Compliance status: GDPR - Compliant | DORA - Compliant | ISO 27001 - Q1 2026
Key security principles at Onesurance
End-to-end encryption for all data in transit and at rest
Multi-factor authentication required for all users
24/7 security monitoring with automated incident detection
Data residency within the EU (Azure West Europe)
ISO 27001 certification in preparation (target Q1 2026)
Certifications and Standards
Onesurance adheres to the highest security and compliance standards in the financial sector. Below you will find an overview of our current certifications and roadmap.
Certification | Description | Status
TRUST CENTER - DATA SECURITY
Onesurance
Last updated: December 2024
Our Approach to Data Security
At Onesurance, data security is built into every layer of our platform. We process sensitive insurance data for our customers and treat this data with the highest level of protection. Our security architecture combines enterprise-grade cloud infrastructure with multiple layers of defense, continuous monitoring, and strict access controls.
All customer data is processed exclusively within the European Union (Azure West Europe region), ensuring compliance with EU data location requirements and low latency for our European insurance customers.
Data processing architecture
Our platform architecture is designed with security-by-design principles:
Input Layer
• Data sources: Excel, APIs, PDFs, databases
• Input validation: All incoming data is validated and sanitized
• Encryption: TLS 1.3 for all data in transit
• Authentication: Required for all data uploads
Processing Layer (Azure West Europe)
• Location: Azure West Europe data centers only (Netherlands)
• Processing components:
Risk Engine: Risk calculations and analyses
Defend Agent: AI-driven customer service and claims processing
Churn Model: Predictive analytics for customer retention
Customer Lifetime Value (CLV): Value calculations
Next Best Product (NBP): Product recommendations
• Isolation: Each customer has an isolated processing environment
• Encryption at rest: AES-256 for all stored data
• Access control: Role-Based Access Control (RBAC) on all resources
Output Layer
• API endpoints: RESTful APIs with OAuth 2.0 authentication
• Data exports: Encrypted via TLS 1.3
• Reports: Generated on demand, not stored permanently
• Monitoring: All output is logged for audit trails
Encryption
Data at Rest
• Algorithm: AES-256 (Advanced Encryption Standard)
• Key management: Azure Key Vault with Hardware Security Modules (HSM)
• Database encryption: Transparent Data Encryption (TDE) on all databases
• File storage: Server-Side Encryption (SSE) for blob storage
• Backups: Fully encrypted with separate encryption keys
• Key rotation: Automatic annual rotation, or on demand in the event of a security incident
Data in Transit
• Protocol: TLS 1.3 (latest transport layer security version)
• Minimum: TLS 1.2 supported for legacy compatibility
• Cipher suites: Only strong ciphers, no outdated algorithms
• Certificate management: Automatic rotation via Azure
• API communication: All API calls over HTTPS, HTTP not allowed
• Internal traffic: Encrypted between all Azure resources
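The Data in Transit settings above (TLS 1.3 preferred, TLS 1.2 as the floor, no outdated ciphers, certificates always verified) expressed as a Python ssl context, with an audit helper that flags a context violating them. This is an added example, not Onesurance's code; the deny-list of weak algorithm markers and the non-compliant "legacy" context are assumptions constructed for the demonstration.

```python
import ssl

# Markers of algorithms the Data in Transit policy rules out (assumed deny-list).
WEAK_MARKERS = ("RC4", "3DES", "DES-CBC", "MD5", "NULL", "EXPORT")

# TLS 1.2 suites limited to forward-secret AEAD ciphers; TLS 1.3 suites are
# fixed by OpenSSL and are all AEAD, so they need no cipher string.
STRONG_TLS12_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!3DES:!RC4"


def build_client_context() -> ssl.SSLContext:
    """Client context matching the policy: TLS 1.3 preferred, TLS 1.2 floor."""
    ctx = ssl.create_default_context()             # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # legacy floor from the policy
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3   # negotiate 1.3 whenever possible
    ctx.set_ciphers(STRONG_TLS12_CIPHERS)
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of policy violations; an empty list means compliant."""
    problems = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append(f"minimum TLS version too low: {ctx.minimum_version.name}")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("certificate verification disabled")
    for suite in ctx.get_ciphers():                # every suite the context could negotiate
        name = suite["name"]
        if any(marker in name for marker in WEAK_MARKERS):
            problems.append(f"weak cipher enabled: {name}")
    return problems


def legacy_context() -> ssl.SSLContext:
    """Constructed non-compliant context, used only to exercise the audit."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1_1
    return ctx


if __name__ == "__main__":
    print("compliant context:", audit_context(build_client_context()) or "OK")
    print("legacy context:", audit_context(legacy_context()))
```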
Encryption of Sensitive Fields
• Personally identifiable information (PII): Additional field-level encryption
• Financial data: Separately encrypted with dedicated keys
• Health data: Additional protection in accordance with GDPR special categories
• Passwords: Never stored in plaintext; hashed with bcrypt (cost factor 12)
Access Control
Role-Based Access Control (RBAC)
• Principle: Least privilege - minimum necessary access
• Roles defined by:
Position (developer, operations, support, admin)
Data classification level (public, internal, confidential, restricted)
Resource type (databases, APIs, logs, configuration)
• Review frequency: Quarterly access reviews
• Onboarding/offboarding: Automated via HR system
• Temporary access: Time-limited elevated access via Just-In-Time (JIT)
Multi-Factor Authentication (MFA)
• Required for: All employees and administrators
• Methods: Authenticator apps (TOTP), hardware tokens, biometrics
• Enforcement: Technically enforced, no exceptions
• Backup codes: Securely stored for emergency access
• Customer access: MFA available and encouraged for customer portals
Identity & Access Management (IAM)
• Directory: Azure Active Directory (Azure AD / Entra ID)
• Single Sign-On (SSO): Central identity management
• Conditional access: Context-aware access policy (location, device, risk)
• Privileged Identity Management (PIM): Additional controls for admin accounts
• Service accounts: Minimally used, regularly rotated credentials
Logical Access Controls
• Database access: Individual user accounts, no shared credentials
• Application access: API keys with short expiration, rotatable
• Infrastructure access: Bastion hosts, no direct SSH/RDP access
• Production access: Strictly limited, logged, and monitored
• Development/test: Separate from production, anonymized data
Physical & Network Security
Microsoft Azure Datacenter Security
• Location: Azure West Europe region (Amsterdam, Netherlands)
• Physical access: Biometric controls, 24/7 surveillance, layered security
• Certifications: ISO 27001, ISO 27017, ISO 27018, SOC 1/2/3
• Availability: 99.99% SLA with Availability Zones
• Compliance: GDPR, DORA compliant infrastructure
Network architecture
• Segmentation: Virtual networks (VNets) with isolated subnets
• Firewalls: Azure Firewall and Network Security Groups (NSGs)
• DDoS protection: Azure DDoS Protection Standard
• Load balancing: Geographically distributed for high availability
• Private endpoints: No public internet exposure for databases
• VPN/ExpressRoute: Available for enterprise customers
Intrusion Detection & Prevention
• Azure Security Center: Continuous monitoring of resources
• Network Watcher: Traffic analysis and anomaly detection
• Application Gateway WAF: Web Application Firewall for APIs
• Threat intelligence: Microsoft threat feeds integrated
• Automated response: Security playbooks for common threats
Security monitoring
24/7 Security Operations
• Monitoring tool: Azure Monitor + Azure Sentinel (SIEM)
• Coverage: All resources, applications, network traffic, user activity
• Alerting: Real-time alerts for security events
• Response time: <15 minutes for critical alerts
• Escalation: Defined procedures and contact persons
• Logging retention: Minimum 1 year, up to 7 years for compliance
Security Event Categories
• Authentication failures: Failed login attempts, MFA failures
• Unauthorized access attempts: Access to prohibited resources
• Data exfiltration: Unusual data transfers
• Malware detection: Virus/malware attempts
• Configuration changes: Unauthorized changes to systems
• Privilege escalation: Attempts to gain elevated access
• Anomalous behavior: Abnormal user behavior (UEBA)
Audit Logging
• Scope: All user actions, system events, data access
• Immutability: Logs cannot be modified or deleted
• Encryption: Logs are encrypted at rest and in transit
• Access controls: Only the security/compliance team has access
• Compliance: Complies with GDPR, DORA logging requirements
• Search & analysis: Central logging platform with query capabilities
Vulnerability Management
Vulnerability Scanning
• Frequency: Weekly automated scans
• Tools: Azure Defender, Qualys, Nessus
• Scope: All production and development environments
• Severity classification: CVSS v3.1 scoring
• False positive management: Review and validation process
• Metrics: Tracked and reported to management
Patch Management
• Operating systems: Automated patches within SLA
Critical: <48 hours
High: <72 hours (3 days)
Medium: <30 days
Low: <90 days
• Applications: Monitored for security updates
• Dependencies: Continuous monitoring via GitHub Dependabot
• Testing: Patches are tested in a staging environment first
• Rollback procedure: Defined for problematic patches
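Added example, not Onesurance's own tooling: the CVSS v3.1 severity bands from the Vulnerability Scanning section combined with the patch windows above, applied to a set of findings to report which ones are overdue and the overall SLA compliance figure tracked for management. The finding records, identifiers and timestamps are constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
# Patch windows from the Patch Management section, in hours.
PATCH_SLA_HOURS = {"Critical": 48, "High": 72, "Medium": 30 * 24, "Low": 90 * 24}
UTC = timezone.utc

def cvss_severity(score: float) -> str:
    """CVSS v3.1 qualitative scale: 0.0 None, 0.1-3.9 Low, 4.0-6.9 Medium, 7.0-8.9 High, 9.0+ Critical."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    for ceiling, label in ((0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High")):
        if score <= ceiling:
            return label
    return "Critical"

@dataclass
class Finding:
    finding_id: str
    cvss: float
    detected: datetime
    patched: Optional[datetime] = None   # None while the finding is still open

def sla_status(f: Finding, now: datetime) -> dict:
    """Deadline and SLA outcome for one finding, judged at time `now`."""
    severity = cvss_severity(f.cvss)
    window = PATCH_SLA_HOURS.get(severity)        # "None" severity carries no SLA
    deadline = f.detected + timedelta(hours=window) if window else None
    closed_at = f.patched or now                  # open findings are judged as of now
    met = deadline is None or closed_at <= deadline
    return {"id": f.finding_id, "severity": severity, "deadline": deadline,
            "open": f.patched is None, "met_sla": met}

def sla_report(findings, now: datetime) -> dict:
    # Metrics for management reporting: breached windows and overall compliance.
    rows = [sla_status(f, now) for f in findings]
    return {
        "overdue_open": [r["id"] for r in rows if r["open"] and not r["met_sla"]],
        "breached": [r["id"] for r in rows if not r["met_sla"]],
        "compliance_pct": round(100 * sum(r["met_sla"] for r in rows) / len(rows), 1),
    }

def sample_findings() -> list:
    """Constructed findings (not real scan output)."""
    return [
        Finding("VULN-001", 9.8, datetime(2024, 12, 12, 8, tzinfo=UTC), datetime(2024, 12, 13, 20, tzinfo=UTC)),
        Finding("VULN-002", 7.5, datetime(2024, 12, 10, 9, tzinfo=UTC)),               # open, past 72 h
        Finding("VULN-003", 5.3, datetime(2024, 11, 1, tzinfo=UTC), datetime(2024, 11, 20, tzinfo=UTC)),
        Finding("VULN-004", 3.1, datetime(2024, 10, 1, tzinfo=UTC)),                   # open, within 90 days
    ]
NOW = datetime(2024, 12, 15, 12, tzinfo=UTC)   # constructed "current" time for the report
```

Running `sla_report(sample_findings(), NOW)` lists VULN-002 as the only breached (and still open) finding and reports 75.0% SLA compliance.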
Penetration Testing
• Frequency: Annually by external ethical hackers
• Scope: Full-stack testing (application, APIs, infrastructure)
• Methodology: OWASP Testing Guide, PTES
• Last test: [Date]
• Critical findings: All mitigated for production
• Reporting: Summary available for enterprise customers
Secure Development Practices
Security Development Lifecycle (SDL)
• Planning: Threat modeling for new features
• Design: Security architecture reviews
• Development: Secure coding standards (OWASP)
• Testing: Automated security tests in CI/CD
• Deployment: Security gates for production releases
• Operations: Continuous monitoring and feedback loop
Code Security
• Static Analysis (SAST): Automated with every commit
• Dynamic Analysis (DAST): Weekly scans of running applications
• Dependency scanning: Real-time alerts for vulnerable libraries
• Code reviews: Mandatory peer review with security checklist
• Secrets management: No credentials in code, use of Azure Key Vault
• Git security: Branch protection, signed commits, access controls
API Security
• Authentication: OAuth 2.0 / JWT tokens
• Authorization: Fine-grained permissions per endpoint
• Rate limiting: DDoS protection and abuse prevention
• Input validation: Strict schema validation for all inputs
• Output encoding: Prevention of injection attacks
• API versioning: Backward-compatible changes, deprecation of old endpoints
• Documentation: Security requirements in API specs
Data Classification & Handling
Classification Levels
• Public: Non-sensitive information, freely shareable
• Internal: Company information, not for external distribution
• Confidential: Customer data, contractual information
• Restricted: Personal data (GDPR), financial data, health data
Handling Procedures Per Level
• Public: No special restrictions
• Internal: Access control, encryption at rest
• Confidential: MFA required, encryption at rest and in transit, audit logging
• Restricted: Additional approvals, field-level encryption, extensive logging
Data Minimization
• Principle: Only collect what is necessary
• Retention: Automatic deletion after retention period
• Pseudonymization: Where possible, separation of identifiers
• Anonymization: For analytics and testing, irreversible
Data destruction
• Method: Cryptographic erasure (key destruction) + secure delete
• Media destruction: Certified destruction for hardware (if applicable)
• Verification: Audit trail of destruction events
• Timeline: Within 30 days after the end of the retention period
Incident Response
See also: Template 06 - Incident Response for full details
Data Breach Response
• Detection: Automated alerts + security monitoring
• Assessment: Within 4 hours of detection
• Containment: Immediate isolation of affected systems
• Eradication: Root cause analysis and remediation
• Recovery: Controlled restoration of services
• Notification:
Supervisory authority (AP, the Dutch Data Protection Authority): Within 72 hours if required
Parties involved: Without undue delay if high risk
Customers: Proactive communication and updates
Security Incident Classification
• P1 (Critical): Data breach, ransomware, system compromise
• P2 (High): Unauthorized access attempts, vulnerability exploitation
• P3 (Medium): Policy violations, suspicious activity
• P4 (Low): Informational, no direct security impact
Customer Commitments
What You Can Expect
✓ Zero Trust Architecture: Verify explicitly, least privilege, assume breach
✓ Defense in Depth: Multiple security layers, no single point of failure
✓ Continuous Monitoring: 24/7 security operations center
✓ Rapid Response: <15 minute response time for critical incidents
✓ Proactive Updates: Regular security patches and updates
✓ Transparency: Open communication about security posture
✓ Compliance: Compliance with GDPR (AVG), DORA, and ISO 27001 requirements
Your Responsibilities
• Account security: Enable strong passwords and MFA
• Access management: Revoke access promptly when employees leave the company
• Data classification: Label sensitive information correctly
• Incident reporting: Report suspicious activity immediately
• Security awareness: Train your own users
Contact
For security questions and incidents:
• Security Team: onesurance
• 24/7 Security Hotline: [Phone number for critical incidents]
• Responsible Disclosure: onesurance
Onesurance B.V. | Breda, Netherlands | Chamber of Commerce: 87521997