Trust Center
Security and trust at Senior Simple
How we protect the agencies, agents, and Medicare beneficiaries who rely on our platform. Updated as our practices evolve — last reviewed July 2026.
HIPAA compliance
How we treat protected health information.
Senior Simple is built to support the Medicare brokerage workflow, which routinely touches sensitive client information. We operate the platform under HIPAA-aligned controls: encrypted transport, encrypted storage, role-based access, audit logging, and a Business Associate Agreement available to agencies on request.
Every infrastructure sub-processor that processes protected health information on our behalf is required to sign a Business Associate Agreement. Our detailed sub-processor list is available to customers and partners on request at security@seniorsimple.io.
PHI is never sent to third-party large-language-model providers. When AI features process client data, identifying fields are stripped server-side before any external call; linkage stays inside our boundary.
Security safeguards
The controls we have in place to protect your data.
Access control & unique user identification
Every user signs in with a unique identity. Access is role-based and least-privilege, and each agency's data is isolated from every other agency's at the database level.
In placeEncryption in transit
All data is encrypted in transit using TLS.
In placeEncryption at rest
All stored data is encrypted at rest by our database platform.
Provider-managedAudit controls
Every action that touches client data is recorded in an immutable audit trail, retained for seven years.
In placeAuthentication
Sign-in follows current NIST guidance, including screening passwords against known breach databases.
In placeAutomatic logoff
Sessions automatically time out after a period of inactivity.
In placeSecrets handling & log redaction
Secrets are redacted from logs at the write boundary, and application logs stay within our own infrastructure.
In placeAccess management & least privilege
Role-based access with per-agency isolation enforced on every request.
In placeFacility access controls
Data-center physical security, surveillance, and environmental controls are provided by our cloud platforms under their own HIPAA / SOC 2 programs.
Provider-managedMedia disposal & re-use
Secure disposal and sanitization of storage media.
Provider-managed
Security contact
Reach us with security questions or to report a vulnerability.
Email security@seniorsimple.io. We acknowledge security reports within one business day and coordinate disclosure with researchers in good faith.
Data residency
Where your data lives.
All customer data is stored and processed in data centers located in the United States — on Supabase (Postgres + Storage) and Vercel's US infrastructure. We do not host, replicate, or process customer data outside the United States.
Authorized Senior Simple personnel may remotely operate and support these US-based systems, and may occasionally do so from outside the United States, solely for administration, support, and incident response — always over secured, access-controlled connections (such as VPN or SASE) and under the minimum-necessary principle. Such remote access does not change where your data is stored or processed.
Status and incident history
Recent disruptions and our response.
No incidents reported in the trailing twelve months. A public status page is in development and will be linked here when available.