BEVAYA

Trust and Security.

Trusted by leading P&C carriers, brokers, and TPAs
Our approach

Built for an industry where one wrong field has a downstream cost.

5+ years of clean SOC 2 Type 2 audits, no exceptions
99.9% production uptime across enterprise carrier workloads
0 security incidents or customer data breaches
3 of 5 of the top 5 U.S. P&C carriers trust Bevaya with their data
Security

Keep policyholder data safe from bad actors.

Bevaya is SOC 2 Type 2 attested, independently audited every year. All data is encrypted end-to-end with 256-bit AES, both in transit and at rest.

We perform annual penetration testing on production applications and quarterly access-control reviews across our systems.

Privacy

Your data is yours.
The boundary is real.

Each customer's data lives inside its own logical boundary on the platform. Customer data is never shared with another customer, and your data never appears as another customer's output.

Our privacy commitments are documented in our Privacy Policy.

Governance

Every decision is traceable.
Every action is logged.

Every workflow on the platform runs as a published, versioned flow. Only published versions execute in production. Role-based access control is enforced at organization, workspace, and project scope. Secrets are stored encrypted, masked in every UI view, and redacted from every run log.

Our patented human-in-the-loop review is the final governance layer: low-confidence work is routed to a human reviewer before any downstream action. Every review, edit, and approval is captured in an immutable audit log with actor, action, resource, and timestamp.

Responsible AI

Our commitment to Responsible AI.

Insurers must prioritize fairness and transparency to make unbiased, fact-based AI decisions. Bevaya simplifies this with an ethical AI framework built on eight core principles — ensuring explainable decisions, strong data protection, and ongoing improvement to maintain trust and compliance.

FAQ

Frequently asked questions.

Bevaya is SOC 2 Type 2 attested, independently audited every year against the Trust Services Criteria for Security, Availability, and Confidentiality. We perform annual penetration testing on production applications and quarterly access-control reviews across our systems.

Bevaya is hosted on Microsoft Azure, with select services running on Google Cloud Platform. Both providers hold their own enterprise-grade security attestations. Customer data is stored in US-based data centers with geographic redundancy across multiple availability zones.

No. Bevaya is SaaS only, by design. Our Azure-native architecture is the cloud most of our customers already trust for their other enterprise workloads.

All data is encrypted end-to-end with 256-bit AES. Data in transit is encrypted with TLS 1.2 or higher. Data at rest is encrypted on storage and disk using AES-256. User credentials are one-way hashed.

Through SSL-encrypted API calls with IP whitelisting. No tunnels or extra infrastructure to maintain on your side.

Role-based access control is enforced at organization, workspace, and project scope. Customer administrators manage their own team's access. Cross-scope access is denied by default. Access changes are logged immutably.

The AI never makes a final call on low-confidence work without a human reviewing it. The work item is routed to a human reviewer before any downstream system is touched. Every review, edit, and approval is captured in an immutable audit log.

Every workflow is a versioned, published flow. Only published versions execute in production. The version that ran on a work item is recorded with the rules and model that applied. Secrets are stored encrypted, masked in the UI, and redacted from run logs.

Bevaya targets 99.9%+ availability with geographically distributed infrastructure and redundancy across multiple Azure availability zones. The production environment is monitored 24/7 with automated alerting and on-call rotation. Specific service-level commitments are documented in the customer contract.

Production backups are taken daily and weekly across multiple Azure data centers. Backups are retained for up to 35 days during the contract term.

Bevaya runs a prioritized incident response protocol with prompt remediation, root-cause analysis, and direct customer communication. Affected customers are notified within the timeframes set in their contract.

Customer data is securely deleted following the retention period specified in the contract. Bevaya provides written confirmation of destruction. Production backups containing customer data are removed on the same schedule, within the 35-day retention window.

No vendor can. Compliance is your organization's obligation. What Bevaya provides are the controls that make it easier to meet: SOC 2 Type 2 attestation, immutable audit trails, role-based access, flow versioning, and patented human-in-the-loop.
