Security Program Overview
Executive Summary
SALT Insure maintains a comprehensive Information Security Program overseen by a Security Officer with direct executive and board-level reporting. Our security program is built on industry-recognized frameworks including CIS Controls v8 and SOC 2 Trust Services Criteria, with a risk-based approach that prioritizes the protection of customer data, system availability, and regulatory compliance.
Our security philosophy balances robust protection with operational efficiency. We implement defense-in-depth strategies across data protection, access control, infrastructure security, and incident response. All security policies are reviewed annually, controls are tested regularly, and our program evolves continuously to address emerging threats and business requirements.
SALT’s security program supports our customers’ compliance needs including SOC 2 readiness, state privacy laws (CCPA), and industry-specific requirements for insurance and financial services.
Security Program at a Glance
| Category | Status |
|---|---|
| Governance | Security Officer, annual policy reviews, quarterly access reviews |
| Compliance Frameworks | CIS Controls v8 (Implementation Group 1), SOC 2 Type II (in progress, 2026) |
| Encryption | TLS 1.3 in transit, AES-256 at rest, attribute-level encryption for sensitive data |
| Authentication | Multi-factor authentication required, enterprise password manager (1Password) |
| Infrastructure | SOC 2 compliant cloud providers (US-based data centers) |
| Access Control | Role-based access control (RBAC), least privilege, quarterly reviews |
| Vulnerability Management | Continuous monitoring, 7-day SLA for critical vulnerabilities |
| Incident Response | Dedicated Cybersecurity Response Team, 24/7 capability, annual testing |
| Business Continuity | Disaster Recovery Plan with defined RTO/RPO, automated backups, annual testing |
| Employee Security | Background checks, security awareness training, formal offboarding process |
| Insurance | Cyber liability insurance maintained |
Core Security Controls
Data Protection
Encryption: All customer data is encrypted both in transit and at rest using industry-standard methods. Data in transit uses TLS 1.3 (minimum TLS 1.2). Data at rest is encrypted using AES-256. Sensitive data fields receive additional application-level encryption for defense-in-depth.
Data Classification: SALT maintains a formal data classification policy with four levels: Public, Internal, Confidential, and Restricted. Customer data is classified as Confidential and protected with appropriate controls including encryption, access restrictions, comprehensive logging, and continuous monitoring.
Data Storage & Backup: Customer data is stored in secure, SOC 2 compliant data centers operated by reputable cloud infrastructure providers within the United States. All facilities provide physical security, redundancy, and disaster recovery capabilities. Automated backups run continuously with point-in-time recovery capabilities. Backups are encrypted and stored in geographically diverse locations.
Access Control & Authentication
Authentication Requirements: Multi-factor authentication (MFA) is required for all systems that support it, including administrative access, VPN connections, and access to systems containing customer data. All employees use the 1Password enterprise password manager, with minimum 20-character passwords, complexity requirements, and a prohibition on password reuse.
Access Management: Access to customer data is controlled through role-based access control (RBAC) based on the principle of least privilege. Access is granted only to authorized personnel who require it to perform their job duties. All access requests are documented, approved by management, and reviewed quarterly. Access is immediately revoked upon termination or role change.
Access Review Process: User access rights are reviewed quarterly to ensure they remain appropriate for each user’s role and responsibilities. Reviews are documented and any inappropriate access is immediately remediated. Access is also reviewed upon role changes and immediately revoked during offboarding.
Infrastructure & Network Security
Layered Defense Architecture: SALT’s infrastructure is secured through multiple layers of defense including firewalls, intrusion detection/prevention systems, encryption, network segmentation, and continuous monitoring. Our infrastructure is hosted in SOC 2 compliant data centers with built-in security controls managed by reputable cloud providers.
Monitoring & Logging: Comprehensive monitoring and logging are deployed across all critical systems and applications. Monitoring covers security events, system performance, availability, and anomaly detection. Alerts are configured for critical security and operational events. Logs are centrally collected, retained according to compliance requirements, and regularly reviewed.
Vulnerability Management: SALT maintains a comprehensive vulnerability management program with continuous monitoring, regular scanning, risk-based prioritization, and timely remediation. Critical vulnerabilities are addressed within 7 days, high-severity within 30 days, and medium-severity within 90 days. All systems receive regular security updates and patches.
Secure Development: All code changes follow secure development practices including mandatory peer review, automated and manual testing, dependency scanning, and security-focused change management. No code is deployed to production without approval. We monitor third-party dependencies for vulnerabilities and apply updates promptly.
Incident Response & Business Continuity
Incident Response Plan: SALT maintains a comprehensive Incident Response Plan defining roles, responsibilities, detection, containment, eradication, recovery, and communication procedures. A Cybersecurity Response Team (CRT) is established and trained to respond to security incidents. The plan is tested annually through tabletop exercises and updated as needed.
