Security

Root hosts platform data in AWS-managed data centers that have, among other things, been certified as ISO 27001, PCI-DSS and SOC2 compliant. AWS implements a number of measures to protect the logical and physical security of their data centers and managed cloud infrastructure.

Our network is protected by a range of key AWS security services, firewalls and other technologies that monitor and block known malicious traffic and network attacks.

All communications with the Root Insurance Platform and APIs are encrypted via industry standard HTTPS/TLS over public networks. This means that all traffic between our customers (and their personnel) and the Root Insurance Platform is secure during transit. All platform data is also encrypted at rest in AWS using AWS-256 key encryption.

Access to Root’s production infrastructure is limited to personnel on a need-to-know basis in line with the principle of least privilege. Employees accessing the Root Insurance Platform are required to use multiple factors of authentication.

Our software developers are required to be familiar with secure coding practices, including secure by design principles and the OWASP Top 10 security risks, and all code deployed to production is extensively peer-reviewed.  Development and staging environments are logically separated from the production environment.

We employ third-party security tooling to scan our platform and code against common web application security risks. Any discovered issues are remediated by our engineering teams. Root also utilises a host of monitoring software to identify and evaluate, among other things, system performance, security threats and unusual system activity.

Root maintains a public status page, which provides real-time platform and API availability details, notifications of scheduled or emergency maintenance, incident history and relevant security events. We highly recommend users subscribe to our statuspage for email notifications. Our robust backup regime allows us to deliver a high level of service availability.

Our disaster recovery and business continuity programs ensure that our services remain available as far as possible and are easily recoverable in the case of a disaster. We accomplish this by building a hardened technical environment and testing activities. 

Users are authenticated via individually assigned accounts and valid 2-factor authentication (2FA) token prior to being granted access to Root. Passwords must conform to our minimum password requirements.  We strongly encourage users to use a password manager and not share credentials.

By default, your data is hosted in a multi-tenanted AWS environment leveraging multiple availability zones to support high availability in infrastructure. You may, however, provision a private instance of the Root Insurance Platform in an AWS region of your choice. Please speak to your sales executive or Root contact for more information. 

Root has defined and thorough risk management processes to regularly identify and manage risks that may affect our ability to provide reliable services to our clients.

We have undergone a SOC2 Type 1 audit of our internal security controls. Our latest audit report is available on request to clients and under NDA. Please visit our Trust Center to access a copy of the report.