Security overview

BindCheck holds insurance policy documents and client data; the security posture is built for that.

The short version

  • All traffic is TLS; strict security headers (CSP, HSTS, frame-deny) on every response.
  • Org data is fully isolated — every query is scoped to your organization.
  • Passwords are salted-scrypt hashed; sessions are httpOnly cookies; API keys and reset tokens are stored only as SHA-256 hashes and shown once.
  • Rate limiting everywhere it matters: login attempts, signups, uploads, and the API (per-day and per-minute).
  • Uploads are validated by content (PDF magic bytes), size-capped, and stored under random names — user filenames never touch the filesystem.
  • Policies are processed as untrusted input end to end; the diff comes from a deterministic rules engine, never from instructions inside a document.
  • Nightly backups with retention; full activity audit log per organization.
  • Application containers run as a non-root user with Linux capabilities dropped.

Compliance and copyright

BindCheck stores ISO/AAIS form FACTS only — form number, edition date and a short description — and never reproduces copyrighted form wording. Your policy documents remain your source for exact language.

Reporting

Found something? Email security@bindcheck.com with details — security reports get priority handling.

Questions the docs don't answer? Email support@bindcheck.com — a human reads it.