ThreadWise handles some of the most sensitive data a brokerage holds — named insureds, loss runs, premium, carrier relationships. We operate it the way a regulated brokerage would: dedicated environments, full audit trail, human approval on every client-facing output, and a strict commitment that your data is never used to train models.
Everything else in our security posture follows from these three. They were chosen because they are the things brokerage CIOs, principals, and risk committees ask about first — and because anything less would be unworkable for the data we handle.
Every customer gets a dedicated environment — not a shared tenant with logical partitions. Your data, your prompts, your workflows, your audit trail. Nothing commingled with anyone else's book of business.
Your submissions, policy documents, emails, carrier correspondence, and outputs are never used to train, fine-tune, or improve any model — ours or a provider's. This is contractual, not just a setting.
Every field extracted, every edit made, every approval given, every document sent — captured with the source, the actor, and a timestamp. Built for E&O defense and regulator inquiries, not just for us.
Industry-standard practices, applied rigorously. We won't surprise you with anything unusual here — and that's the point.
Each customer runs in an isolated environment with its own storage, compute, and access controls. No shared database, no shared vector store, no cross-tenant queries possible by design.
TLS 1.2+ for all traffic. AES-256 for data at rest. Keys managed through a dedicated KMS with regular rotation. Document uploads are encrypted before they land in storage.
SAML and OIDC single sign-on with your existing identity provider. SCIM provisioning for joiners, movers, leavers. Role-based permissions scoped to producer, principal, reviewer, and admin.
Your data is never used to train any model. It is never shared across customers. It never leaves your environment except through actions your team explicitly approves — like sending a proposal to a client or pushing data to your AMS.
Every extraction, every edit, every approval, every document sent. With source attribution, actor identity, and timestamps. Exportable for E&O defense, internal audit, and regulator requests.
Continuous monitoring for anomalous access and behavior. A documented incident response plan with defined customer notification timelines. Runbooks tested regularly, not just written.
The first question your E&O carrier will ask after an incident is "what did the AI do, and who approved it." ThreadWise answers both, for every action, for every workflow, for the life of the record.
Source document and page number for every extracted field. The model's initial output and every subsequent human edit. Who reviewed, who approved, who sent — and when. Carrier responses, client replies, and internal notes, all linked to the underlying submission.
Full audit export in structured formats. Search by producer, client, carrier, workflow, or date. Hand the record to your E&O carrier, your compliance team, or a regulator without reconstructing it from email threads and spreadsheets.
These aren't settings you have to enable or toggles buried in an admin panel. They are how ThreadWise is built.
Not our models. Not our providers' models. Not for product improvement, not for benchmarking, not for anything. This is written into every customer agreement and enforced at the infrastructure layer.
Your appetite library, your SOPs, your carrier history, your client list — none of it informs another customer's ThreadWise experience. Dedicated environments mean dedicated everything.
No auto-sent emails to clients or carriers. No auto-bound policies. No auto-filed claims. Every client-facing output waits for a human to review, edit, and approve before it leaves the platform.
Retention policies match your requirements and regulatory obligations, not ours. On contract termination, customer data is deleted on a documented schedule with a certificate of destruction on request.
Reports and evidence available under NDA to customers and prospects in active evaluation.
We've answered a lot of vendor security questionnaires. Come with your toughest questions — our security team joins the demo, and you'll leave with the SOC 2 report, subprocessor list, and DPIA template in hand.
Answers about how ThreadWise protects brokerage data, handles model training restrictions, and supports audit-ready operations.