SECURITY APPROACH

Small scope.
Visible control.

The first pilot is designed to minimize access, preserve human authority, and keep a tested manual fallback. Security answers should be specific, current, and honest—not hidden behind a badge wall.

01

Minimize

Access only the inbox, policy fields, and users required by the written pilot scope. Public demonstrations use synthetic data.

02

Separate

Keep customer work away from the public demo and from other customer material. Use named accounts and least privilege.

03

Review

Require authorized agency staff to review every consequential output. Missing data and uncertainty become exceptions.

04

Revoke

Track access, define retention, and return or delete customer data and tokens when the engagement ends.

BEFORE CUSTOMER DATA

The access gate

  • Signed agreement and data authorization
  • Named executive sponsor and CSR reviewers
  • Approved systems, purpose, and access level
  • MFA and separate production credentials
  • Actual subprocessor disclosure
  • Retention and deletion decision
  • Incident contact and manual fallback
  • Licensed certificate/forms path confirmed
WHAT STAYS TRUE

Human judgment remains part of the system.

Automated checks are informational. They do not establish that coverage exists, authorize certificate issuance, or replace agency E&O procedures.

Ambiguous requests, missing insureds, apparent limit conflicts, and unavailable data are routed for review. A visible stop is preferable to a confident guess.

Current status

Karpenstein Consulting does not claim SOC 2 certification or a zero-incident guarantee. Production architecture and subprocessors are disclosed for the actual pilot before access is granted. Customer-specific security requirements are recorded in the agreement.

HAVE A SECURITY OR DATA QUESTION?

Ask before granting access.

Email Jamie