Detection & Response Capabilities: Continuous monitoring and alerting capabilities enable rapid detection of security incidents. The Incident Commander and Cybersecurity Response Team can be activated immediately upon incident detection. SALT maintains 24/7 incident response capabilities for critical systems.
Disaster Recovery: Our Disaster Recovery Plan includes defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) with procedures for recovering from infrastructure failures, data loss, and service disruptions. The plan is reviewed and tested at least annually through tabletop exercises.
Employee Security & Training
Background Checks: Background checks are conducted on all employees and contractors who have access to customer data or systems, in accordance with applicable laws and regulations. Checks include criminal history and employment verification.
Security Awareness Training: All employees receive security awareness training during onboarding and on an ongoing basis. Training covers phishing awareness, password security, data handling, acceptable use policies, and incident reporting procedures.
Remote Work Security: SALT has a comprehensive Remote Work Policy defining security requirements including secure VPN connections, device encryption, password protection, automatic locking, anti-malware protection, and regular security updates. All remote workers must comply with the policy as a condition of employment.
Offboarding Process: A formal offboarding process ensures immediate revocation of all access rights upon termination, including systems, applications, and credentials. Company assets are returned and securely wiped. Offboarding is tracked through a checklist to ensure completeness.
Compliance & Certifications
Current Status
SOC 2 Type II: SALT is actively pursuing SOC 2 Type II certification with expected completion in 2026. Our security program has been developed in alignment with SOC 2 Trust Services Criteria, and we maintain controls and documentation consistent with SOC 2 requirements.
CIS Controls v8: Our security controls are aligned with the Center for Internet Security (CIS) Controls v8 Implementation Group 1 (IG1), which represents fundamental cybersecurity best practices for organizations of all sizes.
Privacy Compliance: SALT maintains practices consistent with applicable privacy regulations including CCPA and state data breach notification laws. Our Privacy Policy describes how we collect, use, and protect personal data. We support individual rights including data access, deletion, and portability, and maintain data processing agreements (DPAs) with customers as appropriate.
Regular Assessments
- Policy Reviews: All security policies reviewed annually (minimum)
- Access Reviews: Quarterly reviews of all user access rights
- Incident Response Testing: Annual tabletop exercises
- Disaster Recovery Testing: Annual testing and review
- Vulnerability Assessments: Continuous scanning and monitoring
- Penetration Testing: Annual third-party testing program (establishing 2026)
Getting More Information
SALT provides security information through multiple engagement tiers to meet different evaluation needs:
Available Documentation
Freely Available
- This Security Program Overview
- Privacy Policy (public)
- Terms of Use (public)
- Certificate of Insurance (upon request)
Available Under NDA (for active customers and qualified prospects)
- Security policy summaries and excerpts
- Detailed security questionnaire responses
- Security review calls with the Security Officer
- SOC 2 Type II report (when available)
- Penetration test executive summaries (when available)
Available Through Formal Engagement (for enterprise customers and financial institutions)
- Comprehensive security audit and assessment
- Full policy documentation access
- Ongoing compliance partnership and reporting
- Custom security documentation and attestations
Security Assessment Process
Standard Due Diligence (Recommended for Most Organizations): For customers and prospects conducting vendor risk assessments, SALT offers security review calls and targeted questionnaire responses. This tier is suitable for most compliance and due diligence needs.
- Timeline: 5-10 business days
- Requirements: Active business relationship or qualified prospect status
- Contact: Your sales representative or security@saltinsure.com
Comprehensive Security Audit (For Enterprise & Financial Institutions): For organizations requiring in-depth security audits, full policy documentation review, or ongoing compliance partnership, SALT provides comprehensive security assessment services. Due to the significant time and resource investment required, comprehensive audits are typically included as part of enterprise customer onboarding packages.
- Timeline: 2-4 weeks
- Requirements: Formal engagement discussion
- Contact: Your sales representative to discuss engagement scope
Contact Information
- General Security Questions: security@saltinsure.com
- Sales & Engagement Discussions: Contact your SALT sales representative or reach out through our website
- Security Officer: Jonathan Simmons, available for qualified prospects under active evaluation
Document Information
- Maintained by: SALT Security Officer
- Review Frequency: Annually or as security program changes
- Version: 1.0
- Last Updated: October 4, 2025
For the most current information about SALT’s security program, please contact security@saltinsure.com.
This document provides a high-level overview of SALT Insure’s security program. It is intended for evaluation purposes and does not constitute a warranty, guarantee, or contractual commitment. Specific security commitments are documented in Master Service Agreements, Data Processing Agreements, and other contractual documents.