Security and data handling

Vendor security review

A plain-English summary for insurance broker teams reviewing how Advanced Underwriters handles client documents, access, retention, and standard source review.

Review summary

What a broker should know before uploading files

Use approved client documents

Only upload information your organization and client allow you to use for this work.

Remove information you do not need

Remove unnecessary Social Security numbers, dates of birth, license numbers, bank details, medical information, and similar personal data.

Confirm every batch

The app requires two confirmations before any selected file leaves the browser: authorization to use the files and removal of unnecessary personal information.

Employer approval still matters

These controls support safer use, but brokers still need their employer's approval and must follow applicable client, carrier, and company policies.

Current controls

How the service protects broker work

Data in transit

TLS encrypts data while it moves between a broker's browser and the service.

Stored data

Convex manages AES-256 encryption at rest for application data and stored broker files.

File access

Time-limited signed file links are created only when an authorized user needs to open a source file.

Workspace access

Organization membership and role checks protect client records and sensitive actions.

Upload integrity

Upload URLs are bound to the active organization, project, user, and upload session, then validated by the server.

Retention

Sensitive source files and related review data follow a 30-day retention and cleanup schedule.

Standard source review

Raw documents stay out of external AI review.

During standard source review, raw source documents are not sent to an external AI provider.

The service parses supported PDFs and spreadsheets, links reviewed values to the document, page, or worksheet, and keeps broker approval visible.

Service providers

Where each provider fits

Cloudflare

Serves the statically exported public site and security headers.

Convex

Provides authentication, server functions, application data, and protected file storage.

Resend

Delivers application email. Source documents are not sent through Resend.

Stripe

Handles billing. Source documents are not sent to Stripe.

GitHub

Hosts source code and CI workflows. Client source documents are not stored in the code repository.

Removal and retention

Removal ends access first, then cleanup completes.

Access to a removed source file ends immediately, and its source evidence becomes unavailable in the analysis.

Physical deletion from storage is queued. Non-sensitive audit records may remain so the service can retain an accountable record of the action without retaining the source-file contents.

Other sensitive source and review data follows the stated 30-day retention schedule.

Current limitations

What this page does not claim

Advanced Underwriters does not currently claim a third-party security certification, regulated health-data compliance, browser-to-recipient encryption, or an on-premise deployment option.

The service does not currently provide end-user MFA or SSO. Teams that require those controls should contact us before approving use.

Need a vendor review?

Send us your security questions.

[email protected]