Security Overview

Socotra is committed to providing a secure platform for modern insurance operations. Our security model is built to protect sensitive policyholder data, support enterprise governance, and align with industry best practices — all without compromising flexibility for development, configuration, and integration.

This section of the documentation provides a comprehensive look at the security architecture, features, and tools available to product owners, developers, and administrators across the platform.

Who Should Read This

This documentation is relevant to:

  • Security and compliance teams

  • Developers and system integrators

  • IT administrators and tenant operators

  • Product owners and data governance leads

Core Principles

We approach security with the following principles in mind:

  • Least Privilege by Default - Users should only be assigned permissions that are strictly necessary to complete their work.

  • Auditable and Transparent - Every significant system action is logged and traceable.

  • Configurable and Enforceable - Security controls are flexible enough to meet tenant-specific needs while maintaining baseline protections.

  • Defense in Depth - Multiple layers of controls, from authentication and encryption to data masking and anonymization.

Topics Covered

This section includes detailed documentation on the following topics:

  • Authentication and Identity - Overview of supported authentication methods, including native login, SSO, and Personal Access Tokens.

  • Role-Based Access Control (RBAC) - Tenant-specific roles and permissions to control access across UI, API, and data layers.

  • Comprehensive Permissions Listing - A complete overview of all available permissions in the Socotra Insurance Suite.

  • Personal Access Tokens - A secure alternative to password-based authentication for software integrations, scripts, and AI agents.

  • Audit Logging - Full visibility into changes made by users and automated processes for traceability and governance.

  • Secure Deployment - Guidance and tooling to ensure secure deployment of code and infrastructure across environments.

  • Encryption - Overview of encryption at rest and in transit, including encryption protocols and secrets management.

  • Password Policies - Configurable password policies, mandatory password policies, and best practices for password management.

  • Security Standards and Regulations - Security standards, certifications, and regulatory requirements that support your security obligations.

  • PCI Compliance Position Statement - Socotra’s position on PCI Compliance.

Next Steps

Start with Authentication and Identity, or skip directly to the areas most relevant to your team.

For any security-related support or inquiries, reach out to your Socotra representative or email security@socotra.com.

If you haven’t already done so, make sure you’re able to log into Socotra and set up Postman to use the Socotra API.