Trust · Security · Compliance

Auditable AI for regulated insurance.

Every carrier engagement inherits FPT Software's certified control environment and layers insurance-specific safeguards on top — SOC 2, ISO 27001, HIPAA, GDPR, EU AI Act, NAIC Model Bulletin, and SR 11-7 model risk. This page is maintained by FPTInsure to answer common security, privacy, and regulatory questions from carriers, reinsurers, and their auditors.

This page describes controls, alignment programs, and evidence available on request. It is not a certification, an audit opinion, or legal advice. Certifications listed as "FPT Software" are held by the parent delivery organization; engagement-level scope, responsibilities, and evidence are agreed in contract.

Shared responsibility

FPTInsure delivery

Secure SDLC, engineer identity & access, model development & validation artifacts, threat modeling, delivery-center controls under ISO 27001 + SOC 2.

Cloud & platform (AWS · Azure · GCP)

Physical security, hypervisor, region isolation, and platform certifications (SOC 2, ISO 27001/27017/27018, HIPAA-eligible services, C5, IRAP).

Carrier (customer)

Data classification, lawful basis, retention decisions, business-user access, and regulatory filings. We provide the artifacts; the carrier remains the controller.

Frameworks & regulations

What each framework requires and how FPTInsure applies it to insurance workloads.

LiveAlignedIn-flight

SOC 2 Type II

Security, Availability, Confidentiality
live
Delivered under FPT Software attestation

What: Independent audit of security, availability, and confidentiality controls over a 12-month observation window.

How we apply it: Client engagements inherit FPT Software's SOC 2 Type II control environment for delivery centers, identity, endpoint, change management, and vendor management. Engagement-specific controls (tenant isolation, data handling, key custody) are documented per program.

Evidence: Report available under NDA via the strategy team.

ISO/IEC 27001

Information Security Management
live
Certified — FPT Software

What: Certified information security management system covering policy, risk, asset, access, cryptography, operations, supplier and incident domains.

How we apply it: Delivery organization operates under the certified ISMS. Insurance engagements layer sector-specific controls: PII/PHI classification, claim-file handling, and reinsurance data-room segregation.

Evidence: Certificate + statement of applicability shared with procurement.

ISO/IEC 27701

Privacy Information Management
aligned
Aligned

What: Privacy extension to 27001 covering controller and processor obligations for personal data.

How we apply it: Engagement DPIAs, RoPA entries, and processor obligations are modeled on 27701. Applied to policyholder, claimant and broker-portal data flows.

Evidence: DPIA templates and processor addenda provided at contracting.

HIPAA

US health data (accident & health, workers' comp, disability)
live
BAA-ready

What: US Health Insurance Portability and Accountability Act — administrative, physical and technical safeguards for PHI.

How we apply it: Business Associate Agreements executed for A&H, workers' comp, and disability carriers. PHI is segregated in dedicated tenants with encryption at rest (AES-256) and in transit (TLS 1.2+), least-privilege IAM, and audit logging retained per BAA terms.

Evidence: Sample BAA, HIPAA security risk assessment, and control matrix on request.

GDPR + UK GDPR

EU / UK personal data
live
Live processor obligations

What: General Data Protection Regulation — lawful basis, data subject rights, cross-border transfers, breach notification.

How we apply it: EU personal data stays in EU regions by default. Standard Contractual Clauses (2021) + transfer impact assessments where cross-border processing is required. DSAR workflow, 72-hour breach notification runbook, and appointed EU representative through FPT Europe.

Evidence: DPA, SCCs, subprocessor list, and TIA available.

EU AI Act

High-risk AI systems in insurance
inflight
Alignment program — enforcement phasing through 2026-2027

What: EU regulation classifying insurance pricing, underwriting for life & health, and fraud/claims-decisioning AI as high-risk with obligations on data governance, transparency, human oversight, robustness and post-market monitoring.

