Security Controls

Data Security & Protection

Daily Event Insurance implements comprehensive security controls to protect customer data, ensure system integrity, and maintain confidentiality. Our security program is designed to meet SOC 2 Type II requirements and insurance industry standards.

Data Security Policy Statement

Daily Event Insurance is committed to protecting the confidentiality, integrity, and availability of all information assets. We implement security controls commensurate with the sensitivity of the data we process, including personally identifiable information (PII), protected health information (PHI), and financial data.

Our security program is based on industry-recognized frameworks including SOC 2 Trust Services Criteria, NIST Cybersecurity Framework, and insurance industry best practices. We continuously monitor, test, and improve our security posture to address evolving threats.

Policy Version: 2.0 | Last Reviewed: January 2026 | Next Review: July 2026

Security Architecture Overview

Perimeter Security

WAF, DDoS protection, and edge security controls protect against external threats.

Application Security

Authentication, authorization, input validation, and secure coding practices.

Data Security

Encryption at rest and in transit, key management, and data classification.

Encryption Controls

Cryptographic protection for data in transit and at rest

ENC-001Implemented

Data in Transit Encryption

All data transmitted between clients and servers is encrypted using TLS 1.3

Implementation Details

TLS 1.3 with strong cipher suites (AES-256-GCM, CHACHA20-POLY1305)
Perfect Forward Secrecy (PFS) enabled
HSTS (HTTP Strict Transport Security) enforced
Certificate pinning for mobile applications
Automatic HTTP to HTTPS redirect

ENC-002Implemented

Data at Rest Encryption

All stored data is encrypted using AES-256 encryption

Implementation Details

AES-256 encryption for database storage
Encrypted backup storage
Key management using cloud provider HSM
Regular key rotation schedule (90 days)
Separation of encryption keys from data

ENC-003Implemented

API Payload Encryption

Sensitive API payloads are encrypted at the application layer

Implementation Details

JSON Web Encryption (JWE) for sensitive payloads
Encrypted webhook payloads
No PII in URL parameters
Request/response body encryption for high-sensitivity operations

Access Controls

Authentication, authorization, and identity management

ACC-001Implemented

Role-Based Access Control (RBAC)

Granular permission system with role-based access

Implementation Details

Five-tier role hierarchy: Admin, Moderator, Partner, User, Viewer
Granular permissions per resource type
Role inheritance for hierarchical access
Audit logging of all permission changes
Regular access reviews (quarterly)

ACC-002Implemented

Authentication Controls

Secure authentication with multiple verification factors

Implementation Details

Bcrypt password hashing with salt
JWT-based session management
Session expiration and automatic logout
Failed login attempt tracking and lockout
Password complexity requirements enforced

ACC-003In Progress

Multi-Factor Authentication (MFA)

Additional authentication factors for sensitive operations

Implementation Details

TOTP-based MFA support
MFA required for admin accounts
MFA enforcement for high-risk transactions
Backup codes for account recovery

ACC-004Implemented

API Access Controls

Secure API authentication and authorization

Implementation Details

OAuth 2.0 / API key authentication
Scope-based API permissions
Rate limiting per API key
IP allowlisting (optional)
API key rotation support

Network Security

Infrastructure and network-level security controls

NET-001Implemented

Network Segmentation

Logical separation of network resources

Implementation Details

VPC isolation for production workloads
Private subnets for database servers
Public subnets only for load balancers
Network ACLs for subnet-level filtering
Security groups for instance-level filtering

NET-002Implemented

DDoS Protection

Protection against distributed denial-of-service attacks

Implementation Details

Cloud provider DDoS protection (always-on)
Rate limiting at edge and application layers
Geographic filtering capability
Traffic analysis and anomaly detection
Automatic scaling during traffic spikes

NET-003Implemented

Web Application Firewall (WAF)

