Security & Trust

Security & Data Governance

Perilarc is designed with the data handling requirements of commercial P&C carriers and MGAs in mind — including submission PII, proprietary appetite rules, and carrier data isolation.

Data Protection

Security controls built for carrier-grade workloads

Commercial underwriting workflows handle applicant PII, proprietary appetite configurations, and carrier risk data. Perilarc is designed with these requirements from the ground up.

Encryption at Rest

Submission data, appetite configurations, and risk score outputs are encrypted at rest using AES-256. This applies to all stored records including ACORD form content and derived signals.

Encryption in Transit

All data transmitted between Perilarc components and client systems uses TLS 1.3. This includes API connections to Verisk PolicyAnalytics, LexisNexis C.L.U.E. Commercial, ISO PolicyServices, and policy system integrations.

Carrier-Tenant Isolation

Each carrier or MGA deployment operates in a logically isolated environment. Appetite rules, submission queues, risk scores, and audit logs are segregated by tenant. Cross-tenant data access is not permitted by design.

Submission PII Handling

ACORD submissions contain applicant PII including business addresses, officer names, and loss history references. Perilarc processes this data in accordance with our data handling policy and retains it only for the duration necessary to complete the triage and scoring workflow.

Audit Log Completeness

Every appetite configuration change, score computation, and routing decision is logged with timestamp, user, and justification. Logs are immutable and exportable for carrier audit trail requirements.

NY DFS Cybersecurity Awareness

Perilarc is designed with awareness of NY DFS 23 NYCRR 500 cybersecurity requirements applicable to regulated financial entities operating in New York. We document our controls to support carriers' own 23 NYCRR 500 compliance programs.

Regulatory Awareness

Insurance data privacy — GLBA and state insurance regulations

Commercial P&C carriers and MGAs are subject to the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule requirements for protecting consumer financial information. State insurance regulators — including those following the NAIC Model Privacy Act framework — impose additional requirements on the handling of non-public personal information collected during the underwriting process.

Perilarc is designed with these requirements in mind. We do not share applicant data with third parties beyond the data vendors explicitly authorized in your configuration (Verisk, LexisNexis, ISO). Our data handling practices are documented and available to carrier compliance teams on request.

We make no claim that use of Perilarc alone satisfies your GLBA Safeguards Rule obligations or state privacy requirements — those determinations rest with your compliance and legal teams. We provide documentation to support your assessment.

Regulatory frameworks we design with in mind

GLBA Safeguards Rule (16 CFR Part 314): Financial institution data protection requirements for consumer NPI
NAIC Model Privacy Act / Insurance Information and Privacy Protection Act: State insurance privacy frameworks governing NPI collection and disclosure
NY DFS 23 NYCRR 500: Cybersecurity requirements for NY-regulated financial services companies
State insurance data security laws (NAIC model): Information security programs required for licensed carriers in adopting states

Perilarc is designed with awareness of these frameworks. We are not your compliance counsel. Regulatory determinations for your organization require your own legal and compliance team review.

SOC 2 Program

SOC 2 controls roadmap

Perilarc is built with SOC 2 controls in mind. Our control framework addresses the Security, Availability, and Confidentiality trust service criteria relevant to commercial underwriting data.

Completed
Internal control framework implementation

Access controls, change management procedures, incident response plan, and logging infrastructure aligned to SOC 2 Security criteria. Internal policy documentation complete.

In Progress
Observation period & evidence collection

Accumulating evidence for the SOC 2 observation period. Control effectiveness testing underway across Security and Confidentiality criteria. Audit log reviews, access provisioning records, and vendor risk assessments in scope.

Planned
SOC 2 Type II audit engagement

Formal SOC 2 Type II audit scheduled with an independent CPA firm. The audit will cover the Security, Availability, and Confidentiality trust service criteria applicable to carrier and MGA data. Report expected to be available to qualified prospects under NDA upon completion.

Perilarc is designed with SOC 2 controls in mind. We are not currently SOC 2 Type II certified. Prospective carrier and MGA clients requiring security documentation prior to the report's availability can request our security questionnaire responses and control narratives through the pilot inquiry process.

Request security documentation

Carrier compliance teams and procurement security reviewers can request our security questionnaire responses, control narratives, and data handling documentation through our pilot inquiry form.