Security & Trust

You are trusting PricePress with sensitive claim data — policyholder names, addresses, photographs, and the prices that go onto carrier-bound PDFs. We take that responsibility seriously.

Last Updated: April 30, 2026

How we protect your data

Encryption everywhere

All data is encrypted at rest using AES-256. All connections use TLS 1.2+ (TLS 1.3 by default). Authentication tokens, API keys, and webhook signing secrets are managed by our infrastructure providers using industry-standard key management. We never store full payment card data.

Tenant isolation by default

Every customer firm is logically isolated using Postgres Row Level Security. Each query is scoped to the authenticated user’s company. Photographic evidence is stored in a private bucket, accessible only via short-lived signed URLs (30-minute expiry). Cross-firm access is impossible by design.
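One way to implement the per-company scoping described above, as an added example that is not PricePress's own schema: the table, column, role and setting names (claims, company_id, pricepress_app, app.company_id) are assumptions.

```sql
-- Added example, not PricePress's schema. Assumed names: table claims,
-- column company_id, application role pricepress_app, and a per-request
-- setting app.company_id that the app sets after authenticating the user.

CREATE TABLE claims (
    id            bigserial PRIMARY KEY,
    company_id    uuid    NOT NULL,
    policyholder  text    NOT NULL,
    total_cents   bigint  NOT NULL
);

-- The app connects as a role that does not own the table. Owners bypass
-- RLS unless FORCE ROW LEVEL SECURITY is set; superusers and BYPASSRLS
-- roles always bypass it, so the app must never run as one of those.
CREATE ROLE pricepress_app LOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON claims TO pricepress_app;
GRANT USAGE, SELECT ON SEQUENCE claims_id_seq TO pricepress_app;

ALTER TABLE claims ENABLE ROW LEVEL SECURITY;
ALTER TABLE claims FORCE ROW LEVEL SECURITY;

-- One policy for all commands. USING filters rows that can be read,
-- updated or deleted; WITH CHECK rejects inserted/updated rows whose
-- company_id is not the caller's. NULLIF covers the unset case ('' or
-- NULL): the comparison becomes NULL, so an unscoped session sees no rows
-- and can write none, instead of erroring on a bad uuid cast.
CREATE POLICY company_isolation ON claims
    USING (company_id =
           NULLIF(current_setting('app.company_id', true), '')::uuid)
    WITH CHECK (company_id =
           NULLIF(current_setting('app.company_id', true), '')::uuid);

-- Per request (as pricepress_app). SET LOCAL ends with the transaction,
-- so a pooled connection cannot leak one firm's scope into the next
-- request. The UUIDs below are constructed placeholders.
BEGIN;
SET LOCAL app.company_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO claims (company_id, policyholder, total_cents)
    VALUES ('11111111-1111-1111-1111-111111111111', 'A. Example', 125000);
SELECT id, policyholder FROM claims;       -- only this firm's rows
-- Writing a row for another firm is rejected by WITH CHECK:
-- ERROR:  new row violates row-level security policy for table "claims"
INSERT INTO claims (company_id, policyholder, total_cents)
    VALUES ('22222222-2222-2222-2222-222222222222', 'B. Other', 9900);
ROLLBACK;
```

The same pattern applies to every tenant-owned table; a SELECT run without app.company_id set returns nothing, which is the safe default for a forgotten scope.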

Strong authentication

Password rules enforce minimum length, mixed case, numbers, and special characters. Email verification is required before account activation, and disposable email addresses are blocked. Multi-Factor Authentication (TOTP) is on the roadmap for all users.

Audit trail on every change

Material changes to claim line items are logged with timestamp, actor, and before/after values. Role changes, team invites, password resets, and other administrative actions are recorded. Audit logs are retained for 24 months.

Defence in depth

  • Rate limiting on authentication and other sensitive endpoints.
  • Webhook signature verification with replay protection.
  • AI inputs sanitised against prompt injection.
  • Content Security Policy and same-origin defaults block cross-site attacks.
  • All file uploads validated by type, size, and content.

What we don't do

  • We do not sell your data. Ever. To anyone.
  • We do not use your data for advertising, profiling, or targeting.
  • We do not use your data to train AI models. Where we use external AI services, we have explicitly opted out of training-data contribution.
  • We do not transmit personal data to retail pricing providers — only anonymised product descriptions and (for grocery items) ZIP codes.
  • We do not retain backup copies indefinitely. Backups age out per our infrastructure providers’ retention policies.

Compliance frameworks

PricePress aligns with:

  • Data Protection (Jersey) Law 2018 — our primary regulatory framework
  • NAIC Insurance Data Security Model Law — applicable to our customers and reflected in our security program
  • California Consumer Privacy Act (CCPA / CPRA) — for California residents’ rights
  • Colorado Privacy Act — for Colorado residents’ rights
  • General Data Protection Regulation (GDPR) — equivalent rights via DPJL alignment

Exercise data subject rights — access, correction, deletion, portability, restriction, objection — by contacting support@thepricepress.com. We respond within 30 days for DPJL/GDPR requests and 45 days for CCPA/CPA requests.

Breach notification — what we commit to

If a security incident affects your data:

  • Notify the Jersey Office of the Information Commissioner (JOIC) within 72 hours of becoming aware, where required.
  • Notify your firm’s Admin contact within 72 hours of confirmation.
  • Provide the information you need to satisfy your own NAIC and state-level notification obligations.
  • Follow up with a written post-incident report within 14 days.

Our full Incident Response Plan is documented internally and reviewed annually.

Sub-processors

PricePress works with a small set of trusted infrastructure providers, each bound by a Data Processing Agreement.

The complete and up-to-date list is at /subprocessors.

Reporting a security issue

We welcome reports from security researchers and members of the public who identify potential vulnerabilities.

  • Email: security@thepricepress.com
  • Acknowledgement window: within 5 business days
  • Safe harbour: good-faith research that complies with our Vulnerability Disclosure Policy is welcome and will not result in legal action
  • Recognition: Hall of Fame credit (with your permission); no paid bug bounty currently offered

Our full Vulnerability Disclosure Policy is at /security/disclosure.

What we are not (yet)

To set expectations honestly:

  • We are not currently SOC 2 Type II certified. We follow SOC 2 principles internally and use SOC 2-certified sub-processors, but we have not undergone the audit.
  • We are not currently ISO 27001 certified. Same reasoning.
  • We do not currently offer a paid bug bounty program. We acknowledge and credit researchers via our Hall of Fame.
  • We do not offer a customer-facing audit right beyond what is documented in our Data Processing Addendum.

If your firm requires SOC 2 / ISO 27001 attestation, please get in touch — we want to understand the demand and build accordingly.

Customer documents

Contact

General security questions

security@thepricepress.com
Within 5 business days

Vulnerability reports

security@thepricepress.com
Within 5 business days

DPA and procurement

legal@thepricepress.com
Within 5 business days
Within 1 business day

This page is updated whenever our security posture materially changes. Material changes are also reflected in our Privacy Policy.