Security overview
BindCheck holds insurance policy documents and client data; the security posture is built for that.
The short version
- All traffic is TLS; strict security headers (CSP, HSTS, frame-deny) on every response.
- Org data is fully isolated — every query is scoped to your organization.
- Passwords are salted-scrypt hashed; sessions are httpOnly cookies; API keys and reset tokens are stored only as SHA-256 hashes and shown once.
- Rate limiting everywhere it matters: login attempts, signups, uploads, and the API (per-day and per-minute).
- Uploads are validated by content (PDF magic bytes), size-capped, and stored under random names — user filenames never touch the filesystem.
- Policies are processed as untrusted input end to end; the diff comes from a deterministic rules engine, never from instructions inside a document.
- Nightly backups with retention; full activity audit log per organization.
- Application containers run as a non-root user with Linux capabilities dropped.
Compliance and copyright
BindCheck stores ISO/AAIS form FACTS only — form number, edition date and a short description — and never reproduces copyrighted form wording. Your policy documents remain your source for exact language.
Reporting
Found something? Email security@bindcheck.com with details — security reports get priority handling.
Questions the docs don't answer? Email support@bindcheck.com — a human reads it.