Security
Effective Date: 11th February 2026
Last Modified: 11th February 2026
1. Our Commitment to Security
Longbow Insurance Technology processes sensitive insurance documents on behalf of customers. We take the security of this data seriously and implement appropriate technical and organisational measures to protect personal data and commercially sensitive information against unauthorised access, alteration, disclosure, or destruction. This Security Policy provides an overview of the measures we employ. It should be read alongside our Privacy Policy and Data Processing Agreement.
2. Infrastructure Security
Cloud Hosting: The Longbow platform is hosted on reputable, enterprise-grade cloud infrastructure providers that maintain industry-recognised certifications including ISO 27001, SOC 2 Type II, and compliance with the UK Government's Cyber Essentials requirements.
Network Security
• All external traffic is encrypted in transit using TLS 1.2 or higher
• Network segmentation isolates production environments from development and testing
• Web application firewalls (WAFs) protect against common attack vectors
• DDoS mitigation services are in place to maintain platform availability
Data Encryption
• Data at rest is encrypted using AES-256 or equivalent standards
• Data in transit is encrypted using TLS 1.2 or higher
• Encryption keys are managed using the key management services provided by our cloud infrastructure provider, with access restricted to authorised personnel
3. Application Security
Authentication and Access
• User authentication is secured with hashed and salted passwords
• Role-based access control (RBAC) ensures users can only access data and features relevant to their role
• The principle of least privilege is applied across all internal systems
• Session management includes automatic timeout and secure token handling
Secure Development
• Code is subject to peer review before deployment to production
• Dependency scanning identifies known vulnerabilities in third-party libraries
• Secrets management ensures credentials, API keys, and tokens are never hardcoded or stored in source code
4. AI Processing Security
Given that Longbow's core functionality involves AI processing of insurance documents, we apply specific controls to the AI pipeline.
• Documents are processed through secure, isolated pipeline stages (OCR, parsing, LLM extraction)
• Insurance document data sent to third-party AI subprocessors is transmitted over encrypted channels and subject to the data processing terms set out in our subprocessor agreements
• We do not use customer insurance document data to train general-purpose AI models
• AI subprocessors are selected based on their security posture, data handling practices, and compliance with applicable data protection law
• Processed data is stored in the customer's isolated environment and is not shared across customer accounts
5. Operational Security
Access Management
• Internal access to production systems and customer data is restricted to authorised personnel on a need-to-know basis
• Administrative access requires multi-factor authentication
• Access rights are reviewed regularly and revoked promptly when no longer required
Monitoring and Logging
• Audit logs capture platform access, data processing events, and administrative actions
• Logs are stored securely and retained for a minimum of 12 months
• Automated alerting is configured for suspicious activity and anomalous access patterns
Vulnerability Management
• Regular vulnerability scans are conducted across infrastructure and application layers
• Critical and high-severity vulnerabilities are prioritised for remediation
• Third-party dependencies are monitored for known security issues
6. Contact
For security-related enquiries or to report a security concern: info@longbowtech.co.uk