Insurix handles sensitive personal and financial data on behalf of insurers and their customers. Security and data integrity are engineering requirements — built into the platform from the ground up, not layered on after the fact.
Every layer of the Insurix platform — from data storage to user access — is governed by clear, auditable controls.
All personal data processed and stored within the United Kingdom. No cross-border transfers without documented legal basis.
TLS 1.3 in transit. AES-256 at rest. Encryption applied at the database, file, and field level for PII.
Registered with the ICO. Data subject rights tooling, configurable retention, and DPA available for all partners.
Role-based controls, MFA enforced for all users, and a full immutable audit trail across every system action.
Specific controls, not broad assurances. Here is what we do and how it works.
Insurix operates as a data processor on behalf of insurer clients. We are registered with the UK Information Commissioner's Office and maintain a full record of processing activities.
Our platform is designed around the six lawful bases for processing under UK GDPR. Every data flow is documented, and processing activities are mapped to explicit legal bases before any data is ingested.
Subject access requests, erasure requests, and rectification can be executed within the platform without manual data extraction. Response timelines are tracked automatically against the statutory 30-day window.
Retention periods are configurable per data category and enforced automatically. A Data Processing Agreement is provided to all insurer partners prior to go-live, covering processor obligations, sub-processor disclosures, and incident notification timelines.
Encryption is applied at every layer where data is stored or transmitted — not just at the perimeter.
All data in transit — between users and the platform, between services, and between the platform and third-party integrations — is encrypted using TLS 1.3. Older protocol versions are disabled. Certificate management is automated with short-lived certificates and automatic renewal.
Data at rest is encrypted using AES-256 at the storage layer. Sensitive fields — including personal identifiers, financial data, and device identifiers — receive an additional layer of field-level encryption within the database, separate from the storage encryption key.
API keys, credentials, and cryptographic secrets are stored in a dedicated secrets management service — never in source code, configuration files, or environment variables accessible to application code directly.
The Insurix platform is hosted on UK-resident, ISO-27001-aligned cloud infrastructure — with redundancy, availability SLAs, and disaster recovery built in.
All production data — claims data, personal data, and supporting documents — is stored and processed within the United Kingdom. No data is transferred to servers outside the UK or EEA without a documented legal basis and explicit contractual controls.
The platform is architected for 99.9% uptime, with auto-scaling compute, redundant database clusters, and multi-zone deployment ensuring that single-component failure does not result in service disruption.
Database backups are taken continuously with point-in-time recovery capability. Disaster recovery procedures are documented and tested, with a defined Recovery Time Objective (RTO) and Recovery Point Objective (RPO) agreed with each partner at onboarding.
Access to the Insurix platform and underlying infrastructure follows a least-privilege model — every user, service account, and integration is granted only the permissions it requires.
User permissions are defined by role — claims handler, supervisor, reporting user, admin — and applied at the data level, not just the interface. A claims handler cannot access another partner's data. A reporting user cannot modify claim records. Segregation is enforced at the API layer, not just the UI.
Multi-factor authentication is enforced for all platform users — there are no exemptions for admin or privileged accounts. Insurix staff access to production systems requires MFA via a hardware or authenticator-app second factor, with phishing-resistant options strongly recommended.
Every action performed on the platform — claim status changes, document access, configuration edits, login events, and API calls — is written to an immutable audit log. Logs cannot be modified or deleted by any platform user, including administrators.
We will not claim certifications we do not hold. The table below reflects our current status and our committed roadmap — with no vanity metrics.
Insurix Services Ltd is registered with the UK Information Commissioner's Office as a data controller and processor. Registration number available on request.
UK government-backed certification covering the five foundational technical controls: firewalls, secure configuration, access control, malware protection, and patch management.
The independently verified extension of Cyber Essentials, requiring hands-on technical assessment by an accredited certifying body. Assessment scheduled for Q[X] [YEAR].
Expected: Q[X] [YEAR]
International standard for information security management systems. We are building the ISMS documentation and control framework required for certification audit. Target is formal certification within 18 months of commercial launch.
Target: [YEAR]
Independent audit of security, availability, and confidentiality controls over a defined observation period. Planned following ISO 27001 certification, given the significant overlap in control requirements.
Target: [YEAR]
A comprehensive DPA — covering processor obligations, sub-processor disclosure, incident notification, and data subject rights — is available to all insurer partners prior to go-live. No lengthy negotiation required for standard terms.
Our security pack includes our full control framework, current certification status, sub-processor register, penetration test summary, and DPA — packaged for procurement and information security review teams.
Typically returned within one business day. NDA available on request.