How we apply it: Every high-risk AI Factory build ships with: a model card, data-governance record, human-in-the-loop design, logging suitable for post-market monitoring, conformity-assessment-ready technical documentation (Annex IV), and a fundamental-rights impact assessment where required.

Evidence: Model card + Annex IV technical file template provided per use case.

NAIC Model Bulletin on AI

US state insurance regulators
live
Aligned

What: NAIC Model Bulletin on the Use of AI Systems by Insurers — governance, risk management, third-party AI oversight, testing for bias, and documentation adopted (with variations) across US states.

How we apply it: AI governance framework mirrors the bulletin: board-visible AIS policy, inventory, pre-deployment testing (including disparate impact), ongoing monitoring, complaint handling, and third-party AI vendor due diligence — delivered as artifacts the carrier can put in front of a market conduct exam.

Evidence: Governance framework and testing report templates on request.

SR 11-7 / OCC 2011-12

US model risk management
live
Aligned

What: Federal Reserve / OCC supervisory guidance on Model Risk Management — development, implementation, use, validation, and governance of models.

How we apply it: Every deployed model gets a development document, independent validation (effective challenge), ongoing performance monitoring, an inventory entry, and defined ownership. Applied to pricing, reserving, catastrophe, and AI-driven underwriting/claims models.

Evidence: Model documentation and validation report samples provided under NDA.

PCI DSS 4.0

Cardholder data (premium payment flows)
aligned
Aligned via tokenized processors

What: Payment Card Industry Data Security Standard for storing, processing, or transmitting cardholder data.

How we apply it: We do not store PAN. Premium collection uses tokenized processors (Stripe / Adyen / carrier PSP of record); scope reduction is documented per deployment.

Evidence: Scope diagram and SAQ approach provided per engagement.

DORA

EU financial entities (reinsurance & (re)insurer ICT)
inflight
Alignment program

What: Digital Operational Resilience Act — ICT risk management, incident reporting, resilience testing, and third-party ICT provider oversight for EU financial entities.

How we apply it: Register of information for ICT services, contractual clauses per the DORA-mandated template, threat-led penetration testing support, and incident classification aligned to the DORA taxonomy.

Evidence: DORA contractual addendum and register-of-information template available.

Data residency

Where carrier data lives, and how cross-border processing is contracted. Residency is chosen per engagement — the defaults below cover most deployments.

RegionZonesResidency defaultPrimary use casesCross-border
European UnionFrankfurt, Dublin, ParisEU personal data stays in EU by defaultEU carriers, Lloyd's syndicates with EU cedents, reinsurersSCCs + TIA for any egress
United KingdomLondonUK GDPR residency for FCA-regulated entitiesLondon Market, Lloyd's, UK personal linesUK IDTA / UK Addendum to SCCs
United StatesVirginia (us-east), Oregon (us-west)US-only tenants for HIPAA-covered A&H, workers' compUS P&C, A&H, workers' comp carriersNo cross-border for PHI without explicit BAA amendment
CanadaMontreal, TorontoPIPEDA + Quebec Law 25 residencyCanadian federally-regulated insurers, Quebec carriersCross-border disclosure notice per Law 25
APACSingapore, Tokyo, SydneyIn-region for MAS, APRA CPS 234, and PDPA-scoped dataRegional carriers, Japan life, ANZ general insuranceLocal law overlays applied per jurisdiction
Vietnam (delivery)Hanoi, Ho Chi Minh City, Da NangDelivery centers — no production personal data residentEngineering, model dev on synthetic / anonymized data onlyAccess via zero-trust jump hosts; no local storage of client PII

Delivery access to production data (when required) is via zero-trust jump hosts, MFA, session recording, and short-lived credentials. Vietnam delivery centers do not store client production personal data at rest.

Controls snapshot

Identity & access

SSO (SAML/OIDC), MFA enforced, role-based access, quarterly access reviews, break-glass logged.

Encryption

AES-256 at rest, TLS 1.2+ in transit, customer-managed keys (BYOK) available on AWS/Azure/GCP.

