Belong Benefits

Security & Trust

Last Updated: June 8, 2026

Our commitment

Belong Benefits helps insurance brokers turn benefit documents into clear, shareable guides for employees. That means we handle information brokers and their clients care deeply about — plan details, contact information, and the documents behind them. Protecting that data is foundational to the product, not an afterthought. This page describes the controls we have in place today.

SOC 2 Type II readiness is in progress. We are formalizing the policies and independent audit that accompany the technical controls described below.

Infrastructure & data protection

  • Encryption in transit: all traffic is served over HTTPS with TLS 1.2+. HTTP requests are redirected to HTTPS, and HSTS is enabled with preload.
  • Encryption at rest: databases and uploaded documents are encrypted at rest (AES-256) by our infrastructure providers.
  • Reputable, compliant infrastructure: we build on providers that maintain their own SOC 2 (and in several cases HIPAA/HITRUST) attestations — see Subprocessors below. Production data is hosted in the United States.
  • Secrets management: API keys and credentials are stored as environment secrets, never committed to source control, and never exposed to the browser.

Application security

  • Tenant isolation: every database query is scoped to the requesting organization. Brokers can only ever see their own clients, plans, and documents.
  • Authentication on every protected route: access to broker data requires an authenticated session; public benefit guides are gated by unguessable links and publish/expiry controls.
  • Input validation: all incoming requests are schema-validated before any data is processed, and all database access uses parameterized queries (no string-built SQL).
  • Hardened browser policy: a strict Content-Security-Policy, anti-clickjacking (frame-ancestors), MIME-sniffing protection, and a least-privilege Permissions-Policy are enforced on every response.
  • Rate limiting: public endpoints, including the assistant chat, are rate-limited per client to prevent abuse.
  • Automated enforcement: security rules (authorization, input validation, safe data handling) are checked automatically on every code change and must pass before anything ships.

AI & document handling

  • We use enterprise AI providers to extract plan data from documents and to power the employee-facing assistant. Content extracted from documents is sanitized before it reaches any AI prompt.
  • Your data is not used to train third-party foundation models. AI providers act as subprocessors under contract and process data only to deliver the service.
  • The assistant is scoped to a single published guide and cannot access other organizations’ or clients’ data.

Access control & monitoring

  • Least-privilege access: internal access to systems and customer data is limited to what a role requires.
  • Monitoring: application errors and anomalies are continuously monitored, with alerting for issues that could affect availability or integrity.
  • Incident response: we maintain a process to investigate, remediate, and — where required — notify customers of security incidents.

Compliance

Belong Benefits is actively pursuing SOC 2 Type II. The technical controls above are already in place; the remaining work is the formal policy program and independent audit. If you are evaluating us and need security documentation, a questionnaire completed, or a mutual NDA, contact us at jack.t@insaber.com.

Subprocessors

We use the following providers to deliver the service. Each maintains its own security program and compliance attestations.

  • Vercel — application hosting and delivery
  • Supabase — database and authentication
  • Cloudflare R2 — document and media storage
  • Anthropic — AI document extraction and assistant
  • OpenRouter — AI provider failover
  • Sentry — error monitoring
  • Inngest — background job processing
  • Resend — transactional email

Responsible disclosure

We welcome reports from security researchers. If you believe you have found a vulnerability, please email security@insaber.com with details and steps to reproduce. Please give us a reasonable opportunity to investigate and remediate before any public disclosure, and avoid accessing or modifying data that is not your own. Our disclosure policy is published at /.well-known/security.txt.

Contact

Questions about our security program? Reach out:

STS Ventures LLC (d/b/a Belong Benefits)
Austin, Texas
Email: jack.t@insaber.com
Website: hellobelong.com