Failure to properly verify and enforce contractual or regulatory requirements costs tens of billions of dollars annually in preventable losses. Yet without specialized knowledge and custom tools the process is very difficult to execute, leading to high costs, poor outcomes and increased risk of exposure to third-party claims.
The Docutrax certificate of insurance (COI) tracking service combines proprietary cloud technology with insurance-licensed subject matter experts to protect leading national brands against unnecessary liability resulting from the actions of their tenants, vendors, franchisees or other third-parties with whom they contract. Our job is to make sure these third-parties play by the rules established by our customers.
The Docutrax products are offered as Software-as-a-Service (SaaS) solutions. These solutions are available to customers through purpose-built web applications and application programming interfaces (APIs).
Docutrax’s primary security focus is to safeguard our customers’ data. This is the reason that Docutrax has invested in the appropriate resources and controls to protect and service our customers. This investment includes the implementation of the dedicated Security and Risk Team. The Security and Risk Team is responsible for the Docutrax’s comprehensive security and risk management program and the governance process. The security team is focused on defining new and refining existing controls, implementing and managing the Docutrax security and risk framework as well as providing a support structure to facilitate effective risk management. Our Chief Technology Officer, who reports to the Chief Executive Officer, manages the Security and Risk Team.
We have developed our security framework using best practices in the SaaS industry. Our key security and risk objectives include:
To consistently deliver superior product and service to our customers while protecting the privacy and confidentiality of their information.
To ensure ongoing availability of the service and data to all authorized individuals and proactively minimize the security risks threatening service continuity.
To ensure that the customer information is never damaged, corrupted or changed in any inappropriate way.
To implement process and controls to align with current international regulatory and industry best practice guidance.
In order to support our business and ensure that we are enforcing reasonable practices to protect our corporate and customer data, the following series of security controls have been put in place. The controls are designed to allow for a high level of employee efficiency without artificial roadblocks, while minimizing risk for our customers. A subset of these controls is described below.
The information collected in our products is insurance data provided by insurance companies, insurance brokers, the account holder and its employees, as well as other third-party sources. Per the Docutrax Acceptable Use Policy, it is the responsibility of our customers to ensure that only appropriate non-sensitive information is being captured to support the service provided by our products. We prohibit our customers from collecting or capturing sensitive data such as credit or debit card numbers, personal financial account information, Social Security numbers, passport numbers, driver’s license numbers or similar identifiers, or employment, financial or health information.
Customer interactions with the Docutrax product suite are encrypted in transit with Secure Sockets Layer (SSL) technology using industry standard encryption techniques with a 2,048 bit key. At rest, customer login information, such as passwords, is stored using industry standard password hashing mechanisms with a unique per-user salt.
We do not retain any credit card information within any Docutrax product.
Docutrax’s products leverage hosting services from Amazon Web Services (AWS), the premier hosting company of corporations worldwide. We rely on contractual security, privacy policies, and compliance programs of AWS to protect the physical infrastructure on which our data are stored. Our customers’ data are not shared with any third-parties and is never sold for any purpose.
Within our AWS data center, customer data are stored in multi-tenant storage systems accessible to our customers via only the Docutrax applications or APIs. No customer has direct access to the underlying application infrastructure. Docutrax leverages both structured (RDBMS) and unstructured (file-system) secure data repositories. Security is enforced through network and application access controls as well as permissions systems within each server and database.
Docutrax ensures data are replicated and backed up in multiple durable data-stores. The retention period depends on the nature of the data. Data are also replicated across data-center availability zones in order to provide fault-tolerance within an availability zone as well as scalability and responsive recovery, when necessary. In addition, the following policies have been implemented and enforced for data resilience:
Customer data will not be purged for active customers and until impractical, their data will remain in the Docutrax’s system indefinitely. Former customers’ data are removed from live databases upon a customer’s written request or after an established period following the termination of the customer agreement. In general, former customers’ data are purged 90 days after all customer relationships are terminated. Information stored in replicas, snapshots, and backups is not actively purged but instead naturally ages itself from the repositories as the data lifecycle occurs. Docutrax reserves the right to alter the data pruning period and process at its discretion in order to address technical, compliance, or statutory needs.
Docutrax outsources hosting of its product infrastructure Amazon Web Services, who provides high levels of physical and network security and maintain various levels of audited security, including SOC-2 compliance, and hardened infrastructure. Docutrax does not host any production software systems within its corporate offices.
This world-class data-center leverages the most advanced facilities infrastructure such as power, networking, and security. Facilities uptime is guaranteed to us from our providers to be between 99.95% and 100.00% and both providers ensure a minimum of N+1 redundancy to all power, network, and HVAC services. Access to these data-centers is highly restricted to both physical access as well as electronic access through public (Internet) and private (Intranet) networks in order to eliminate any unwanted interruptions in our service to our customers.
We leverage a multi-tier architecture with routers, firewalls, load-balancers, IDS, web- servers, application servers, database servers, and job servers in a standard configuration for a modern, cloud based, highly distributed system.
Docutrax employs various levels of network level security and policies to prevent any unauthorized or unintended access to the internal product infrastructure. These security controls include enterprise grade routers, firewalls, and Intrusion Detection Systems as well as comprehensive logging of all application access paths through web and application server logs.
