Security Commitments

As an organization dedicated to protecting and securing our customers’ applications, ClaimsBridge is equally committed to our customers’ data security and privacy. This statement is meant to provide ClaimsBridge customers and prospects with the latest information about our systems, compliance certifications, processes, and other security-related activities.

ClaimsBridge has defined and published a set of information security policies which is:

• Based on ISO 27001, ISO 27002, NIST SP 800-53, and NIST CSF
• Approved by management.
• Communicated to all employees and relevant external parties.
• Reviewed annually by stakeholders.

ClaimsBridge regularly performs a variety of security assessments on both the application level as well as the environments that host our applications. These include:

• In-depth internal security assessments—for major new features, we include a combination of penetration tests, code reviews, and architectural risk assessments.
• Threat modeling—for major new releases, ClaimsBridge creates and/or updates threat models that provide a baseline for other security testing activities.

• Our SaaS offerings utilizes industry leading cloud services provider Microsoft Azure, which is known for their security and protections.
• In addition to the security provided by Microsoft Azure, ClaimsBridge uses real-time monitoring tools for cloud configuration and container integrity, a web application firewall, and other security controls.

Please see our Privacy Policy and Terms of Service page Here containing our Privacy Policy Statement and our Terms of Service.

• ClaimsBridge has established policy, process, and procedure to ensure a quick, effective, and orderly response to information security incidents.
• The Information Security Policy and Security Incident Response Plan are reviewed, tested, and updated (as appropriate) at a minimum, annually.
• ClaimsBridge will notify customers consistent with our Privacy Policy, Security Incident Response Plan and Data Breach Notification Policy.

• ClaimsBridge has deployed IDS/IPS, WAFs, Firewalls, and related technologies to protect against external threats.
• Network environments are physically and logically segregated; customer data are logically segregated.
• Security alerts are monitored 24×7 by a dedicated security team with a 5-min SLA for initial triage of critical alerts.
• Vulnerability scans are performed frequently, and the results analyzed by our Info Sec Team.

• All customer data are encrypted in transit and at rest. Beyond mass storage encryption sensitive data is also secured using application layer encryption.
• All traffic is encrypted in transit by default via HTTPS/TLS (Transport Layer Security) 1.2 or better. SFTP or FTP with PGP encryption is used for the secure transfer of files into and out of ClaimsBridge.
• All persistent data is encrypted at rest using AES 256-bit encryption or better.

• High availability is achieved using the native cloud orchestration capabilities of Microsoft Azure
• Customer data is backed up daily.
• If individual VM containers fail within an Azure availability zone, they will recover automatically due to the cloud-native architecture. If there is an outage for a complete availability zone or region, there is a process that will create a new instance in a different availability zone or region. This process is manual and takes 15-30 minutes, excluding the time to load the customer database with a copy of the backup.
• In general, across all types of disaster situations, including failures beyond core infrastructure, ClaimBridge’s recover time objective (RTO) is one (1) business day and the recovery point objective (RPO) is < 1 hour.

• Only the customer has access to their own data. If ClaimsBridge employees need access to customer data for troubleshooting or support purposes, customer permission is required to grant access.
• Multi-factor authentication (MFA) capability is provided to customers for accessing ClaimsBridge applications.

User, system administrator and system activities are logged and:

• Routed to a centralized location for monitoring, analysis, and alerting.
• Protected from tampering.
• Retained for at least one year.

• Changes to the organization, business processes, cloud infrastructure, and systems affecting information security are performed per a defined change management policy, process, and procedure.
• All changes are logged via a ticketing system, and approvals are required and tracked.
• The technical review includes a risk assessment and all other technical aspects of the change.

SOC 2 Type 2

SOC 2 is a report based on the Auditing Standards Board of the American Institute of Certified Public Accountants’ (AICPA) existing Trust Services Criteria (TSC). The purpose of this report is to evaluate an organization’s information systems relevant to security, availability, processing integrity, confidentiality, and privacy.

SOC 2 Type 2 reports are issued annually around March (period ending 28-February) and can be requested by contacting security@claimsbridge.com

Please contact security@claimsbridge.com for further inquiries regarding security at ClaimsBridge.