agencyEZ Security & Compliance
Our platform is a highly secured, private-cloud environment in Amazon Web Services (AWS) with 24-hour, 7-day-a-week access for employees, employers, agencies, and carriers.
How we keep our platform and customers secure.
SOC 2 and HIPAA Compliant
Our SOC 2 and HIPAA-compliant application uses a comprehensive proprietary framework that is integrated with the underlying server security infrastructure.
Restricted Server Access
Key application infrastructure servers are hosted in a VPC environment with no public visibility. Access requires a private key file. Servers are further protected by a Web Application Firewall configured according to OWASP guidelines to block common web attacks.
Information Services via Secure API
Our security architecture uses a stateless model that provides information services through a secured API. These services establish the user’s identity so that only information belonging to that user is returned.
Multi-Factor Administrative Accounts
Our administrative AWS accounts are subject to multi-factor authentication upon every login via Google Authenticator. Our development and production sites are maintained independently.
More about our platform’s security.
Site Registration allows users to set their authentication credentials. Admin users register via an authorization link in an email initiated by another administrator.
Employee users can also register via an authorization link emailed by the employer or agency admin. Alternatively, employees can self-identify directly on an employer-specific registration page.
When permitted, employees can use third-party social authentication sites to log in to aezbenefits.com.
Site Access Recovery
Site Access Recovery allows users to reset their site login or password through an authorization code sent to their mobile phone or email. Authorization codes expire after a time limit.
A user account is locked after a set number of unsuccessful login attempts.
All site access is logged and a history of user access is available in a report format.
Site Authentication is available to all users through a central login page at aezbenefits.com. Users can opt in to Multi-Factor Authentication (MFA), in which case they must complete the second factor every 30 days or whenever they change their device or browser. An employer can require MFA for all admin users or all employee users.
Generally, we enable MFA for all admin users of carriers, agencies, and employers.
After the initial authentication, agencyEZ uses encrypted JWT (JWE) tokens: every resource-access call to the server is authenticated with the token. The JWE token expires every 20 minutes, and the agencyEZ web app automatically obtains an updated token.
The system will log a user out due to inactivity. The idle period prior to logging out can be extended up to 10 minutes.