Data security

Onesurance protects sensitive insurance data with enterprise-grade security. All data is processed exclusively within the EU (Azure West Europe) and protected with multiple layers of security, encryption, and strict access controls.

Core principles: Zero Trust Architecture • Defense in Depth • Continuous Monitoring

Encryption & Data Protection

Encryption Standards

Data at Rest:

  • AES-256 encryption for all stored data

  • Azure Key Vault with Hardware Security Modules (HSM)

  • Transparent Data Encryption (TDE) on databases

  • Fully encrypted backups with separate keys

  • Automatic key rotation (annual)

Data in Transit:

  • TLS 1.3 for all communication

  • Only strong cipher suites

  • All API calls over HTTPS (HTTP not allowed)

  • Encrypted traffic between all Azure resources

Extra Protection:

  • Field-level encryption for PII and financial data

  • Passwords: bcrypt hashing (never plain text)

  • Health data: Additional security in accordance with the GDPR

Architecture & Infrastructure

Processing layers

Layer       | Location          | Security
Input       | TLS 1.3 transit   | Validation, sanitization, authentication required
Processing  | Azure West Europe | Isolated environments, RBAC, AES-256 at rest
Output      | API endpoints     | OAuth 2.0, TLS 1.3, audit logging

AI/ML Components:

  • Risk Engine, Defend Agent, Churn Model, CLV, NBP

  • Every customer: Isolated processing environment

  • Data residency: 100% within the EU

Azure Data Center Security

Location: Western Europe (Amsterdam, Netherlands)

Infrastructure:

  • Biometric access controls

  • 24/7 physical surveillance

  • 99.99% availability SLA

  • ISO 27001, ISO 27017, ISO 27018 certified

  • GDPR & DORA compliant

Network:

  • Virtual Networks (VNets) with segmentation

  • Azure Firewall + Network Security Groups

  • DDoS Protection Standard

  • Private endpoints (no public exposure for databases)

  • Web Application Firewall (WAF) for APIs

Access Control

Role-Based Access Control (RBAC)

Principle: Least Privilege - minimum necessary access

Checks:

  • Quarterly access reviews

  • Just-In-Time (JIT) elevated access

  • Automated onboarding/offboarding

  • Individual user accounts (no shared credentials)

Multi-Factor Authentication (MFA)

Required for:
✓ All employees and administrators (100% enforcement)
✓ Production access
✓ Admin accounts (additional PIM controls)

Methods: Authenticator apps (TOTP), hardware tokens, biometrics

Identity Management

Platform: Azure Active Directory (Entra ID)

Features:

  • Single Sign-On (SSO) centralized identity management

  • Conditional access (location, device, risk-based)

  • Privileged Identity Management (PIM) for administrators

  • API keys with short expiration and rotation

Monitoring & Detection

24/7 Security Operations

Monitoring:

  • Platform: Azure Monitor + Azure Sentinel (SIEM)

  • Coverage: All resources, applications, network, user activity

  • Response time: <15 minutes for critical alerts

  • Logging retention: 1-7 years

Detected Events:

  • Failures in authentication

  • Unauthorized access attempts

  • Data exfiltration attempts

  • Malware/virus detection

  • Privilege escalation attempts

  • Anomalous behavior (UEBA)

Vulnerability & Patch Management

Scanning & Testing

Type                 | Frequency  | Tools
Vulnerability scans  | Weekly     | Azure Defender, Qualys
Penetration tests    | Annually   | External ethical hackers
Dependency scans     | Continuous | GitHub Dependabot
Code analysis (SAST) | Per commit | Automated

Patch Management SLAs

Response times:

  • Critical: <48 hours

  • High: <72 hours

  • Medium: <30 days

  • Low: <90 days

Process: Testing in staging → Controlled rollout → Rollback procedure available

Secure Development

Security Development Lifecycle

Development:

  • Threat modeling for new features

  • Secure coding standards (OWASP)

  • Mandatory peer code reviews

  • Static (SAST) and Dynamic (DAST) analysis

  • No credentials in code (Azure Key Vault)

API Security:

  • OAuth 2.0 / JWT authentication

  • Rate limiting (DDoS protection)

  • Strict input validation

  • API versioning and deprecation policy

Data Classification

Classification Levels

Level        | Examples             | Security
Public       | Marketing materials  | No restrictions
Internal     | Company info         | Access control, encryption
Confidential | Customer data        | MFA, encryption, audit logs
Restricted   | PII, financial, health | Additional approval, field-level encryption

Data Lifecycle

Minimization: Only collect what is necessary
Retention: Automatic deletion after retention period
Pseudonymization: Separation of identifiers where possible
Destruction: Cryptographic erasure within 30 days after retention

Incident Response

Data Breach Response

Timeline:

  • Detection: Real-time automated alerts

  • Assessment: Within 4 hours

  • Containment: Immediate isolation

  • Notification: the AP (Dutch Data Protection Authority) within 72 hours where required; affected individuals where the risk to them is high

Classification:

  • P1 (Critical): Data breach, ransomware, system compromise

  • P2 (High): Unauthorized access, vulnerability exploitation

  • P3 (Medium): Policy violations, suspicious activity

  • P4 (Low): Informational, no direct impact

→ Full details: Incident Response Plan

Compliance & Commitments

What You Can Expect

✓ Zero Trust Architecture
✓ Multiple security layers (Defense in Depth)
✓ 24/7 security monitoring
✓ <15 minute response time
✓ Regular security updates
✓ Transparent communication
✓ GDPR (AVG), DORA, ISO 27001 compliant

Your Responsibilities

  • Enable strong passwords and MFA

  • Revoke access upon termination of employment

  • Classify sensitive data correctly

  • Report suspicious activity

  • Provide security awareness training for users

Contact

Security questions and incidents:

📧 Email: onesurance
📱 24/7 Hotline: +31 (6) 13270144