Security & Compliance

Enterprise security built for regulated insurance operations

AES-256 encryption, enterprise security standards, immutable audit trails, and multi-region data residency. Regure is built from the ground up to meet the security and compliance requirements of carriers, TPAs, and MGAs.

Security Status: All Systems Secure
Encryption: AES-256
Compliance: Enterprise-Grade
Audit Trail: 100% Logged

Security is not a feature. It's the foundation.

When you process insurance claims, you handle sensitive medical records, financial documents, personally identifiable information, and proprietary underwriting data. A security breach doesn't just expose data — it destroys trust, triggers regulatory penalties, and puts your license at risk.

Regure was built for regulated industries where security and compliance are not negotiable. Every architectural decision, every integration point, and every line of code is designed with encryption, access control, and audit logging as foundational requirements — not afterthoughts.

This page provides a comprehensive overview of Regure's security architecture, compliance certifications, data residency options, and operational security practices. If you need additional documentation for your security review or procurement process, contact our team for detailed technical specifications.

ISO/IEC 27001:2022 Certified: ISO/IEC 27001:2022 certified security controls
AES-256 Encryption: Data encrypted at rest and in transit
Multi-Region Hosting: US, EU, UK, Middle East data residency
Immutable Audit Trails: Merkle tree cryptographic verification

Certifications & Standards

ISO/IEC 27001:2022

Information Security Management
Certificate No. 25MEQUG53 | Valid through October 2028

ISO 9001:2015

Quality Management
Certificate No. 25MEQUL53 | Valid through October 2028

SOC 2 Type II

In Progress
Security documentation available to customers under NDA during procurement reviews.

HIPAA

Architecture designed to support HIPAA compliance for processing protected health information. BAA available upon request.

AES-256 encryption for all data at rest and in transit

Every document, message, and data field in Regure is encrypted using industry-standard AES-256 encryption. This applies whether data is stored in our databases, transmitted between services, or sent over the network to your users.

Encryption at Rest

All documents stored in Regure are encrypted at rest using AES-256-GCM (Galois/Counter Mode). This includes uploaded files, generated reports, message attachments, and system logs. Encryption keys are managed using AWS Key Management Service (KMS) with automatic key rotation every 90 days.

Database fields containing personally identifiable information (PII), protected health information (PHI), and financial data are encrypted at the field level before being written to the database. This ensures that even if an attacker gains access to database backups, they cannot read sensitive information without the encryption keys.

Encryption in Transit

All network communication uses TLS 1.3 with perfect forward secrecy. This applies to API requests, web application traffic, and inter-service communication within our infrastructure. We do not support older TLS versions or insecure cipher suites.

All communications are protected with AES-256 encryption at rest and TLS 1.3 in transit. Organisation-managed encryption keys ensure authorised compliance teams can access communications for regulatory review when required.

Key Management

Encryption keys are stored in AWS KMS and are never exposed to application code or logged. Access to encryption keys is controlled via IAM policies and requires multi-factor authentication. Key usage is logged for audit purposes.

For Enterprise clients requiring additional control, we support customer-managed encryption keys (CMEK) where you maintain control of the root encryption key in your own AWS KMS instance. This gives you the ability to revoke Regure's access to your data at any time.

Role-based access control with granular permissions

Not everyone should see everything. Regure enforces strict role-based access control (RBAC) to ensure users only access documents and data relevant to their role.

System Administrator

Full access to all documents, workflows, users, and system configuration. Can assign roles, configure integrations, and access audit logs. Typically reserved for IT leadership.

Claims Manager

View and edit all claims across teams. Configure workflows, run reports, and reassign claims. Access to performance dashboards and SLA monitoring.

Senior Adjuster

Handle assigned claims and approve settlements up to configured thresholds. Access to secure messaging, e-signatures, and document uploads.

Adjuster

Process assigned claims, upload documents, and communicate with claimants. Cannot approve settlements above threshold or reassign claims without manager approval.

Field Adjuster

Mobile access to assigned claims for on-site investigations. Can upload photos, documents, and notes. Limited access to historical claims and team data.

Compliance Officer

Read-only access to all claims and full access to audit logs. Can run compliance reports, export data for regulatory requests, and configure retention policies.

External Contractor

Limited access to specific claims only. Cannot see other claims, cannot access team data, and all actions are logged separately for contractor audit trails.

Claimant Portal User

View their own claim status, upload documents, and communicate with their assigned adjuster. No access to other claimants' data or internal workflows.

Custom Roles

Enterprise clients can define custom roles with granular permissions tailored to their organizational structure and approval hierarchies.

Immutable audit trails with cryptographic verification

Every action on every document is logged in tamper-evident audit trails. When a regulator asks "who accessed this file and when?" — you answer in seconds, not days.

What gets logged

Regure logs every action that touches a document or claim file. This includes uploads, downloads, views, edits, shares, assignments, approvals, and deletions. Each log entry captures the user ID, timestamp, IP address, action type, and affected resources.

Audit logs are written to immutable storage and cannot be modified or deleted by any user, including system administrators. Logs are retained according to your jurisdiction's requirements — typically 7 years for insurance operations.

Merkle tree verification

Audit logs are organized in a Merkle tree structure where each log entry is cryptographically hashed and linked to previous entries. This creates a tamper-evident chain where any modification to historical logs is immediately detectable.

When you export audit logs for regulatory review, Regure includes cryptographic proofs that verify the integrity of the entire log chain. Auditors can independently verify that logs have not been altered since they were created.

Sample Audit Trail

Timestamp | Action | Actor | Details
2024-02-17 14:32:18 UTC | Document Uploaded | john.smith@carrier.com | police_report_CLM2847.pdf (2.3 MB)
2024-02-17 14:32:23 UTC | AI Classification | system | Classified as "Police Report" (98.7% confidence)
2024-02-17 14:35:41 UTC | Document Viewed | sarah.chen@carrier.com | IP: 203.0.113.45, Duration: 2m 14s
2024-02-17 15:01:09 UTC | Claim Assigned | manager@carrier.com | Assigned to adjuster: mike.torres@carrier.com
Cryptographic Hash: 7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d

All audit logs are retained for 7+ years and can be exported in JSON, CSV, or PDF format for regulatory reviews.
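To make the Merkle tree verification described above concrete, here is an added illustration in Python; it is not Regure's implementation. It chains the four sample entries from the audit trail above into leaf hashes, builds a Merkle root over them, and shows the auditor-side check: recomputing the root from one exported entry plus its inclusion proof. The specific scheme (SHA-256, 0x00/0x01 domain prefixes, duplicating the last node on odd-sized levels) and the entry field names are assumptions made for the example.

```python
import hashlib
import json
SAMPLE_ENTRIES = [  # constructed from the four events in this page's sample audit trail
    {"ts": "2024-02-17T14:32:18Z", "action": "Document Uploaded",
     "actor": "john.smith@carrier.com", "detail": "police_report_CLM2847.pdf (2.3 MB)"},
    {"ts": "2024-02-17T14:32:23Z", "action": "AI Classification",
     "actor": "system", "detail": 'Classified as "Police Report" (98.7% confidence)'},
    {"ts": "2024-02-17T14:35:41Z", "action": "Document Viewed",
     "actor": "sarah.chen@carrier.com", "detail": "IP: 203.0.113.45, Duration: 2m 14s"},
    {"ts": "2024-02-17T15:01:09Z", "action": "Claim Assigned",
     "actor": "manager@carrier.com", "detail": "Assigned to adjuster: mike.torres@carrier.com"},
]

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hashes(entries):
    """Chain the entries: each leaf commits to its canonical JSON and the previous leaf."""
    prev, leaves = b"\x00" * 32, []
    for e in entries:
        canonical = json.dumps(e, sort_keys=True, separators=(",", ":")).encode()
        prev = _h(b"\x00" + prev + canonical)  # 0x00 prefix: leaf domain separation
        leaves.append(prev)
    return leaves

def _next_level(level):
    if len(level) % 2:
        level = level + [level[-1]]  # duplicate the last node on odd-sized levels
    return [_h(b"\x01" + level[i] + level[i + 1]) for i in range(0, len(level), 2)]

def merkle_root(leaves):
    level = list(leaves)
    while len(level) > 1:
        level = _next_level(level)
    return level[0]

def inclusion_proof(leaves, index):
    # Sibling hashes, each tagged with its side, that recompute the root from one leaf.
    proof, level, i = [], list(leaves), index
    while len(level) > 1:
        padded = level + [level[-1]] if len(level) % 2 else level
        sib = i ^ 1
        proof.append(("L" if sib < i else "R", padded[sib]))
        level, i = _next_level(level), i // 2
    return proof

def verify_inclusion(leaf, proof, root):
    # Auditor-side check: fold the proof back up to the published root.
    node = leaf
    for side, sib in proof:
        node = _h(b"\x01" + sib + node) if side == "L" else _h(b"\x01" + node + sib)
    return node == root
```

Because each leaf also commits to its predecessor, editing any historical entry changes every later leaf and therefore the root, which is what makes an exported chain tamper-evident.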

Multi-region hosting with data sovereignty guarantees

Insurance regulation is local. Regure deploys across multiple AWS regions to ensure your data stays where your regulators require.

United States

AWS Region: us-east-1 (N. Virginia), us-west-2 (Oregon)

Compliance: HIPAA, enterprise security standards, state insurance regulations

Use case: US carriers, TPAs, MGAs processing health, auto, and property claims with PHI and PII

European Union

AWS Region: eu-central-1 (Frankfurt), eu-west-1 (Ireland)

Compliance: GDPR Article 17 (Right to Erasure), IDD disclosures, EU AI Act

Use case: EU insurers requiring data sovereignty and GDPR compliance for underwriting and claims

United Kingdom

AWS Region: eu-west-2 (London)

Compliance: FCA Consumer Duty, UK GDPR, Lloyd's Market requirements

Use case: UK insurers, Lloyd's syndicates, and London Market participants

Middle East

AWS Region: me-south-1 (Bahrain)

Compliance: SAMA (Saudi Arabia), CBUAE (UAE), Takaful requirements

Use case: GCC insurers, Takaful operators, and reinsurance companies operating in MENA region

Data residency is configured during initial setup and cannot be changed without explicit customer approval. For Enterprise clients requiring dedicated regional deployment or private cloud hosting, contact our team for custom infrastructure options.

Built to meet insurance industry compliance requirements

HIPAA (United States)

Regure is designed to support HIPAA compliance for processing protected health information (PHI) in health insurance claims. BAA available upon request. All PHI is encrypted at rest and in transit, access is logged, and retention policies enforce HIPAA record-keeping requirements.

FCA Consumer Duty (UK)

Prove compliance with FCA Consumer Duty through automated customer outcome monitoring. Regure logs all customer interactions, decision points, and policy changes — giving you complete evidence trails for FCA reviews. Built-in reporting shows how customer outcomes are tracked and measured.

GDPR (European Union)

Full GDPR compliance including automated Right to Erasure (Article 17), data portability, and consent management. EU data stays in EU regions. Customers can configure automated data deletion policies and export customer data in machine-readable formats for regulatory requests.

SAMA (Saudi Arabia)

Regure complies with SAMA's digital insurance guidelines including data localization requirements, cybersecurity controls, and audit trail mandates. Deployments for Saudi insurers use Bahrain (me-south-1) or dedicated regional deployment to meet data residency rules.

CBUAE (UAE)

Supports CBUAE Open Finance API integration for insurance data sharing. Implements CBUAE's cybersecurity framework including multi-factor authentication, encryption standards, and incident response procedures required for UAE-licensed insurers.

ISO/IEC 27001:2022 Certified

Regure holds ISO/IEC 27001:2022 certified security controls (Cert. No. 25MEQUG53, valid through October 2028) and ISO 9001:2015 quality management certification (Cert. No. 25MEQUL53). Controls include AES-256 encryption, role-based access, immutable audit trails, and continuous monitoring. SOC 2 Type II is in progress.

24/7 security monitoring and incident response

Continuous Monitoring

Our Security Operations Center (SecOps) monitors Regure infrastructure 24/7 for anomalies, unauthorized access attempts, and performance issues. Automated alerts trigger investigation workflows for suspicious activity.

Penetration Testing

Annual third-party penetration testing by certified ethical hackers. We also run continuous automated vulnerability scans and address critical vulnerabilities within 48 hours of discovery.

Incident Response

Documented incident response procedures aligned with NIST Cybersecurity Framework. Customers are notified within 24 hours of any security incident affecting their data, with detailed root cause analysis provided within 72 hours.

Employee Security Training

All Regure employees complete security awareness training during onboarding and annual refresher courses. Engineers with production access undergo additional training on secure coding, data handling, and incident response.

Disaster Recovery

Automated backups every 6 hours with 30-day retention. Cross-region replication ensures data can be restored even in catastrophic regional failures. RTO (Recovery Time Objective) of 4 hours, RPO (Recovery Point Objective) of 6 hours.

Business Continuity

Multi-region active-active deployment ensures Regure remains operational even if an entire AWS region goes offline. 99.9% uptime SLA for Enterprise customers backed by service credits.

Need detailed security documentation for your procurement review?

Request our security documentation, architecture diagrams, and compliance documentation for your security team.