Security & Compliance
Isomer's security posture — SOC 2 Type II, single-tenant architecture, zero-credential design, and compliance alignment.
Isomer is built for insurance claims operations, where data is sensitive, regulatory exposure is real, and vendor security posture is a production blocker. This page covers Isomer's security architecture, certifications, and compliance alignment.
Full details are at isomer.ai/trust.
Certifications
SOC 2 Type II. Continuously monitored via Vanta. Audited controls across security, availability, and confidentiality. Available to prospects and customers under NDA.
Architecture
Single-tenant
Every customer runs on a dedicated processing pipeline. No data is commingled across tenants. Your claim graph, ingested documents, and signal history are isolated to your environment.
Zero-credential
Isomer connects to inboxes using OAuth 2.0 (Microsoft 365, Google Workspace). Isomer does not store customer passwords or persistent service-account credentials.
Access tokens are:
- Scoped to the minimum permissions required for inbox access
- Time-limited
- Revocable at any time from your identity provider
This eliminates the most common SaaS breach vector: leaked or stolen vendor-stored credentials. If you revoke access, Isomer's connection terminates immediately — no stored credentials remain.
Optional IP allowlisting is available for customers that want to restrict Isomer's access to known network ranges.
Encryption
- In transit — TLS 1.2 or higher on all connections.
- At rest — AES-256 encryption on all stored data.
AI and data handling
No training on customer data. Isomer holds Business Associate Agreements (BAAs) with every foundation model provider used in the platform. Each BAA includes contractual no-training terms and zero-day data retention — your claims data is not used to train external models.
Structured logic gates AI output. AI proposes; deterministic rules and human review authorize. No AI output causes a state change without passing through structured logic gates first. This eliminates hallucination-dependent decisions.
Fail-safe by design. Low-confidence detector firings route to human review rather than auto-executing. Uncertainty escalates; it does not silently pass through.
Full audit trail. Every AI call, signal evaluation, and action is logged with source evidence. The log is immutable and exportable.
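The gating and fail-safe pattern described above, as an added illustration that is not Isomer's code: an AI detector proposes an action with a confidence score and cited evidence, deterministic rules and a confidence threshold decide whether it may auto-execute or must go to human review, and every decision is written to an append-only, hash-chained log. The threshold, action names and rule set are hypothetical assumptions.

```python
import hashlib
import json
from dataclasses import dataclass

# Hypothetical values: the real threshold and action list are Isomer's and not shown on the page.
CONFIDENCE_THRESHOLD = 0.85
ALLOWED_ACTIONS = {"flag_litigation_risk", "request_missing_document"}

@dataclass(frozen=True)
class Proposal:  # what the AI detector proposes for a claim
    claim_id: str
    action: str
    confidence: float
    evidence: tuple  # source snippets the detector cites

class AuditLog:
    """Append-only log; each entry stores the hash of the previous one so tampering is detectable."""
    def __init__(self):
        self._entries = []

    def record(self, proposal: Proposal, decision: str, reason: str) -> None:
        prev = self._entries[-1]["hash"] if self._entries else "0" * 64
        body = {"claim_id": proposal.claim_id, "action": proposal.action,
                "confidence": proposal.confidence, "evidence": list(proposal.evidence),
                "decision": decision, "reason": reason, "prev": prev}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self._entries.append({**body, "hash": digest})

    def export(self) -> list:
        return [dict(e) for e in self._entries]  # copies only; no API to delete or rewrite

# Deterministic rules: each returns True when the proposal may proceed.
RULES = {
    "action_is_known": lambda p: p.action in ALLOWED_ACTIONS,
    "cites_evidence": lambda p: len(p.evidence) > 0,
}

def gate(proposal: Proposal, log: AuditLog) -> str:
    """'auto_execute' only if every rule passes and confidence is high; anything else escalates."""
    for name, rule in RULES.items():
        if not rule(proposal):
            log.record(proposal, "human_review", f"rule failed: {name}")
            return "human_review"
    if proposal.confidence < CONFIDENCE_THRESHOLD:
        log.record(proposal, "human_review", "low confidence")
        return "human_review"
    log.record(proposal, "auto_execute", "all gates passed")
    return "auto_execute"
```

Note that no path returns anything other than the two named outcomes: a proposal that fails a rule or falls below the threshold is never silently dropped, it is escalated and logged.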
PHI and BAA coverage
Isomer is BAA-ready for workflows that touch protected health information — Workers' Compensation, supplemental health, and any line of business where claims communications carry PHI. Contact your Isomer representative to execute a BAA.
Compliance alignment
| Framework | Status |
|---|---|
| NAIC Model Bulletin on AI Systems | Aligned |
| NIST AI RMF | Aligned |
| SOC 2 Type II | Certified |
| HIPAA / BAA | BAA-ready |
Governance model
Isomer's security approach operationalizes five production blockers that insurance buyers consistently raise:
| Concern | How Isomer addresses it |
|---|---|
| Control | Single-tenant architecture; OAuth with customer-revocable tokens |
| Visibility | Full audit trail on every action; Vanta-monitored controls |
| Auditability | Immutable logs with source evidence; exportable |
| Security | SOC 2 Type II; AES-256 at rest; TLS 1.2+ in transit |
| Testability | Structured logic gates; fail-safe routing; no silent AI execution |