Designed for carrier IT security requirements.
Fnolwise processes first-notice-of-loss data including claimant PII, policy details, and in some lines, medical claim information. This page describes how we approach data handling, isolation, and compliance posture for P&C carrier IT security reviews.
How we handle claimant and carrier data
FNOL processing touches claimant PII, policy data from ISO PolicyServices, and in some property and auto lines, accident-scene and medical information. Our architecture is designed to contain that data within the originating carrier tenant.
Carrier-tenant isolation
Each carrier or TPA operates within a logically isolated tenant. Claimant records, triage outputs, and ISO lookup results are scoped to your tenant and are not accessible to other carrier tenants. Tenant boundaries are enforced at the application layer and at the data store layer.
Encryption at rest and in transit
All data is encrypted at rest using AES-256. All data in transit between your CMS (Guidewire ClaimCenter, Duck Creek, Insurity), ISO services, and Fnolwise is encrypted via TLS 1.2 or higher. We do not support unencrypted API connections in any environment, including pilot environments.
PII minimization
Fnolwise processes the claimant fields required for triage — name, contact, incident description, location, and relevant policy identifiers. We do not store Social Security numbers beyond what is required for ISO ClaimSearch lookup, and we do not use claimant data for model training or benchmarking purposes.
Data retention
Triage records are retained for the period specified in your carrier agreement, consistent with your state-of-domicile DOI record retention requirements. Default retention for pilot engagements is 90 days. On request, all data associated with your tenant can be purged following pilot conclusion.
Access controls and SSO
Fnolwise supports SAML 2.0 single sign-on for carrier admin portals. Role-based access controls allow your claims operations team to define which adjuster groups, supervisors, and IT administrators can access which triage output views. MFA is required for all admin-level access.
Penetration testing
We conduct annual third-party penetration tests against the Fnolwise platform, including API endpoints used by CMS integrations and ISO service connections. Findings and remediation timelines from the most recent test are available to prospective carrier IT security teams under NDA.
Regulatory and compliance framework
Fnolwise is designed with controls relevant to the regulatory context P&C carriers operate in. We describe our posture precisely: we do not characterize our design as certified where formal attestation has not been completed.
Designed for SOC 2 Type II controls
Fnolwise is designed with the AICPA Trust Services Criteria in mind — security, availability, and confidentiality. We are on a SOC 2 Type II audit roadmap with a target attestation date in 2026. Current controls documentation is available to carrier IT security teams on request. We do not currently hold a completed SOC 2 Type II report.
Designed with HIPAA-relevant controls for medical claim data
Some commercial auto and general liability claims processed through Fnolwise may involve protected health information (PHI) — particularly injury descriptions, medical bill summaries, or treatment information. Fnolwise is designed with HIPAA Security Rule controls for the technical safeguards relevant to PHI handling: access control, audit logging, transmission security, and integrity controls. We sign Business Associate Agreements (BAAs) with carriers who process PHI through our platform.
Regulatory context: DOI reasonable promptness requirements
Connecticut DOI Regulation 38a-816 establishes claim handling promptness standards for carriers domiciled or licensed in Connecticut. Fnolwise is designed to support carriers in meeting these standards by delivering triage decisions and coverage verification at intake rather than hours later. We do not represent this as a compliance guarantee — carrier obligations under 38a-816 rest with the carrier, and triage automation is one operational tool supporting timely handling. Similar standards in other states (Florida, Texas, Ohio, California) are also considered in our routing rule framework.
ISO ClaimSearch and PolicyServices data use
Access to ISO ClaimSearch and ISO PolicyServices is subject to Verisk Analytics subscriber agreements. Fnolwise operates as a technology platform that facilitates your existing ISO subscriber access — we do not independently subscribe to ISO services on behalf of carriers. Your ISO subscriber credentials and data use obligations under your Verisk agreement govern the ISO lookups performed during triage. We do not retain ISO ClaimSearch results beyond the triage session or share them across carrier tenants.
Vendor security assessment support
We complete carrier vendor risk assessment questionnaires (SIG, CAIQ, or carrier-proprietary formats) as part of the procurement process. We provide architecture diagrams, data flow documentation, and subprocessor lists to carrier IT security and procurement teams. For pilot engagements, we conduct a technical onboarding call with your IT security team before any data exchange begins.