We’re serious about security at Bold Penguin, and have a dedicated team of security experts who build security into everything we do. We apply principles such as least privilege and defense in depth across our business operations and our platform.
Our security program incorporates elements of the NIST Special Publication 800 series and takes guidance from New York State’s cybersecurity regulation, 23 NYCRR Part 500.
We run on Amazon Web Services (AWS), whose highly available, secure infrastructure meets the requirements of customers such as the U.S. Department of Defense and Nasdaq. AWS is audited against the SOC 2 security, availability, and confidentiality criteria; the AWS SOC 3 report, which is publicly available, describes those controls in more detail.
When you use Bold Penguin, you get the benefit of our security without having to install or configure anything on your end. That’s part of the value of a Software as a Service (SaaS) solution. Our proven SaaS platform is trusted by our customers of all sizes, including many Fortune 100 companies.
The Bold Penguin SaaS platform is built for you to use securely. The platform is multi-tenant, with tenant isolation enforced so that the information in your account can be viewed only by you and the users you have authorized within your account.
If you’re an enterprise customer and want to use your existing usernames and passwords, we offer SAML-based single sign-on (SSO). This lets you provision and deprovision access through your existing processes, and because authentication happens at your identity provider, your internal password and MFA policies apply to your Bold Penguin accounts as well. Customers who choose not to use SSO still get role-based access control within the platform.
Out of respect for your privacy and to keep you safe, we collect the least information necessary for businesses to buy an insurance policy, which typically doesn’t include personal information. We don’t collect health information, social security numbers, or other types of information that would be higher risk to you if stolen.
When agents buy policies on Bold Penguin, card data never touches our systems. Our business is insurance technology, not payment processing. We’ve partnered with Stripe, a PCI DSS Level 1 service provider; Level 1 is the most stringent level of PCI compliance in the payments industry. Card details are collected and processed on Stripe’s servers on our behalf, not on ours.
We practice least privilege: if someone doesn’t need access to something to do their job, they don’t have it. When employees leave, we remove their access promptly so dormant accounts don’t become a target. Administrative access to our infrastructure goes through federated authentication and requires multi-factor authentication. Our infrastructure is split into separate AWS accounts by purpose, such as testing and production, so a compromise in one does not carry over to another.
You can’t protect what you don’t know you have. At Bold Penguin, we maintain an inventory of our assets and watch them closely. We log everything, everywhere, and have intrusion detection monitoring 24x7, consistent with our defense-in-depth approach. When a potentially malicious event occurs, we are alerted and verify whether the action was authorized.
All changes and operations in our cloud environment are logged and monitored. Our logs show exactly who changed what as well as the exact timestamp of the change, which creates an audit trail for both forensics and incident response.
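The paragraphs above describe the check that turns an audit trail into an alert: every change is logged with who, what and when, and changes that look suspicious are verified against the stated policy (administrative access only through federated sessions with MFA). The following is an added example, not Bold Penguin’s code; it assumes AWS CloudTrail-style JSON records (the page names AWS but not CloudTrail) and uses a constructed sample log and a starter list of sensitive actions that are assumptions rather than anything the page specifies.

```python
"""Triage cloud audit-log records against a stated admin-access policy.

Added example; not Bold Penguin's code. Assumes AWS CloudTrail-style JSON
records and the policy that administrative changes come through federated
(SSO) sessions with MFA, never through long-lived IAM user credentials.
"""
import json
from dataclasses import dataclass, field

# Constructed sample records in CloudTrail's documented shape, one per line.
# These are NOT real log entries from any account.
SAMPLE_LOG = '''
{"eventTime":"2024-03-01T10:15:00Z","eventSource":"iam.amazonaws.com","eventName":"AttachUserPolicy","readOnly":false,"userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/AdminSSO/alice@example.com","sessionContext":{"attributes":{"mfaAuthenticated":"true"}}},"sourceIPAddress":"203.0.113.10"}
{"eventTime":"2024-03-01T10:16:30Z","eventSource":"ec2.amazonaws.com","eventName":"AuthorizeSecurityGroupIngress","readOnly":false,"userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/legacy-admin","sessionContext":{"attributes":{"mfaAuthenticated":"false"}}},"sourceIPAddress":"198.51.100.7"}
{"eventTime":"2024-03-01T10:17:05Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","readOnly":true,"userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/ci-reader"},"sourceIPAddress":"10.0.4.21"}
{"eventTime":"2024-03-01T10:18:40Z","eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging","readOnly":false,"userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/AdminSSO/bob@example.com","sessionContext":{"attributes":{"mfaAuthenticated":"true"}}},"sourceIPAddress":"203.0.113.11"}
'''

# Actions that always warrant a human confirming they were authorized,
# whoever performed them. Assumption: a reasonable starter list, not the page's.
SENSITIVE_ACTIONS = {
    "iam.amazonaws.com": {"AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy",
                          "CreateAccessKey", "CreateLoginProfile",
                          "UpdateAssumeRolePolicy"},
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail",
                                 "PutEventSelectors"},
    "ec2.amazonaws.com": {"AuthorizeSecurityGroupIngress"},
}


@dataclass
class Finding:
    time: str          # when (eventTime)
    actor: str         # who (userIdentity.arn)
    action: str        # what (eventSource:eventName)
    source_ip: str
    reasons: list = field(default_factory=list)


def parse_events(text):
    """Parse one JSON record per non-empty line (a CloudTrail file's
    "Records" array flattened to newline-delimited JSON)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(event):
    """Return a Finding if the event needs verification, else None."""
    if event.get("readOnly", False):
        return None  # reads stay in the audit trail but are not alerted on
    ident = event.get("userIdentity", {})
    principal_type = ident.get("type")
    reasons = []
    # Policy: admin changes arrive via federation (an assumed role from SSO),
    # never via long-lived IAM user credentials or the account root user.
    if principal_type in {"IAMUser", "Root"}:
        reasons.append(f"non-federated principal type {principal_type}")
        # For a non-federated console session CloudTrail records whether the
        # session was MFA-authenticated. (For SAML sessions MFA happens at the
        # identity provider and is not visible here, so the flag is skipped.)
        mfa = ident.get("sessionContext", {}).get("attributes", {}).get("mfaAuthenticated")
        if mfa == "false":
            reasons.append("session not MFA-authenticated")
    source = event.get("eventSource", "")
    if event.get("eventName") in SENSITIVE_ACTIONS.get(source, set()):
        reasons.append("sensitive action; confirm it was authorized")
    if not reasons:
        return None
    return Finding(event.get("eventTime", "?"), ident.get("arn", "<unknown>"),
                   f"{source}:{event.get('eventName')}",
                   event.get("sourceIPAddress", "?"), reasons)


def findings_for(text):
    """Run triage over a newline-delimited JSON log and keep the hits."""
    return [f for f in (triage(e) for e in parse_events(text)) if f]


if __name__ == "__main__":
    for f in findings_for(SAMPLE_LOG):
        print(f"{f.time} {f.actor} {f.action} from {f.source_ip}: "
              + "; ".join(f.reasons))
```

On the sample log this produces three findings: the policy attachment and the StopLogging call are flagged purely because they are sensitive actions performed by otherwise compliant SSO sessions, while the security-group change is flagged three times over (IAM user, no MFA, sensitive action). The read-only ListBuckets call is logged but not alerted on. Note the caveat in the code: for SAML-federated sessions CloudTrail cannot see MFA done at the identity provider, so MFA for those has to be enforced in the identity provider rather than detected in the log.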
We have a third party perform an annual penetration test to validate our hardening from an attacker’s perspective. We continuously monitor our infrastructure for vulnerabilities and remediate them promptly, prioritized by risk.
We build our technology platform to exceed a 99.9% service level by running highly available infrastructure across multiple AWS Availability Zones. The platform is designed with no single point of failure and with automatic failover. Should an entire region become unavailable, we also maintain backups in another region.
Our infrastructure is versioned and immutable: the same artifact is promoted unchanged from development through production, which lets us deploy critical security updates almost as soon as they are ready. Testing infrastructure runs in a separate network from production, and the two are fully independent, so testing never affects the production platform. Our firewall policies expose only load-balanced web services to the internet; everything else is reachable only from inside our network, which shrinks the publicly attackable surface. We also use zero-downtime deployments so the platform stays available when our customers need it.
Monitoring keeps the platform reliable and secure. When it detects that infrastructure is approaching capacity, the platform scales out automatically to meet demand.
We encrypt data both in transit and at rest. Connections to our applications are protected with TLS (the protocol behind HTTPS) using certificates and a strong cipher configuration. At rest, data on our servers and storage volumes is encrypted with the industry-standard AES-256 algorithm.
Our infrastructure runs in AWS data centers, whose physical security AWS manages. The Bold Penguin offices have staffed security guards, key-card access at the doors, and video recording. Outside business hours the office is locked and accessible only to authorized personnel.