SECURITY
Secure and compliant claims communication to protect your business
Gain Life's AI-powered claims communication platform offers enterprise-grade security and compliance controls that ensure your data remains protected.
Gain Life's information security policies and procedures are based on ISO 27001 and the NIST Cybersecurity Framework (CSF). Our information security policy has been reviewed by third-party auditors to ensure conformity with SOC 2 standards. We are committed to complying with the applicable laws and frameworks when handling client data, including but not limited to HIPAA, TCPA, and CAN-SPAM.
Both internal vulnerability scanning and third-party penetration tests are conducted periodically to assess our software and network for vulnerabilities, and findings are resolved within a defined timeline based on priority.
Gain Life encrypts all traffic in transit using current secure protocols and cipher suites (TLS 1.2 or later). Customer data at rest is encrypted using AES-256, with keys stored in an HSM-backed Key Management System, delivered to processes at boot time, and retained in memory only while in use.
Data is categorized and access-controlled at the URL and API call level using authentication, authorization, and entitlement mechanisms. A dedicated microservice validates each request against an ACL database. User access objects are created on the fly with the lowest permission level by default.
Gain Life requires that system inputs meet defined criteria so that inputs and their data are entered into the system correctly and processing integrity is maintained.
Gain Life has implemented the following system input controls to ensure that data inputs result in complete and accurate data:
- Edit checks for system inputs
- Input validations for system inputs
- Logging and monitoring of system inputs
- Access controls that ensure appropriate and authorized personnel are inputting data
Gain Life's AI-powered claims communication platform is designed for enterprise business, using Amazon Web Services Availability Zones to run multiple instances of each microservice across separate physical data centers. If one data center fails, the remaining instances continue to serve traffic without interruption. Our auto-healing technology monitors for stale or failed instances and replaces them automatically. Running microservices in containers allows us to scale by launching additional nodes in seconds during peak demand. Our infrastructure-as-code (IaC) approach enables us to deploy our entire infrastructure in under an hour in any of Amazon's regions, and we regularly test that switching between regions completes with no data loss.
We enforce strong password requirements and, where appropriate, offer multi-factor authentication and single sign-on (SSO). Firewall rules are established for inbound and outbound traffic to block unauthorized traffic from entering the network. A strict software development life cycle is in place in which code is scanned, tested, and reviewed and approved prior to release. Code is scanned to mitigate the OWASP Web Application Security Risks.
Employees who handle customer data complete security training annually and are required to review and adhere to our data handling security policies. Security awareness campaigns are run when events warrant notice, and internal phishing exercises are used to test employees' ability to recognize social engineering emails.