Protection against common web application attacks

Implementation Details

OWASP Top 10 rule sets
SQL injection protection
Cross-site scripting (XSS) prevention
Custom rule configuration
Real-time threat monitoring

Incident Response & Vulnerability Management

Security monitoring, incident handling, and remediation

INC-001Implemented

Security Incident Response

Documented procedures for security incident handling

Implementation Details

24/7 security monitoring
Incident severity classification (P1-P4)
Escalation procedures and contacts
Incident communication templates
Post-incident review process

INC-002Implemented

Breach Notification

Procedures for data breach notification

Implementation Details

72-hour notification timeline for regulators
Customer notification procedures
Breach assessment criteria
Documentation requirements
Remediation tracking

INC-003Implemented

Vulnerability Management

Continuous vulnerability identification and remediation

Implementation Details

Weekly automated vulnerability scans
Critical vulnerability patching within 24 hours
High vulnerability patching within 7 days
Dependency vulnerability monitoring
Security patch testing procedures

SOC 2 Trust Services Criteria Mapping

Our security controls are mapped to SOC 2 Trust Services Criteria for Security, Availability, and Confidentiality.

Category	Criteria	Controls	Status
Security	CC6.1 - Logical Access	ACC-001, ACC-002, ACC-004	Implemented
Security	CC6.6 - Encryption	ENC-001, ENC-002, ENC-003	Implemented
Security	CC6.7 - Transmission Protection	ENC-001, NET-001	Implemented
Security	CC7.2 - System Monitoring	INC-001, INC-003	Implemented
Availability	A1.2 - Environmental Protections	NET-002 (Cloud provider)	Implemented
Confidentiality	C1.2 - Data Disposal	See Data Retention Policy	Implemented

Security Testing & Monitoring

Testing Schedule

Vulnerability Scanning
Weekly automated scans
Penetration Testing
Annual third-party assessment
Code Security Review
Continuous with each deployment
Access Reviews
Quarterly access recertification

Continuous Monitoring

Security Information & Event Management
24/7 log monitoring and alerting
Intrusion Detection
Network and host-based IDS
File Integrity Monitoring
Critical file change detection
Uptime Monitoring
99.9% availability target

Testing Schedule

Vulnerability Scanning
Weekly automated scans
Penetration Testing
Annual third-party assessment
Code Security Review
Continuous with each deployment
Access Reviews
Quarterly access recertification

Continuous Monitoring

Security Information & Event Management
24/7 log monitoring and alerting
Intrusion Detection
Network and host-based IDS
File Integrity Monitoring
Critical file change detection
Uptime Monitoring
99.9% availability target

Data Security & Protection

Data Security Policy Statement

Security Architecture Overview

Perimeter Security

Application Security

Data Security

Encryption Controls

Data in Transit Encryption

Data at Rest Encryption

API Payload Encryption

Access Controls

Role-Based Access Control (RBAC)

Authentication Controls

Multi-Factor Authentication (MFA)

API Access Controls

Network Security

Network Segmentation

DDoS Protection

Web Application Firewall (WAF)

Incident Response & Vulnerability Management

Security Incident Response

Breach Notification

Vulnerability Management

SOC 2 Trust Services Criteria Mapping

Security Testing & Monitoring

Testing Schedule

Continuous Monitoring

Related Documentation

Data Security & Protection

Data Security Policy Statement

Security Architecture Overview

Perimeter Security

Application Security

Data Security

Encryption Controls

Data in Transit Encryption

Data at Rest Encryption

API Payload Encryption

Access Controls

Role-Based Access Control (RBAC)

Authentication Controls

Multi-Factor Authentication (MFA)

API Access Controls

Network Security

Network Segmentation

DDoS Protection

Web Application Firewall (WAF)

Incident Response & Vulnerability Management

Security Incident Response

Breach Notification

Vulnerability Management

SOC 2 Trust Services Criteria Mapping

Security Testing & Monitoring

Testing Schedule

Continuous Monitoring

Related Documentation