Alerts for potential threats are escalated to identified administrators within Docutrax’s Technical Operations team. Servers within the product infrastructure are monitored for traffic spikes, port scanning, and other anomalous activities. Automated triggers facilitate triage of events and determination of any actions based on the situation. Traffic blocking rules exist and can be activated with the assistance of our data center providers for traffic identified to be potentially malicious in nature.
Docutrax has implemented an industry recognized Web Application Firewall (WAF). The WAF provides powerful security tools to defend Docutrax and our customers against increasingly frequent attacks (including Distributed Denial of Service). The WAF is configured with a combination of industry standard and custom rules that are capable of automatically enabling and disabling of appropriate controls to best protect our customers. These tools actively monitor real- time traffic at the application layer with ability to alert or deny malicious behavior based on behavior type and rate.
Docutrax performs a variety of vulnerability scanning activities against itself on a continuous basis. We perform vulnerability scanning continuously against our applications and static code analysis against source code repositories that are part of our applications. In addition, infrastructure vulnerability scanning is performed on a regular recurring basis.
Docutrax’s Acceptable Use Policy prohibits activities like spidering and vulnerability scanning, and those restrictions exist only to help ensure that customers have a positive Docutrax experience.
Quarterly penetration testing is performed by an independent security company to ensure adequate protection against intrusion. Reports are sent to and reviewed by senior management, with possible remediation plans developed and executed by responsible parties within Docutrax.
The Docutrax products enforce a uniform password policy. Customer portal accounts may be assigned finely grained permissions to the portal’s content and features.
Our API access is enabled through an API Key that is provided by the Docutrax system. All API requests are authenticated, and we do not allow anonymous access to the API.
Docutrax controls individual access to data within its production and corporate environment. A subset of Docutrax’s employees are granted access to production data based on their role in the company through role-based access controls (RBAC) or on an as-needed basis for quality assurance.
Engineers and members of the Operations team may be granted access to various production systems, as a function of their role. Common access needs include alert responses and troubleshooting, as well as to analyze information for product investment decisions as well as product support. Access to the product infrastructure is limited by network access and user authentication and authorization controls. Access to networking infrastructure is strictly limited to members of the Technical Operations team and our data-center support team.
Customer Support, Services, and other customer engagement staff may request just in time access to customer portals on a same day, time-limited basis. Such access is used to enable our support teams to assist with customer questions and requests. Services team members have JITA access to customer portals in order to assist in setup, consulting engagements, and similar activities. All access requests, logins, queries, page views and similar information is logged.
Employee access is subject to a periodic review to ensure authorized systems are within limits of employees’ current roles.
Docutrax prohibits account and password sharing by multiple employees. System level credentials are limited to systems that do not support integrated security through LDAP or other Docutrax supported security protocols.
Designated employees authenticate logins to Docutrax product infrastructure using per-user SSL certificates via restricted server ports. Logs are maintained at the data center of all such actions, and all are related to a specific IP address.
All employee actions are audited with a permanent record kept of every transaction.
Docutrax maintains a business continuity plan focusing both on preventing outage through redundancy of telecommunications, systems and business operations, and on recovery strategies in the event of a business continuity issue.
Business continuity testing is part of Docutrax normal processing. Docutrax recovery processes are validated continuously through normal maintenance and support processes. We follow rapid deploy principles, so we create / destroy many server instances as part of our regular daily maintenance and growth. We use those exact same procedures in a recovery scenario, allowing us to practice our recovery process every day.
Docutrax primarily relies on infrastructure redundancy, real time replication and backups. Disaster recovery testing is part of Docutrax normal processing. Data are replicated and backed up in multiple durable data-stores across data-center providers to add an additional level of both geographically dispersed off-site as well as off-vendor protection. Web hosting and public content have a fully redundant web and database infrastructure in 2 diverse US regions. Backend applications are operated in 3 availability zones of our primary hosting provider.
Docutrax leverages world-class datacenter providers in order to provide highly resilient and secure infrastructure. Our outsourced data center facilities have numerous environmental hazard safeguards in place, and their continuity and recovery plans have been independently validated as part of the providers' SOC 2 Type II and ISO 27001 certifications. The infrastructure redundancy controls are outlined in the infrastructure section above. This infrastructure, coupled with the policies and procedures of our data center providers, provides a high level of continuity protection. Our data backup practices, outlined above, allow us to recover all critical information in a timely fashion.
Docutrax’s services are critical to our customers’ risk management programs. As such, we treat our web-hosting and data-capture platforms to be mission critical. We strive to always meet and exceed the stated service level objectives and provide coverage 24 x 7 x 365 in order to provide the highest level of service to our customer and provide transparency to any customer impacting situations. To meet our transparency objectives, we will provide updates upon any major system impact via our public site - https://docutrax.com - until the issue is resolved.
The Chief Technology Officer reviews all security-related incidents, either suspected or proven, and directs the appropriate action. We coordinate with affected customers using the most appropriate means, depending on the nature of the incident.
Docutrax’s security and risk management program is designed to protect all Docutrax products. Each product takes advantage of common application development security best practices as well as infrastructure security and high availability configurations.
Whether our products are free or paid, feature-rich or lightweight, Docutrax works continuously to maintain the privacy of data you entrust with us. Data you store in Docutrax products is yours. We put our security program in place to protect it and use those data only to provide the Docutrax service to you. We never share your data across customers and never sell it.
The information and data in this document (including any related communications) are not intended to create a binding or contractual obligation between Docutrax and any parties, or to amend, alter or revise any existing agreements between the parties.
Last Reviewed: March 2021