
Compliance

Security and trust, documented.

Quotely handles policies, client PII, and carrier credentials for independent agencies across 50 states + DC. Here's how we protect that data and where responsibilities sit.

SOC 2 posture

SOC 2 controls are implemented and audit-ready against the Trust Services Criteria CC6 (logical and physical access), CC7 (system operations), CC8 (change management) and the privacy criteria P1–P8. A formal SOC 2 examination has not yet been completed, so there is no independent auditor's report to share (SOC 2 is an attestation by a CPA firm, not a certification). Controls are mapped and evidenced internally, and the control documentation is available to prospective customers under NDA.

Data handling

  • Encryption in transit: TLS 1.2+ on every Quotely request, managed by Convex Cloud infrastructure.
  • Encryption at rest: Sensitive fields — including raw QUAD interaction traces and carrier credentials — are encrypted with AES-256-GCM before database write. Encryption keys are stored in Convex environment variables, never in the database, never in code, and never logged.
  • Authentication: sessions are managed by Clerk; every Convex mutation first calls ctx.auth.getUserIdentity() and rejects callers for whom it returns null (no valid session). Authorization beyond that point is the RBAC described below.
  • PII redaction: QUAD interaction traces pass through a redactor that removes Social Security Numbers, email addresses, phone numbers, dates of birth, street addresses, VINs, and policy numbers before analytical storage.
  • Data residency: US-region managed database.
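The redaction bullet above describes a redactor by the classes it removes. The block below is an added example of what such a pattern-based redactor looks like, written for this page and not taken from Quotely; every pattern, the class tokens, and the sample trace are assumptions (the policy-number prefixes in particular are invented, since formats differ by carrier, and customer names are not among the classes the page lists, so they are not covered here).

```javascript
// Added example: pattern-based redactor for the PII classes the page lists.
// Not Quotely's code. Every pattern here is an assumption; in particular the
// policy-number prefixes are invented, since formats differ by carrier.
const PII_PATTERNS = [
  // Order matters: SSN runs before PHONE so 123-45-6789 is consumed whole.
  ["SSN",     /\b\d{3}-\d{2}-\d{4}\b/g],
  ["EMAIL",   /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/g],
  ["PHONE",   /(?:\+1[-.\s]?)?\(?\b\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b/g],
  // US m/d/yyyy and ISO yyyy-mm-dd. ISO also matches the date part of
  // timestamps, so apply this to customer-facing text, not to log metadata.
  ["DOB",     /\b(?:\d{1,2}\/\d{1,2}\/\d{4}|\d{4}-\d{2}-\d{2})\b/g],
  ["VIN",     /\b[A-HJ-NPR-Z0-9]{17}\b/g],            // 17 chars, no I, O or Q
  ["ADDRESS", /\b\d{1,6}\s+(?:[A-Z][A-Za-z]*\s+){1,4}(?:St|Ave|Rd|Blvd|Dr|Ln|Way|Ct|Pl)\b\.?/g],
  ["POLICY",  /\b(?:POL|PC|HO|AU)-?\d{6,10}\b/g],      // assumed carrier prefixes
];

// Replace each match with a class token and count hits per class, so the
// analytical store keeps the shape of the conversation but none of the values.
function redact(text) {
  const counts = {};
  let out = text;
  for (const [label, re] of PII_PATTERNS) {
    out = out.replace(re, () => {
      counts[label] = (counts[label] || 0) + 1;
      return `[${label}]`;
    });
  }
  return { text: out, counts };
}

// Constructed sample trace (no real person, vehicle or policy).
const SAMPLE_TRACE = [
  "user: new quote, reach me at jane.doe@example.com or (555) 010-4477, DOB 03/14/1980",
  "user: SSN 123-45-6789, garaging address 742 Maple St, Springfield",
  "agent: VIN 1HGCM82633A004352 is on policy POL-00123456, renews 2024-06-01",
].join("\n");

// redact(SAMPLE_TRACE).text reads
//   user: new quote, reach me at [EMAIL] or [PHONE], DOB [DOB]
//   user: SSN [SSN], garaging address [ADDRESS], Springfield
//   agent: VIN [VIN] is on policy [POLICY], renews [DOB]
```

Two practical points the example surfaces: rule order matters (the SSN rule must run before the phone rule, or a fragment of the SSN survives as a phone-shaped token), and a generic date rule will also redact the renewal date on the last line, which is a false positive to accept or scope away depending on what the analytics need. Regex redaction is a floor, not a guarantee; free-text PII that does not follow a fixed shape passes through untouched.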

IVANS data handling

Quotely uses IVANS only for automated carrier policy downloads and monthly commission reconciliation. IVANS credentials are stored encrypted in the Quotely credential vault (AES-256-GCM) and are decrypted in-memory only during the scheduled sync. No IVANS credentials are stored in plaintext at rest or in logs. Policy data received from IVANS is written to your agency's scoped tables and is never cross-agency visible.

Carrier credential storage

Credentials for every carrier integration (TurboRater, IVANS, AMS, CRM, and individual carrier portals) are stored in the Quotely credential vault. Encryption is AES-256-GCM with a 96-bit IV, which must be unique for every encryption under a given key, and a 128-bit authentication tag that rejects any modification of the stored ciphertext. Keys are held in Convex environment variables and are never checked into source control. Credentials are decrypted only for the duration of an outbound API call to the associated carrier and are never returned to client code. Outside that in-memory window there is no code path that handles plaintext credentials: they are never persisted in plaintext and never logged.

Role-based access control (RBAC)

Quotely uses a 5-tier RBAC hierarchy enforced at every Convex query and mutation boundary:

  • Owner — agency principal. Full access plus billing and user administration.
  • Manager — operations lead. All agency data, no billing changes.
  • Producer — licensed producer. Own book of business plus assigned prospects.
  • CSR — customer service representative. Read/write on assigned customers; no pricing overrides.
  • Staff — support staff. Read-only by default; scoped write access per workflow.

Sensitive operations such as raw trace decryption and audit-log access are restricted to Owner and Manager roles and are immutably logged. Role changes are recorded with actor, target, before/after values, and timestamps.
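The guard order that "enforced at every Convex query and mutation boundary" implies, together with the agency-scoped isolation described under State compliance & privacy and the audited role change above, is shown below as an added example written for this page. It is not Quotely's code. ctx.auth.getUserIdentity() is Convex's real API; the ctx.db helpers (findMembership, setRole, appendAudit), ctx.now(), the table shapes and the user and agency ids are constructed stand-ins for the real database calls. Restricting role changes to Owner follows the page's placement of user administration under that role.

```javascript
// Added example: authorization guard and audited role change in the shape of a
// Convex mutation. Not Quotely's code. ctx.auth.getUserIdentity() is the real
// Convex API; ctx.db.findMembership / setRole / appendAudit, ctx.now() and the
// in-memory store below are constructed stand-ins for the real database calls.
const ROLE_RANK = { Staff: 0, CSR: 1, Producer: 2, Manager: 3, Owner: 4 };

// Step 1: authentication. A null identity means no valid Clerk session.
// Step 2: tenant scoping. The caller must hold a membership in the agency the
// request names; a valid user from another agency is rejected here, before any
// agency data is read.
async function requireMember(ctx, agencyId) {
  const identity = await ctx.auth.getUserIdentity();
  if (!identity) throw new Error("unauthenticated");
  const member = await ctx.db.findMembership(identity.subject, agencyId);
  if (!member) throw new Error("forbidden: not a member of this agency");
  return member;
}

// Step 3: role check against the 5-tier hierarchy.
async function requireRole(ctx, agencyId, minRole) {
  const member = await requireMember(ctx, agencyId);
  if (ROLE_RANK[member.role] < ROLE_RANK[minRole]) {
    throw new Error(`forbidden: requires ${minRole}`);
  }
  return member;
}

// Role changes are user administration, which the page assigns to Owner.
// The audit entry carries actor, target, before/after and timestamp and is
// appended, never updated.
async function changeRole(ctx, agencyId, targetUserId, newRole) {
  if (!(newRole in ROLE_RANK)) throw new Error(`unknown role ${newRole}`);
  const actor = await requireRole(ctx, agencyId, "Owner");
  const target = await ctx.db.findMembership(targetUserId, agencyId);
  if (!target) throw new Error("target is not a member of this agency");
  const before = target.role;
  await ctx.db.setRole(targetUserId, agencyId, newRole);
  await ctx.db.appendAudit({
    action: "role.change", agencyId,
    actorUserId: actor.userId, targetUserId,
    before, after: newRole, at: ctx.now(),
  });
  return { before, after: newRole };
}

// Constructed in-memory stand-in for the Convex context and tables.
function makeStore() {
  return {
    members: [
      { userId: "u_owner", agencyId: "agency_123", role: "Owner" },
      { userId: "u_csr",   agencyId: "agency_123", role: "CSR" },
      { userId: "u_other", agencyId: "agency_999", role: "Owner" },
    ],
    audit: [],
  };
}
function makeCtx(subject, store) {
  const find = (userId, agencyId) =>
    store.members.find((m) => m.userId === userId && m.agencyId === agencyId) || null;
  return {
    auth: { getUserIdentity: async () => (subject ? { subject } : null) },
    db: {
      findMembership: async (userId, agencyId) => find(userId, agencyId),
      setRole: async (userId, agencyId, role) => { find(userId, agencyId).role = role; },
      appendAudit: async (entry) => { store.audit.push(Object.freeze(entry)); },
    },
    now: () => 1700000000000,
  };
}

async function rejects(fn) {
  try { await fn(); return null; } catch (e) { return e.message; }
}

// The four outcomes a reviewer would want to see: anonymous, under-privileged,
// cross-tenant, and the one legitimate change with its audit record.
async function demo() {
  const store = makeStore();
  const anonDenied = await rejects(() => requireMember(makeCtx(null, store), "agency_123"));
  const csrDenied = await rejects(() => changeRole(makeCtx("u_csr", store), "agency_123", "u_owner", "Staff"));
  const crossTenantDenied = await rejects(() => changeRole(makeCtx("u_other", store), "agency_123", "u_csr", "Owner"));
  const promoted = await changeRole(makeCtx("u_owner", store), "agency_123", "u_csr", "Producer");
  return {
    anonDenied, csrDenied, crossTenantDenied, promoted,
    auditEntries: store.audit.length,
    finalRole: store.members.find((m) => m.userId === "u_csr").role,
  };
}
```

The order of the three checks is the substance: identity first, membership in the named agency second, role third. Doing the role comparison before the membership lookup, or looking up the caller's membership without the agencyId from the request, is how an Owner of one agency ends up administering another.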

State compliance & privacy

Quotely operates across all 50 US states plus the District of Columbia. Each agency retains ownership of its client privacy relationship — Quotely operates as the data processor on behalf of the agency, which is the data controller. Agency-level data isolation prevents cross-agency visibility by design: each query is scoped to the authenticated agency's tenant, and there is no administrative path that surfaces one agency's client data to another.

State-specific privacy disclosures (California CCPA/CPRA, Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, and subsequent state statutes) are satisfied through the agency's own privacy notice. Quotely supports the agency's compliance by providing data-subject request tooling, access logs, and deletion mechanisms on request.

Errors & omissions (E&O)

Quotely is an agency operations platform. Policy accuracy, carrier appointment compliance, state licensing, disclosure requirements, and all producer-side errors & omissions responsibilities remain the sole responsibility of the licensed agent and agency. Quotely does not underwrite, bind, or otherwise act as an insurance provider.

Contact

Compliance, security, and legal questions: legal@quotely.info. We respond to verified prospect inquiries under NDA for detailed control documentation.

Need documentation for an enterprise procurement review?

Request under NDA