time-limited URLs.
3. Identity and Access
- Password hashing with industry-standard adaptive algorithms; minimum length, complexity, and breached-password screening.
- Optional and, for admin tiers, required multi-factor authentication; SSO available for eligible plans.
- Row-level security enforces tenant isolation at the database layer. Application authorization is checked on every request.
- Internal access to production is restricted to a small number of engineers, granted on a least-privilege, just-in-time basis, logged, and reviewed quarterly. All internal access requires MFA and originates from managed devices.
4. Application Security
- Secure-by-default framework with parameterized queries, output encoding, CSRF protection, and content-security headers.
- Dependency scanning, static analysis, and secret scanning on every change; container and infrastructure-as-code scans on every build.
- Mandatory code review and CI gates before production deploy; production changes are auditable and reversible.
- Third-party penetration tests conducted at least annually; high-risk findings remediated promptly.
- Public bug-bounty / responsible-disclosure channel at security@coiflow.com.
5. Logging, Monitoring, and Audit
- Centralized logging of authentication, authorization, administrative, and data-access events.
- Per-tenant audit trail surfaced in-product for COI ingestion, parse, verification, chase, portal view, and document download events.
- 24×7 alerting on anomalous activity, error rates, infrastructure health, and security signals.
6. Backups, Resilience, and Disaster Recovery
- Automated daily encrypted backups of databases and object storage, with point-in-time recovery.
- Multi-AZ high availability for production data stores; recovery procedures are documented and tested.
- Targets: RPO ≤ 24 hours, RTO ≤ 24 hours for catastrophic regional events. Routine incidents are typically resolved well within these targets.
7. Sub-processors and Vendor Risk
COIflow performs security and privacy diligence on sub-processors before onboarding and re-reviews them on a risk-based cadence. Each sub-processor is bound by written confidentiality and data-protection terms appropriate to the data they process. A current list of sub-processors is available on request.
8. Incident Response and Breach Notification
COIflow maintains a written incident-response plan covering detection, triage, containment, eradication, recovery, and post-incident review. In the event of a confirmed Security Incident affecting Customer Content, COIflow will notify affected Customers without undue delay and provide information reasonably necessary to meet the Customer’s own legal and contractual notification obligations. “Security Incident” does not include unsuccessful attempts (e.g., pings, port scans, denial-of-service attempts, or failed log-on attempts).
9. Data Retention and Deletion
- Customer Content is retained for the subscription term plus a commercially reasonable export window.
- Audit logs and documents may be retained for up to seven (7) years to support insurance-related dispute resolution and E&O defense.
- On verified deletion request, Customer Content is purged from active systems and aged out of backups on the next backup-rotation cycle.
10. Compliance Posture
COIflow’s control framework is aligned to SOC 2 (Security, Availability, Confidentiality), ISO/IEC 27001, and applicable U.S. state privacy laws (including the CCPA/CPRA). COIflow is not designed for, and the Service must not be used for, processing protected health information subject to HIPAA, cardholder data subject to PCI-DSS beyond Stripe-managed tokens, classified information, or other data requiring controls not described here, except under a separate executed addendum.
11. Shared Responsibility
You, and not COIflow, are responsible for:
- provisioning and de-provisioning users, configuring roles, MFA, and SSO;
- safeguarding credentials, API keys, magic-link tokens, and intake addresses;
- configuring requirement profiles, chase rules, portal scopes, and white-label settings;
- reviewing automated outputs (parses, verifications, AI suggestions) before relying on them for a coverage, contractual, or compliance decision;
- your own backup, retention, legal-hold, and records-management obligations beyond what the Service provides;
- compliance with insurance, employment, anti-spam (e.g., CAN-SPAM, TCPA), and other laws governing your communications with insureds, vendors, and counterparties.
12. Responsible Disclosure
Report suspected vulnerabilities to hello@coiflow.app. Please give us a reasonable opportunity to investigate and remediate before public disclosure. Do not access data that is not yours, degrade the Service, or attempt social engineering of our personnel or vendors. We will not pursue good-faith research that follows these guidelines.
Disclaimer
Information on this page is provided for transparency and may change as the Service evolves. It is not a warranty or guarantee. No system can be made absolutely secure. The binding terms applicable to the Service are stated in the Terms of Service and Privacy Policy.