Security, Availability, Confidentiality
liveDelivered under FPT Software attestation
What: Independent audit of security, availability, and confidentiality controls over a 12-month observation window.
How we apply it: Client engagements inherit FPT Software's SOC 2 Type II control environment for delivery centers, identity, endpoint, change management, and vendor management. Engagement-specific controls (tenant isolation, data handling, key custody) are documented per program.
Evidence: Report available under NDA via the strategy team.
Information Security Management
liveCertified — FPT Software
What: Certified information security management system covering policy, risk, asset, access, cryptography, operations, supplier and incident domains.
How we apply it: Delivery organization operates under the certified ISMS. Insurance engagements layer sector-specific controls: PII/PHI classification, claim-file handling, and reinsurance data-room segregation.
Evidence: Certificate + statement of applicability shared with procurement.
Privacy Information Management
alignedAligned
What: Privacy extension to 27001 covering controller and processor obligations for personal data.
How we apply it: Engagement DPIAs, RoPA entries, and processor obligations are modeled on 27701. Applied to policyholder, claimant and broker-portal data flows.
Evidence: DPIA templates and processor addenda provided at contracting.
US health data (accident & health, workers' comp, disability)
liveBAA-ready
What: US Health Insurance Portability and Accountability Act — administrative, physical and technical safeguards for PHI.
How we apply it: Business Associate Agreements executed for A&H, workers' comp, and disability carriers. PHI is segregated in dedicated tenants with encryption at rest (AES-256) and in transit (TLS 1.2+), least-privilege IAM, and audit logging retained per BAA terms.
Evidence: Sample BAA, HIPAA security risk assessment, and control matrix on request.
Live processor obligations
What: General Data Protection Regulation — lawful basis, data subject rights, cross-border transfers, breach notification.
How we apply it: EU personal data stays in EU regions by default. Standard Contractual Clauses (2021) + transfer impact assessments where cross-border processing is required. DSAR workflow, 72-hour breach notification runbook, and appointed EU representative through FPT Europe.
Evidence: DPA, SCCs, subprocessor list, and TIA available.
High-risk AI systems in insurance
inflightAlignment program — enforcement phasing through 2026-2027
What: EU regulation classifying insurance pricing, underwriting for life & health, and fraud/claims-decisioning AI as high-risk with obligations on data governance, transparency, human oversight, robustness and post-market monitoring.
How we apply it: Every high-risk AI Factory build ships with: a model card, data-governance record, human-in-the-loop design, logging suitable for post-market monitoring, conformity-assessment-ready technical documentation (Annex IV), and a fundamental-rights impact assessment where required.
Evidence: Model card + Annex IV technical file template provided per use case.
US state insurance regulators
liveAligned
What: NAIC Model Bulletin on the Use of AI Systems by Insurers — governance, risk management, third-party AI oversight, testing for bias, and documentation adopted (with variations) across US states.
How we apply it: AI governance framework mirrors the bulletin: board-visible AIS policy, inventory, pre-deployment testing (including disparate impact), ongoing monitoring, complaint handling, and third-party AI vendor due diligence — delivered as artifacts the carrier can put in front of a market conduct exam.
Evidence: Governance framework and testing report templates on request.
Aligned
What: Federal Reserve / OCC supervisory guidance on Model Risk Management — development, implementation, use, validation, and governance of models.
How we apply it: Every deployed model gets a development document, independent validation (effective challenge), ongoing performance monitoring, an inventory entry, and defined ownership. Applied to pricing, reserving, catastrophe, and AI-driven underwriting/claims models.
Evidence: Model documentation and validation report samples provided under NDA.
Cardholder data (premium payment flows)
alignedAligned via tokenized processors
What: Payment Card Industry Data Security Standard for storing, processing, or transmitting cardholder data.
How we apply it: We do not store PAN. Premium collection uses tokenized processors (Stripe / Adyen / carrier PSP of record); scope reduction is documented per deployment.
Evidence: Scope diagram and SAQ approach provided per engagement.
EU financial entities (reinsurance & (re)insurer ICT)
inflightAlignment program
What: Digital Operational Resilience Act — ICT risk management, incident reporting, resilience testing, and third-party ICT provider oversight for EU financial entities.
How we apply it: Register of information for ICT services, contractual clauses per the DORA-mandated template, threat-led penetration testing support, and incident classification aligned to the DORA taxonomy.
Evidence: DORA contractual addendum and register-of-information template available.