Your vendor data is handled with care
COIPulse processes sensitive insurance documents on your behalf. We take that responsibility seriously — here's exactly how we protect your data.
How your data is protected
Security is built into every layer of the COIPulse platform — not bolted on after the fact.
Encryption at rest
All data stored on COIPulse infrastructure — including uploaded COI documents, extracted data, and account information — is encrypted using AES-256.
Encryption in transit
All data transmitted between your browser and COIPulse is encrypted using TLS 1.2 or higher. We enforce HTTPS and reject insecure connections.
Organization isolation
Each COIPulse organization is a fully isolated data tenant. Row-level security ensures your vendors, COIs, and compliance configurations are never accessible to other customers.
Role-based access control
Within your organization, you control who can view, edit, or administer your compliance data. Admin, member, and viewer roles let you enforce least-privilege access.
Secure infrastructure
COIPulse runs on managed cloud infrastructure with automatic patching, private networking, and access logs. Production database access is restricted to authorized engineers only.
SOC 2-ready audit trail
Every compliance action is immutably logged with timestamps, user attribution, and IP addresses. COI uploads, compliance status changes, extraction results, reminder sends, team changes, settings modifications, and login events are all recorded in a tamper-evident audit trail accessible to organization admins.
AI processing transparency
COIPulse uses OpenAI's API to extract structured data from COI documents. We know you deserve to understand exactly what that means for your data.
What gets sent to OpenAI
When you upload a COI, the document image or text is sent to OpenAI's API for processing. This includes the visual content of the PDF — insurer names, policy numbers, coverage limits, dates, and insured business information contained in the document.
What OpenAI does not retain
COIPulse has enabled OpenAI's API data opt-out policy. This means your COI content is processed in real time to return extracted fields and is not used by OpenAI to train future models. OpenAI may retain request/response data for up to 30 days for abuse monitoring, after which it is deleted. See OpenAI API Data Usage Policies.
What COIPulse stores
COIPulse stores: (1) the original COI document file, (2) the extracted structured data (policy limits, dates, coverage types), and (3) compliance scores and audit history. All of this is stored in your organization's isolated data partition and is accessible only to your team.
AI accuracy and human review
Our AI extraction achieves 99.2% accuracy on standard ACORD 25 forms. For documents where confidence is below our threshold, the system flags fields for manual review. We recommend reviewing AI-extracted data before making critical compliance decisions, particularly for non-standard or handwritten certificates.
SOC 2 readiness
COIPulse is actively working toward SOC 2 Type II certification. Our security controls are designed to meet SOC 2 Trust Services Criteria, including:
- Security — logical and physical access controls
- Availability — monitored uptime and incident response
- Confidentiality — data classification and access restrictions
- Processing Integrity — accurate and complete data processing
SOC 2-ready audit trail
Every compliance action is immutably logged with timestamps, user attribution, and IP addresses. The full audit trail is filterable, searchable, and exportable to CSV for external auditor review.
Enterprise customers who require a current security report or vendor questionnaire may contact security@coipulse.com.
Data residency
COIPulse infrastructure is hosted on AWS in the US East (N. Virginia) region by default. Your organization's documents, vendor records, and compliance data are stored and processed in this region.
AI document processing (OpenAI) involves data leaving our infrastructure briefly for extraction. OpenAI operates data centers in the United States. See the Privacy Policy for details on third-party data handling.
For enterprise plans with specific data residency requirements (EU, specific state compliance), contact us to discuss options.
Incident response
We take security incidents seriously and have a defined process for identifying, containing, and disclosing issues.
Detection and containment
We monitor infrastructure continuously for anomalous behavior. Upon detecting a potential incident, we immediately isolate affected systems and begin root cause analysis.
Assessment and remediation
We determine the scope, impact, and affected data. We prioritize restoring service integrity and patching the vulnerability before broader disclosure.
Customer notification
For incidents involving unauthorized access to customer data, we notify affected customers within 72 hours of confirming the breach, consistent with GDPR requirements and applicable US state data breach notification laws.
Post-incident review
We conduct a post-incident review to identify root causes, implement preventive controls, and update our security posture. Learnings are incorporated into our ongoing security program.
Responsible disclosure policy
We welcome security researchers who act in good faith to help us keep COIPulse secure. If you discover a potential security vulnerability, please follow these guidelines:
How to report a vulnerability
Email a detailed description of the vulnerability to security@coipulse.com. Include: the affected URL or component, steps to reproduce, potential impact, and any proof-of-concept (if applicable).
Our commitments to researchers
- Acknowledge receipt within 2 business days
- Provide an initial severity assessment within 5 business days
- Work to resolve confirmed vulnerabilities promptly
- Credit researchers in our security acknowledgments (if desired)
- Not pursue legal action against good-faith researchers
Out of scope
- Social engineering attacks against COIPulse staff or customers
- Physical security attacks
- Denial-of-service attacks
- Automated scanning without prior coordination
Security questions?
Our security team is available to answer questions about our controls, provide documentation for your vendor review process, or discuss enterprise security requirements.