Integration Compliance Standards
Daily Event Insurance supports three primary integration methods for partners to submit insurance leads: Microsite, API, and Webhook. Each integration method is designed with comprehensive compliance controls to ensure data security, privacy, and regulatory adherence.
Microsite Integration
Embedded or co-branded web forms for direct customer enrollment with full consent management.
API Integration
RESTful API for programmatic quote generation and policy creation from partner systems.
Webhook Integration
Event-driven notifications for real-time updates from partner booking and CRM systems.
Compliant Data Flow Architecture
Microsite Integration Compliance
Web form and embedded checkout compliance requirements
Microsite Compliance Controls
| Category | Requirement | Implementation | Status |
|---|---|---|---|
| Data Collection | Explicit consent collection before data submission | Checkbox consent with timestamp logging, links to privacy policy and terms | Implemented |
| Data Collection | Clear privacy disclosure on data collection forms | Privacy notice displayed above form submission, explaining data use | Implemented |
| Security | HTTPS-only form submission | TLS 1.3 encryption, HSTS headers, automatic HTTP redirect | Implemented |
| Security | CSRF protection on all forms | CSRF tokens generated per session, validated on submission | Implemented |
| Security | Input validation and sanitization | Server-side validation, XSS prevention, SQL injection protection | Implemented |
| Audit | Complete submission logging | All submissions logged with timestamp, IP, consent status, form data hash | Implemented |
| Compliance | Partner branding guidelines compliance | Co-branding requirements enforced, DEI disclosure visible | Implemented |
| Compliance | Geographic data collection compliance | State-specific disclosures, CCPA opt-out for California residents | Implemented |
API Integration Compliance
RESTful API security and compliance requirements
API Compliance Controls
| Category | Requirement | Implementation | Status |
|---|---|---|---|
| Authentication | Secure API authentication | OAuth 2.0 with client credentials or API key authentication | Implemented |
| Authentication | API key security | SHA-256 hashed storage, secure transmission, rotation support | Implemented |
| Authorization | Scope-based permissions | Granular API scopes: read:quotes, write:quotes, read:policies, etc. | Implemented |
| Authorization | Principle of least privilege | Partners only granted minimum required permissions | Implemented |
| Security | TLS encryption required | TLS 1.2+ required for all API calls, TLS 1.3 preferred | Implemented |
| Security | Rate limiting | 100 requests/minute default, 429 response with retry headers | Implemented |
| Security | Request validation | JSON schema validation, input sanitization, payload size limits | Implemented |
| Audit | Request logging with tracing | Unique request ID, timestamp, endpoint, response code, duration | Implemented |
| Compliance | PII handling restrictions | No PII in URL parameters, encrypted sensitive fields in request body | Implemented |
| Compliance | API versioning for stability | Version in URL path, deprecation notices, migration support | Implemented |
API Authentication Methods
OAuth 2.0 Client Credentials
Recommended for server-to-server integrations with automatic token refresh.
- Token expiration: 1 hour
- Automatic refresh support
- Scope-based permissions
API Key Authentication
Simple authentication for trusted partners with key rotation support.
- X-API-Key header required
- 90-day rotation recommended
- IP allowlisting optional
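The server-side half of the API key method above, written as an added example rather than code from Daily Event Insurance: it looks up the X-API-Key header against SHA-256 hashed key records, compares digests in constant time, enforces scope-based least privilege, and flags keys older than the 90-day rotation interval. The key registry, raw key values, partner ids and the KeyRecord layout are constructed for illustration; the header name, hashed storage, scope names and rotation interval are the ones the page states.

```python
"""Server-side verification of the X-API-Key header against SHA-256 hashed keys.

Added example, not Daily Event Insurance code. The key registry, the raw key
values, the partner ids and the KeyRecord layout are constructed here; the
X-API-Key header, SHA-256 hashed storage, the scope names and the 90-day
rotation interval come from the page.
"""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date, timedelta

ROTATION_DAYS = 90  # rotation interval recommended on the page


@dataclass(frozen=True)
class KeyRecord:
    partner_id: str
    key_hash: str            # hex SHA-256 of the raw key; the raw key is never stored
    scopes: frozenset        # granted scopes, e.g. {"read:quotes", "write:quotes"}
    issued_on: date
    revoked: bool = False


def hash_key(raw_key: str) -> str:
    """Digest used both when a key is issued and when it is looked up."""
    return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()


def find_record(registry, presented_key):
    """Return the record whose stored hash equals the hash of the presented key.

    Every record is compared with hmac.compare_digest and the loop never exits
    early, so response time does not depend on which (if any) key matched.
    """
    presented_hash = hash_key(presented_key)
    match = None
    for record in registry:
        if hmac.compare_digest(record.key_hash, presented_hash):
            match = record
    return match


def authenticate(registry, headers, required_scope, today=None):
    """Authenticate one request.

    Returns (partner_id, warnings) on success; raises PermissionError when the
    key is missing, unknown, revoked or lacks the scope the endpoint needs.
    """
    today = today or date.today()
    presented = headers.get("X-API-Key")
    if not presented:
        raise PermissionError("missing X-API-Key header")
    record = find_record(registry, presented)
    if record is None or record.revoked:
        # Same error for unknown and revoked keys: no hint about which keys exist.
        raise PermissionError("invalid API key")
    if required_scope not in record.scopes:
        # Least privilege: a missing scope refuses the call rather than widening access.
        raise PermissionError(f"scope {required_scope} not granted")
    warnings = []
    age_days = (today - record.issued_on).days
    if age_days > ROTATION_DAYS:
        warnings.append(f"key issued {age_days} days ago; rotation overdue")
    return record.partner_id, warnings


# Constructed registry: two partners, one key well past the rotation interval.
TODAY = date(2024, 6, 1)
RAW_KEYS = {"venue-co": "example-key-venue-co", "booking-hub": "example-key-booking-hub"}
REGISTRY = [
    KeyRecord("venue-co", hash_key(RAW_KEYS["venue-co"]),
              frozenset({"read:quotes", "write:quotes"}), TODAY - timedelta(days=30)),
    KeyRecord("booking-hub", hash_key(RAW_KEYS["booking-hub"]),
              frozenset({"read:quotes"}), TODAY - timedelta(days=120)),
]


def demo():
    """Exercise the happy path, the rotation warning and three refusals."""
    results = {}
    results["fresh"] = authenticate(REGISTRY, {"X-API-Key": RAW_KEYS["venue-co"]}, "write:quotes", TODAY)
    results["stale"] = authenticate(REGISTRY, {"X-API-Key": RAW_KEYS["booking-hub"]}, "read:quotes", TODAY)
    for label, headers, scope in [
        ("missing", {}, "read:quotes"),
        ("unknown", {"X-API-Key": "not-a-real-key"}, "read:quotes"),
        ("scope", {"X-API-Key": RAW_KEYS["booking-hub"]}, "write:quotes"),
    ]:
        try:
            authenticate(REGISTRY, headers, scope, TODAY)
            results[label] = "allowed"
        except PermissionError as exc:
            results[label] = str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The rotation check only warns here; whether an overdue key is refused outright is a policy decision the page leaves at "recommended", so the example surfaces the age for the partner's security contact rather than failing the call.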
Webhook Integration Compliance
Event-driven integration security requirements
Webhook Compliance Controls
| Category | Requirement | Implementation | Status |
|---|---|---|---|
| Security | Webhook signature verification | HMAC-SHA256 signature in X-DEI-Signature header, timestamp validation | Implemented |
| Security | Replay attack prevention | Timestamp validation (5-minute window), event ID deduplication | Implemented |
| Security | Payload encryption | Optional encrypted payloads for sensitive data, no PII in URL | Implemented |
| Reliability | Idempotent event processing | Unique event IDs, deduplication in database, safe retry handling | Implemented |
| Reliability | Retry with exponential backoff | Automatic retry (3 attempts), exponential backoff (1s, 5s, 25s) | Implemented |
| Reliability | Dead letter queue | Failed events queued for manual review, alerting on failures | Implemented |
| Audit | Event logging | All events logged with status, processing time, retry count | Implemented |
| Compliance | Event type documentation | Comprehensive event catalog with schemas and examples | Implemented |
| Compliance | Partner endpoint requirements | HTTPS required, response time SLA, status code requirements | Implemented |
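The reliability rows of the table above (three retries with 1s, 5s, 25s backoff, a dead letter queue, and event logging with status, processing time and retry count) on the sending side, as an added example that is not Daily Event Insurance's delivery code. The send() callback, the rule that only connection errors, 429 and 5xx responses are retried while other 4xx responses go straight to the dead letter queue, the reading of "3 attempts" as three retries after the first delivery, and the sample events are assumptions of this example.

```python
"""Webhook delivery with the retry schedule, backoff and dead letter queue the page lists.

Added example, not Daily Event Insurance code. The page gives 3 retry attempts with
1s, 5s, 25s backoff and a dead letter queue for failed events; the send() callback,
the rule that only connection errors, 429 and 5xx are retried, the reading of
"3 attempts" as three retries after the first try, and the sample events are
assumptions of this example.
"""
import time

BACKOFF_SECONDS = (1, 5, 25)  # page: exponential backoff after each failed attempt


def retryable(status):
    """Transient outcomes are retried; any other 4xx means the endpoint refused the event."""
    return status is None or status == 429 or 500 <= status < 600


def deliver(event, send, sleep=time.sleep, dead_letter=None, log=None):
    """Deliver one event; returns an audit record and appends it to `log`.

    send(event) returns the partner endpoint's HTTP status or raises
    ConnectionError. sleep is injectable so tests need not wait.
    """
    dead_letter = [] if dead_letter is None else dead_letter
    log = [] if log is None else log
    started = time.monotonic()
    attempts = 0
    status = None
    for delay in (0,) + BACKOFF_SECONDS:  # first attempt, then up to three retries
        if delay:
            sleep(delay)
        attempts += 1
        try:
            status = send(event)
        except ConnectionError:
            status = None  # treated like a 5xx: worth retrying
        if status is not None and 200 <= status < 300:
            break
        if not retryable(status):
            break
    delivered = status is not None and 200 <= status < 300
    record = {
        "event_id": event["event_id"],
        "status": "delivered" if delivered else "dead_lettered",
        "last_http_status": status,
        "attempts": attempts,
        "retry_count": attempts - 1,
        "processing_ms": round((time.monotonic() - started) * 1000),
    }
    log.append(record)
    if not delivered:
        dead_letter.append(record)  # queued for manual review; alert when this queue grows
    return record


def scripted_sender(responses):
    """Return a send() that replays the given statuses/exceptions, one per call (test double)."""
    queue = list(responses)

    def send(event):
        outcome = queue.pop(0)
        if isinstance(outcome, Exception):
            raise outcome
        return outcome

    return send


def demo():
    """Three constructed deliveries: recovers on the third try, exhausts retries, refused by a 400."""
    sleeps, dlq, log = [], [], []
    recovered = deliver({"event_id": "evt_a"}, scripted_sender([ConnectionError(), 503, 200]),
                        sleeps.append, dlq, log)
    exhausted = deliver({"event_id": "evt_b"}, scripted_sender([503, 503, 503, 503]),
                        sleeps.append, dlq, log)
    refused = deliver({"event_id": "evt_c"}, scripted_sender([400]), sleeps.append, dlq, log)
    return {"recovered": recovered, "exhausted": exhausted, "refused": refused,
            "sleeps": sleeps, "dead_letter_ids": [r["event_id"] for r in dlq]}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Giving up immediately on a non-429 4xx matters for the "status code requirements" row: an endpoint that answers 400 or 404 has rejected the event, and repeating it three more times only delays the alert from the dead letter queue.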
Webhook Signature Verification
All incoming webhooks must include a valid HMAC-SHA256 signature for verification. Webhooks without valid signatures are rejected and logged as security events.
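The receiver-side check described above, with the replay controls from the table (5-minute timestamp window, event ID deduplication) and the rejected-delivery logging this paragraph requires, as an added example that is not Daily Event Insurance code. The page specifies the HMAC-SHA256 signature in the X-DEI-Signature header; the X-DEI-Timestamp header, the "<timestamp>.<raw body>" signed string, the event_id field name, the shared secret and the sample event are assumptions made for this example.

```python
"""Receiver-side verification of a signed Daily Event Insurance webhook.

Added example, not Daily Event Insurance code. The page specifies an
HMAC-SHA256 signature in the X-DEI-Signature header, a 5-minute timestamp
window and event ID deduplication; the X-DEI-Timestamp header, the
"<timestamp>.<raw body>" signed string, the event_id field name, the shared
secret and the sample event are assumptions made for this example.
"""
import hashlib
import hmac
import json

TOLERANCE_SECONDS = 300  # page: 5-minute window


def compute_signature(secret: bytes, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over "<timestamp>.<raw body>" (assumed message format)."""
    message = str(timestamp).encode("ascii") + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


class WebhookReceiver:
    def __init__(self, secret: bytes, clock):
        self.secret = secret
        self.clock = clock             # callable returning the current Unix time
        self.seen_event_ids = set()    # in-memory stand-in for database deduplication
        self.security_events = []      # rejected deliveries, logged as the page requires

    def _reject(self, reason):
        self.security_events.append(reason)
        return ("rejected", reason)

    def handle(self, headers: dict, body: bytes):
        """Return ("accepted", event), ("duplicate", event_id) or ("rejected", reason).

        Timestamp and signature are checked on the raw bytes before the body is
        parsed, so nothing unauthenticated reaches the JSON parser.
        """
        signature = headers.get("X-DEI-Signature")
        timestamp = headers.get("X-DEI-Timestamp")
        if signature is None or timestamp is None:
            return self._reject("missing signature or timestamp header")
        try:
            sent_at = int(timestamp)
        except ValueError:
            return self._reject("malformed timestamp")
        if abs(self.clock() - sent_at) > TOLERANCE_SECONDS:
            return self._reject("timestamp outside 5-minute window")
        expected = compute_signature(self.secret, sent_at, body)
        if not hmac.compare_digest(expected.encode("ascii"), signature.encode("utf-8")):
            return self._reject("signature mismatch")
        event = json.loads(body)
        event_id = event.get("event_id")
        if not event_id:
            return self._reject("event without event_id")
        if event_id in self.seen_event_ids:
            # Already processed: acknowledge without acting on it a second time.
            return ("duplicate", event_id)
        self.seen_event_ids.add(event_id)
        return ("accepted", event)


# Constructed sample: a shared secret, a fixed clock and one booking event.
SECRET = b"example-shared-secret"
NOW = 1_700_000_000
SAMPLE_EVENT = {"event_id": "evt_0001", "type": "booking.created", "booking_ref": "BK-42"}


def signed_delivery(secret, timestamp, event):
    """Build the headers and raw body the sender would transmit."""
    body = json.dumps(event, separators=(",", ":")).encode("utf-8")
    headers = {"X-DEI-Timestamp": str(timestamp),
               "X-DEI-Signature": compute_signature(secret, timestamp, body)}
    return headers, body


def demo():
    """A valid delivery, its replay, a tampered body, a stale timestamp and an unsigned post."""
    receiver = WebhookReceiver(SECRET, clock=lambda: NOW)
    headers, body = signed_delivery(SECRET, NOW - 10, SAMPLE_EVENT)
    outcomes = {}
    outcomes["first"] = receiver.handle(headers, body)[0]
    outcomes["replay"] = receiver.handle(headers, body)[0]
    outcomes["tampered"] = receiver.handle(headers, body.replace(b"BK-42", b"BK-43"))[0]
    stale_headers, stale_body = signed_delivery(SECRET, NOW - 600, SAMPLE_EVENT)
    outcomes["stale"] = receiver.handle(stale_headers, stale_body)[0]
    outcomes["unsigned"] = receiver.handle({}, body)[0]
    outcomes["security_events"] = len(receiver.security_events)
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Two details carry the weight: the comparison uses hmac.compare_digest so a forged signature cannot be refined byte by byte from response timing, and the timestamp is part of the signed string, so an attacker holding a captured delivery cannot simply move it inside the window by editing the header. A database-backed deduplication store replaces the in-memory set in production, since the page requires dedup to survive restarts and retries.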
Partner Integration Requirements
All integration partners must meet the following requirements before receiving production API credentials or webhook endpoints.
Pre-Integration
- Complete partner agreement including data processing terms
- Provide business verification documentation
- Designate technical contact for security notifications
- Review and acknowledge integration compliance requirements
Ongoing Requirements
- Maintain secure credential storage (no hardcoding)
- Rotate API keys every 90 days (recommended)
- Report security incidents within 24 hours
- Maintain HTTPS endpoints for webhooks
Integration Compliance Matrix
| Control | Microsite | API | Webhook |
|---|---|---|---|
| TLS Encryption | Yes | Yes | Yes |
| Authentication | Session/CSRF | OAuth/API Key | HMAC Signature |
| Rate Limiting | N/A | Yes | Yes |
| Input Validation | Yes | Yes | Yes |
| Audit Logging | Yes | Yes | Yes |
| Replay Prevention | CSRF Token | Nonce (optional) | Timestamp + ID |
| Consent Capture | Yes | Partner-side | Partner-side |