Trust Center

Security and trust at Senior Simple

How we protect the agencies, agents, and Medicare beneficiaries who rely on our platform. Updated as our practices evolve — last reviewed July 2026.

HIPAA compliance

How we treat protected health information.

Senior Simple is built to support the Medicare brokerage workflow, which routinely touches sensitive client information. We operate the platform under HIPAA-aligned controls: encrypted transport, encrypted storage, role-based access, audit logging, and a Business Associate Agreement available to agencies on request.

Every infrastructure sub-processor that processes protected health information on our behalf is required to sign a Business Associate Agreement. Our detailed sub-processor list is available to customers and partners on request at security@seniorsimple.io.

PHI is never sent to third-party large-language-model providers. When AI features process client data, identifying fields are stripped server-side before any external call; linkage stays inside our boundary.

Security safeguards

The controls we have in place to protect your data.

  • Access control & unique user identification

    Every user signs in with a unique identity. Access is role-based and least-privilege, and each agency's data is isolated from every other agency's at the database level.

    In place
  • Encryption in transit

    All data is encrypted in transit using TLS.

    In place
  • Encryption at rest

    All stored data is encrypted at rest by our database platform.

    Provider-managed
  • Audit controls

    Every action that touches client data is recorded in an immutable audit trail, retained for seven years.

    In place
  • Authentication

    Sign-in follows current NIST guidance, including screening passwords against known breach databases.

    In place
  • Automatic logoff

    Sessions automatically time out after a period of inactivity.

    In place
  • Secrets handling & log redaction

    Secrets are redacted from logs at the write boundary, and application logs stay within our own infrastructure.

    In place
  • Access management & least privilege

    Role-based access with per-agency isolation enforced on every request.

    In place
  • Facility access controls

    Data-center physical security, surveillance, and environmental controls are provided by our cloud platforms under their own HIPAA / SOC 2 programs.

    Provider-managed
  • Media disposal & re-use

    Secure disposal and sanitization of storage media.

    Provider-managed

Security contact

Reach us with security questions or to report a vulnerability.

Email security@seniorsimple.io. We acknowledge security reports within one business day and coordinate disclosure with researchers in good faith.

Data residency

Where your data lives.

All customer data is stored and processed in data centers located in the United States — on Supabase (Postgres + Storage) and Vercel's US infrastructure. We do not host, replicate, or process customer data outside the United States.

Authorized Senior Simple personnel may remotely operate and support these US-based systems, and may occasionally do so from outside the United States, solely for administration, support, and incident response — always over secured, access-controlled connections (such as VPN or SASE) and under the minimum-necessary principle. Such remote access does not change where your data is stored or processed.

Status and incident history

Recent disruptions and our response.

No incidents reported in the trailing twelve months. A public status page is in development and will be linked here when available.