Security & Compliance
Security and privacy are foundational to brokerage digitization. Insuraim employs multi-layer protection, access control, standardized data processes, and compliance frameworks to help teams operate in a controlled and safe environment.
Clear Roles & Boundaries
Insuraim is your technology and data infrastructure partner, not a competitor in business channels.
Business Model
Revenue comes mainly from SaaS subscriptions and implementation services. Pricing is transparent and corresponds to platform usage; we do not share in premiums or commissions.
Data & Business Boundaries
The platform processes client data only to fulfill contracted services, ensure security, and meet compliance requirements. We do not conduct independent retail business or third-party marketing based on platform data, nor do we trade client data.
Our Role Positioning
As an independent infrastructure provider, we focus on providing platforms and tools for brokerage firms and professional advisory teams, without participating in business matching or channel competition between institutions and end clients.
Data Governance & Legal Framework
Insuraim's design and operations are based on Hong Kong's Personal Data (Privacy) Ordinance (PDPO) and its six Data Protection Principles (DPPs), which cover purpose and manner of collection, accuracy and retention, use, security, openness, and data access and correction.
For cloud service scenarios, we refer to the PCPD's latest 'Guidance on Cloud Computing.' We assist institutions in fulfilling their responsibilities as 'Data Users' through contractual, technical, and organizational measures, such as defining data use, storage location, deletion arrangements, and logging.
- Clearly distinguish roles: Data User (Brokerage/IFA) vs. Data Processor (Insuraim)
- Specify data use, retention, deletion, and return mechanisms in contracts and DPAs
- Assist institutions in fulfilling obligations under DPP1–DPP6 (e.g. notification on collection under DPP1, data access and correction under DPP6)
Platform Security Controls
We refer to the PCPD's 'Guidance on Data Security Measures' and common cybersecurity practices in the HK insurance industry to build a multi-layered cloud security architecture.
Encryption & Transport
All traffic is encrypted in transit with HTTPS (TLS 1.2 or later); sensitive data (PII) is encrypted at rest with AES-256.
Multi-Tenant Isolation
Strict logical isolation architecture ensuring no tenant can access another's data.
Granular Access Control
RBAC-based permission model with field-level visibility control, applying the principle of least privilege.
Audit Logs
End-to-end logging of key operations (query, export, modify) to support traceability and audit.
Disaster Recovery
Real-time off-site data backup, designed for short recovery point and recovery time objectives (RPO/RTO) and validated through regular recovery drills.
Network Protection
Web Application Firewall (WAF) and DDoS protection to filter malicious traffic.
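The Multi-Tenant Isolation, Granular Access Control and Audit Logs entries above describe the controls in one sentence each. The following is an added example, not Insuraim's code, of how those three controls fit together in an application layer: a tenant check runs first, a per-role field allow-list then decides which fields of a client record are masked (query) or dropped (export), and every attempt, including denials, is appended to an audit record. Role names, field names and the sample record are assumptions made for illustration.

```python
# Added example, not Insuraim's code: tenant isolation check, field-level RBAC
# redaction, and an audit trail for query/export operations.
# Role names, field names and the sample record are assumptions for illustration.
from dataclasses import dataclass
from datetime import datetime, timezone

# Identifier fields every role may see (assumed).
BASE = {"tenant_id", "client_id"}

# Fields each role may see on a client record (assumed allow-lists).
# Anything not listed is masked or dropped: deny by default.
FIELD_POLICY = {
    "advisor":    BASE | {"name", "policy_no", "premium", "hkid", "phone"},
    "operations": BASE | {"name", "policy_no", "premium"},
    "analyst":    BASE | {"policy_no", "premium"},
}
MASK = "***"


@dataclass(frozen=True)
class Actor:
    user: str
    role: str
    tenant: str


@dataclass(frozen=True)
class AuditEvent:
    ts: str
    user: str
    role: str
    tenant: str
    action: str      # "query" or "export"
    record_id: str
    fields: tuple    # fields actually released to the actor
    outcome: str     # "ok" or "denied"


AUDIT_LOG = []  # append-only list of AuditEvent in this example


def _log(actor, action, record_id, fields, outcome):
    AUDIT_LOG.append(AuditEvent(
        datetime.now(timezone.utc).isoformat(), actor.user, actor.role,
        actor.tenant, action, record_id, tuple(sorted(fields)), outcome))


def _authorize(actor, record, action):
    """Tenant isolation first, then role lookup. Denials are logged as well."""
    if record["tenant_id"] != actor.tenant:
        _log(actor, action, record["client_id"], (), "denied")
        raise PermissionError("cross-tenant access")
    allowed = FIELD_POLICY.get(actor.role)
    if allowed is None:
        _log(actor, action, record["client_id"], (), "denied")
        raise PermissionError(f"unknown role {actor.role!r}")
    return allowed


def query(actor, record):
    """Screen view: keep the record shape, mask fields outside the allow-list."""
    allowed = _authorize(actor, record, "query")
    out = {k: (v if k in allowed else MASK) for k, v in record.items()}
    _log(actor, "query", record["client_id"], allowed & set(record), "ok")
    return out


def export(actor, record):
    """Export: drop non-visible fields entirely so masked values never leave."""
    allowed = _authorize(actor, record, "export")
    out = {k: v for k, v in record.items() if k in allowed}
    _log(actor, "export", record["client_id"], set(out), "ok")
    return out


# Constructed sample record with fictitious values.
SAMPLE = {
    "tenant_id": "broker-a", "client_id": "C-1001", "name": "Chan Tai Man",
    "policy_no": "P-778899", "premium": 12000, "hkid": "A123456(7)",
    "phone": "+852 9123 4567",
}

if __name__ == "__main__":
    print(query(Actor("ops1", "operations", "broker-a"), SAMPLE))
    print(export(Actor("an1", "analyst", "broker-a"), SAMPLE))
    try:
        query(Actor("x", "advisor", "broker-b"), SAMPLE)
    except PermissionError as e:
        print("denied:", e)
    for event in AUDIT_LOG:
        print(event)
```

The two release paths differ deliberately: an on-screen query keeps the record shape with masked placeholders so the UI stays consistent, while an export omits the fields altogether so a downloaded file carries no hint of what was withheld. The audit entry records the fields that were actually released, not the fields requested, which is what an auditor needs when tracing an export.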
Operations & Third-Party Management
In a cloud architecture, data protection is a 'Shared Responsibility.' We adopt the following practices:
No Default Access
Routine operations are performed without staff viewing client business data; no standing access is granted.
Controlled Access
If troubleshooting requires it, temporary access is enabled only with the client's authorization and is fully logged.
Vendor Due Diligence
Due diligence on cloud and security vendors, enforcing security and deletion obligations via contracts.
Regular Review
Regular review of service providers' compliance status and security reports.
Alignment with Regulations
We closely monitor and follow relevant regulatory guidelines.
- Personal Data (Privacy) Ordinance - Six Data Protection Principles (DPP)
- PCPD Guidelines on the use of Cloud Computing
- Insurance Authority (IA) Guideline on Cybersecurity (GL20) requirements
Need detailed compliance materials?
If you are an RO, Compliance Officer, IT, or Risk Manager, we can provide the 'Insuraim Security & Compliance Whitepaper' and a comparison mapping against PDPO, PCPD Cloud Guidelines, and IA GL20 to assist in your internal reporting.
Contact Us