Secrets & keys

Cloud KMS + HashiCorp Vault; no static secrets in code; rotation on schedule and on personnel change.

Monitoring & logging

Centralized SIEM, 24×7 SOC, model-inference logging suitable for EU AI Act post-market monitoring.

Vulnerability management

SAST/DAST/SCA in CI, quarterly external penetration tests, threat-led testing available for DORA scope.

Incident response

Documented IR runbook, 72-hour GDPR notification path, DORA taxonomy classification, carrier-specific escalation trees.

Model risk (SR 11-7)

Model inventory, development doc, independent validation, ongoing performance monitoring, defined owner per model.

AI governance

AI use-case register, pre-deployment bias & robustness testing, human-in-the-loop by design, model cards on every release.

Business continuity

Multi-region delivery, tested DR runbooks, RTO/RPO agreed per engagement.

Sub-processor register

The sub-processors we may use to deliver a carrier engagement. Carriers receive 30 days' notice of any material change and may object per the DPA. The register below is the default set — engagement-specific sub-processors are agreed in the order form.

Sub-processorPurposeDataLocation
Amazon Web ServicesPrimary cloud infrastructureCarrier tenant data (per residency)EU / UK / US / APAC per engagement
Microsoft AzureAlternative cloud + Azure OpenAICarrier tenant data (per residency)EU / UK / US / APAC per engagement
Google CloudAlternative cloud + Vertex AICarrier tenant data (per residency)EU / UK / US / APAC per engagement
DatabricksData & ML platform (where selected)De-identified / tenant dataDeployed in carrier's chosen cloud region
SnowflakeData warehouse (where selected)De-identified / tenant dataDeployed in carrier's chosen region
FPT.AISovereign LLM & speech (Vietnamese group entity)Prompt / audio per engagementFrankfurt, Singapore, Tokyo, or on-prem
HashiCorp (HCP Vault)Secrets managementEncryption keys, credentialsRegion-pinned per engagement
Okta / Microsoft EntraWorkforce identity (SSO/MFA)FPT staff identity onlyGlobal control plane
DatadogObservability & SIEMApplication logs, metrics (scrubbed)EU or US per engagement
Atlassian (Jira/Confluence)Delivery collaborationTicket metadata (no client PII)EU or US per engagement

Carrier-specific PAS/PSP vendors (Guidewire Cloud, Duck Creek, Stripe, Adyen, etc.) are controller-designated and appear on the engagement register rather than the default list.

Encryption & key management

Cryptographic controls carriers' InfoSec teams tend to ask about first.

At rest

AES-256 for all persistent stores (object storage, block volumes, managed databases, backups). Envelope encryption for tenant-scoped data.

In transit

TLS 1.2+ enforced, TLS 1.3 preferred. mTLS for service-to-service where the carrier requires it. Public endpoints ATS-compliant; HSTS enabled.

Key hierarchy

Root keys in cloud KMS (AWS KMS / Azure Key Vault / GCP KMS, FIPS 140-2 Level 2 HSMs). Data keys per tenant, rotated on schedule.

Customer-managed keys (BYOK)

Supported on AWS, Azure, and GCP for carriers that require external key custody. Carrier controls key lifecycle; revocation renders tenant unreadable.

Rotation

Automatic annual rotation for KMS root keys; per-tenant data keys rotated at least annually and on any personnel change with key access.

Secrets

HashiCorp Vault + cloud secrets manager. Zero static secrets in code or CI. Short-lived credentials for delivery access; break-glass audited.

Tokenization

PAN never stored — tokenized via Stripe/Adyen/carrier PSP. PII tokenization vault available for engagements that require it.

Backups

Encrypted with the same tenant key hierarchy. Region-pinned. Restore drills tested at least quarterly.

Incident response commitments

Timings and escalation paths carriers can put in their DPA and DORA register. Severity is agreed per engagement; the defaults below apply unless the order form specifies tighter.

