Date last updated 2020-10-10
Kiwi Insurance Services, Inc. d/b/a Pilotbird (“Pilotbird”)
Security is one of the biggest considerations in everything we do. Pilotbird is governed by its internal Physical and Information Security Policies, a set of policies and procedures designed to keep Pilotbird data and customer data safe and to restrict use of this data to its authorized use. Pilotbird performs its own internal audits at regular intervals to ensure ongoing compliance. This disclosure is intended to provide further transparency about how we secure data and processes. If you have an interest in discussing the details, we can be reached at [email protected] to make arrangements.
We keep our data union safe by using high-grade encryption and the latest-generation anti-malware software. Only authorized software engineers have access to information necessary to perform their job duties, and when access is no longer needed, we make sure to remove it.
3. Security Program
We regularly audit every layer of security. We maintain security procedures designed to ensure information we own, license and process is not accessed by any unauthorized person or business. We use a variety of multi-level security systems to control access to our services and information products.
4. Network Security
We’ve partnered with Google Cloud Services to provide a secure and reliable cloud environment for our software. We use a combination of load balancers, firewalls, and VPNs to ensure that network access is restricted on an as-needed basis. We limit access to our production infrastructure and strongly authenticate that access.
All network communication in Pilotbird occurs over secure SSL/TLS. Our internal infrastructure rejects all packets sent on ports other than port 443 and redirects all unsecured port 80 requests over to port 443. We regularly audit the details of our implementation and the certificates that we serve.
In addition to SSL connections, automated data communication goes through additional encryption layers for enhanced security during transit and at rest for sensitive data.
5. Account Security
Pilotbird never stores your password in plaintext. All user passwords are stored using BCrypt2 with multiple rounds of hashing and a unique salt for each credential.
6. Data Storage
All user data is encrypted at rest with AES256-CBC. Decryption keys are stored on separate machines. None of Pilotbird’s internal servers and daemons are able to obtain plaintext data. Pilotbird’s infrastructure for storing, decrypting, and transmitting sensitive user data doesn’t share any credentials with Pilotbird’s primary services (API, website, etc.).
Our database backups and file storage encrypt everything at rest. Each customer is scoped to view only their data and no one else’s. Our database supports TLS/SSL (Transport Layer Security/Secure Sockets Layer) to encrypt all of the database’s network traffic. TLS/SSL ensures that database network traffic is only readable by the intended client.
We back up all customer content at least once daily. We do not utilize portable or removable media for backups. All backups are encrypted with AES-256.
Encryption at rest, when used in conjunction with transport encryption and our security policies that protect relevant accounts, passwords, and encryption keys, ensures compliance with security and privacy standards, including PII, HIPAA, PCI-DSS, and FERPA.
All Pilotbird-owned servers receive quarterly security updates, and intrusion detection systems monitor for all possible security incidents.
9. Operations Management
All code changes and application updates to our data systems are reviewed for security issues before use. Pilotbird separates development, testing, storing, and production environments in different engineering segments.