agencyEZ Security & Compliance

Our platform is a highly secured, private-cloud environment in Amazon Web Services (AWS) with 24-hour, 7-day-a-week access for employees, employers, agencies, and carriers.

AEZ Platform Security

How we keep our platform and customers secure.


SOC 2 and HIPAA Compliant

Our SOC 2 and HIPAA-compliant application uses a comprehensive proprietary framework that weaves into the underlying Server Security Infrastructure.

We use third-party compliance-monitoring software (Vanta) to maintain continued adherence to SOC 2.


Restricted Server Access

Key application infrastructure servers are hosted in a VPC environment with no public visibility. Access requires a private key file. Servers are further protected by a Web Application Firewall following OWASP guidelines to prevent security threats.


Information Services via Secure API

Our security architecture uses a stateless model that provides information services through a secured API. These services identify the user to guarantee that only information specific to that user is shown.


Multi-Factor Administrative Accounts

Our administrative AWS accounts are subject to multi-factor authentication upon every login via Google Authenticator. Our development and production sites are maintained independently.

Security and Compliance for agencyEZ

More about our platform’s security.


Site Registration

Site Registration allows users to set their authentication credentials. Admin users can register via an authorization link in an email initiated by another administrator.

Employee users can also register via an authorization link emailed by the employer or agency admin. Alternatively, users can self-identify directly on an employer-specific registration page.

When permitted, employees can use third-party social authentication sites to log in to


Site Access Recovery

Site Access Recovery allows users to reset their site login or password through an authorization code sent to their mobile phone or email. Authorization codes expire based on time limits.

A user account will be locked out after a finite number of unsuccessful log-in attempts.

All site access is logged and a history of user access is available in a report format.


Site Authentication

Site Authentication is available to all users through a central login page at Users can opt for Multi-Factor Authentication (MFA), in which case they are required to authenticate with a second factor every 30 days or whenever they change their device or browser. An employer can force all admin users or all employee users to use MFA.

Generally, we enable MFA for all admin users of carriers, agencies, and employers.

After the initial authentication, agencyEZ uses the encrypted JWT (JWE) token method, and every resource access call to the server is authenticated. The JWE token expires every 20 minutes, and the agencyEZ web app automatically obtains an updated token.

The system will log a user out due to inactivity. The idle period prior to logging out can be extended up to 10 minutes.


Password Maintenance

Our Password Maintenance protocol stores user passwords using the highest encryption standards; the encrypted passwords are non-reversible.

User-defined passwords must adhere to our password policy.

In addition, an admin user can attach a password to protect downloadable Excel reports.