EventDetection to acknowledgementCarrier notificationRegulator path
Sev-1 security incident (confirmed PII/PHI exposure)≤ 15 min (24×7 SOC)≤ 4 hours from confirmationGDPR: 72h controller notification supported. NYDFS Part 500: 72h. DORA major-incident: initial ≤ 4h, intermediate 72h, final 1 month.
Sev-1 availability incident≤ 15 min≤ 1 hourDORA operational-resilience log entry
Sev-2 (contained, no confirmed data exposure)≤ 30 min≤ 8 hoursLogged in engagement register; escalated on reclassification
Model incident (drift / fairness breach / material error)≤ 24 hours (monitoring alert)≤ 24 hoursEU AI Act post-market monitoring log; NAIC Bulletin material-incident record
Sub-processor incident affecting carrier dataOn notice from sub-processor≤ 24 hours from receiptPassthrough to controller regulatory clock

24×7 SOC operated under FPT Software's ISO 27001 ISMS. Documented IR runbook, tabletop exercises twice yearly, post-incident reviews shared with the carrier within 15 business days.

Audit & testing cadence

The recurring assurance activities carriers most often ask to see evidence of.

SOC 2 Type II

12-month observation window; report refreshed annually. Bridge letter provided between reporting periods.

ISO/IEC 27001 surveillance

Annual surveillance audit; recertification every three years. Statement of Applicability shared with procurement.

External penetration test

Quarterly on platform and web attack surface; annual on engagement-specific deployments; on-demand on material change.

Threat-led penetration test (TLPT)

Available for DORA-scoped carriers; scoped with the carrier's TLPT authority (TIBER-EU aligned where applicable).

Red-team & purple-team

Annual internal red-team; purple-team exercises with carrier SOCs on request.

Vulnerability scanning

Continuous SAST/DAST/SCA in CI; weekly external ASM scans; SLA-driven remediation (critical ≤ 7 days).

Model fairness re-testing

Quarterly per high-risk model; drift-triggered off-cycle. Reports feed the model review board.

Access reviews

Quarterly for privileged access; semi-annual for standard access. Break-glass reviewed monthly.

Business-continuity & DR drills

Annual full-scope; quarterly component-level. RTO/RPO evidence shared per engagement.

Contract & evidence artifacts

What procurement, InfoSec, privacy, and model risk teams typically request during diligence. Everything below is available under NDA; most are supplied in redline-ready form.

Privacy & data protection
  • Data Processing Agreement (controller ↔ processor)
  • EU SCCs (2021) — Modules 2 & 3, with UK Addendum
  • Transfer Impact Assessment template
  • DPIA support pack (templates + sample DPIAs)
  • RoPA entries for engagement scope
  • DSAR / data-subject request runbook
Security & operations
  • SOC 2 Type II report (under NDA)
  • ISO/IEC 27001 certificate + Statement of Applicability
  • Penetration test executive summary (annual)
  • Vulnerability management policy
  • Business continuity & DR plan summary
  • Sub-processor register + change-notice mechanism
Sector-specific
  • HIPAA BAA template + security risk assessment
  • PCI DSS scope diagram (tokenized flows)
  • DORA contractual addendum + register of information
  • NYDFS Part 500 control mapping
  • APRA CPS 234 responses (ANZ carriers)
  • MAS TRM / Outsourcing Notice responses (SG carriers)
AI & model risk
  • Model card (per production model)
  • EU AI Act Annex IV technical file
  • NAIC Model Bulletin control mapping
  • SR 11-7 model documentation + validation memo
  • Fairness / disparate-impact test report
  • Colorado SB21-169 testing plan (life carriers)

Request evidence

Procurement, InfoSec, or model-risk teams can request SOC 2 reports, ISO certificates, DPAs, SCCs, BAA templates, model validation samples, or a DORA / EU AI Act briefing.

Report a vulnerability responsibly at security@fptinsure.com — we acknowledge within one business day and coordinate disclosure.