Security and Trust
Monark handles sensitive benefits data on behalf of brokers, carriers, and employers. Security isn't an afterthought — it's built into every layer of the platform.
This page answers the most common questions about how Monark protects your data.
Is Monark HIPAA-compliant?
Yes. HIPAA has no formal certification, so in practice this means two things: Monark runs on infrastructure that is HIPAA-eligible under a Business Associate Agreement (BAA) and whose providers hold SOC 2 Type II and ISO 27001 certifications, and Monark operates under BAA coverage across its entire infrastructure stack.
Is my data encrypted?
Yes — at every layer.
- In transit: All data transmitted to and from Monark is encrypted using TLS 1.2 or higher. This applies to every connection — internal, external, and every third-party integration. No exceptions.
- At rest: All data stored in Monark — including proposal attachments, census data, and documents — is encrypted using AES-256 encryption.
- Sessions: User sessions are encrypted and time-limited. Even if a session token is compromised, it grants only the permissions of the user it belongs to, scoped to that user's organization, and cannot be used to escalate privileges.
How does login work — is it secure?
Monark uses passwordless authentication via magic links. There are no passwords to steal, guess, or reuse.
This means Monark never stores, transmits, or validates a password, which removes the attack classes behind many SaaS breaches: credential stuffing, brute force, and password reuse.
Each magic link carries a cryptographically protected token that is bound to the recipient's email address and expires automatically after a set period.
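The following is an added illustration of the magic-link pattern described above; it is example code written for this page, not Monark's implementation, and it assumes an in-memory store, a 15-minute lifetime, and that each link is single-use (standard practice, though the page does not state it). The server keeps only a hash of the token, binds it to the normalised email address, and rejects a reused, expired, or wrongly addressed link with the same indistinguishable failure.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class PendingLink:
    """Server-side record of an issued link. Only the token's hash is kept,
    so a leaked table does not yield usable login links."""
    email: str
    expires_at: float
    used: bool = False


class MagicLinkService:
    def __init__(self, ttl_seconds: int = 900,
                 clock: Optional[Callable[[], float]] = None) -> None:
        self.ttl = ttl_seconds
        self.clock = clock or time.time            # injectable for tests
        self._links: Dict[str, PendingLink] = {}   # keyed by sha256(token)

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email: str) -> str:
        """Create a link token for `email`. The raw token goes into the email;
        only its hash, the bound address and an expiry are stored."""
        token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self._links[self._hash(token)] = PendingLink(
            email=email.strip().lower(), expires_at=self.clock() + self.ttl)
        return token

    def redeem(self, email: str, token: str) -> bool:
        """Accept the token at most once, only before expiry, and only for the
        address it was issued to. Every failure path returns a plain False."""
        link = self._links.get(self._hash(token))
        if link is None:
            return False
        if link.used or self.clock() > link.expires_at:
            return False
        if not hmac.compare_digest(link.email.encode("utf-8"),
                                   email.strip().lower().encode("utf-8")):
            return False
        link.used = True                           # burn before granting access
        return True


def demo() -> Dict[str, bool]:
    """Constructed walkthrough with a fake clock; returns each outcome."""
    now = [1_700_000_000.0]
    svc = MagicLinkService(ttl_seconds=900, clock=lambda: now[0])

    token = svc.issue("broker@example.com")
    wrong_email = svc.redeem("intruder@example.com", token)  # bound to another address
    accepted = svc.redeem("Broker@example.com", token)       # case-normalised match
    replayed = svc.redeem("broker@example.com", token)       # already used

    token2 = svc.issue("broker@example.com")
    now[0] += 901                                            # past the 15-minute TTL
    expired = svc.redeem("broker@example.com", token2)

    return {"wrong_email": wrong_email, "accepted": accepted,
            "replayed": replayed, "expired": expired}


if __name__ == "__main__":
    print(demo())
```

Because the link is the credential, whoever controls the mailbox controls the login; the short lifetime and single-use check bound the window in which a forwarded or intercepted link is useful.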
Can one broker agency see another agency's data?
No. Every broker agency on Monark is completely isolated. Your accounts, groups, proposals, census data, quotes, and team members are never visible to any other organization on the platform. Access controls are enforced at the server level on every request — not just in the user interface.
Can carrier reps see other carriers' offers or my clients' data?
No. Carrier representatives can only see:
- RFPs that have been explicitly sent to them by a broker
- Their own submitted offers
Carrier reps cannot see competing offers, broker account details, proposal contents, or individual employee data. They only see group-level census summaries — never individual member records.
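The two access rules above (agency isolation and the narrow view granted to carrier reps) are shown below as a server-side authorization check. This is an added example written for this page, not Monark's code; the roles, field names and constructed RFP data are assumptions. The point it demonstrates is that the principal comes from the authenticated session, every read is filtered by that principal before anything is serialised, and a foreign object returns "not found" rather than a distinguishable "forbidden".

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Principal:
    """Identity taken from the authenticated session, never from the request body."""
    user_id: str
    role: str        # "broker" or "carrier_rep"
    org_id: str      # broker agency id, or carrier id for a carrier rep


@dataclass
class RFP:
    rfp_id: str
    owner_agency: str
    sent_to: Set[str] = field(default_factory=set)        # carrier ids it was sent to
    census_summary: Dict[str, int] = field(default_factory=dict)
    members: List[Dict[str, str]] = field(default_factory=list)  # individual records


@dataclass
class Offer:
    offer_id: str
    rfp_id: str
    carrier_id: str
    monthly_premium: float


def can_view_rfp(p: Principal, rfp: RFP) -> bool:
    if p.role == "broker":
        return rfp.owner_agency == p.org_id            # agency isolation
    if p.role == "carrier_rep":
        return p.org_id in rfp.sent_to                 # only RFPs explicitly sent to them
    return False                                       # unknown role: deny by default


def can_view_offer(p: Principal, rfp: RFP, offer: Offer) -> bool:
    if offer.rfp_id != rfp.rfp_id or not can_view_rfp(p, rfp):
        return False
    if p.role == "broker":
        return True                                    # owning agency sees every offer
    return offer.carrier_id == p.org_id                # reps see only their own


def get_rfp(p: Principal, rfp: RFP) -> Optional[dict]:
    """Server-side projection. None maps to 404, so a foreign id is
    indistinguishable from a non-existent one. Carrier reps receive the
    group-level summary only; member records are never serialised for them."""
    if not can_view_rfp(p, rfp):
        return None
    view = {"rfp_id": rfp.rfp_id, "census_summary": dict(rfp.census_summary)}
    if p.role == "broker":
        view["members"] = list(rfp.members)
    return view


def list_offers(p: Principal, rfp: RFP, offers: List[Offer]) -> List[str]:
    """Filter applied on the server for every request, not in the UI."""
    return [o.offer_id for o in offers if can_view_offer(p, rfp, o)]


def demo() -> dict:
    """Constructed data: two agencies, three carriers, one RFP sent to two of them."""
    broker_a = Principal("u1", "broker", "agency-A")
    broker_b = Principal("u2", "broker", "agency-B")
    rep_x = Principal("u3", "carrier_rep", "carrier-X")
    rep_y = Principal("u4", "carrier_rep", "carrier-Y")

    rfp = RFP("rfp-1", "agency-A", sent_to={"carrier-X", "carrier-Z"},
              census_summary={"employees": 42, "dependents": 57},
              members=[{"name": "J. Doe", "dob": "1980-01-01", "zip": "02139"}])
    offers = [Offer("off-1", "rfp-1", "carrier-X", 412.50),
              Offer("off-2", "rfp-1", "carrier-Z", 398.00)]

    return {
        "broker_a_sees_members": "members" in (get_rfp(broker_a, rfp) or {}),
        "broker_b_gets_rfp": get_rfp(broker_b, rfp),       # other agency: not found
        "rep_x_view": get_rfp(rep_x, rfp),                 # summary only, no members
        "rep_y_gets_rfp": get_rfp(rep_y, rfp),             # never sent to Y: not found
        "rep_x_offers": list_offers(rep_x, rfp, offers),   # own offer only
        "broker_a_offers": list_offers(broker_a, rfp, offers),
    }


if __name__ == "__main__":
    print(demo())
```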
What data does Monark collect?
Monark collects only what is necessary to support the quoting and benefits workflow:
- Employee and dependent demographics (name, date of birth, ZIP code, relationship)
- Employment data (job class, coverage tier)
- Current coverage names (for renewals)
Monark does not collect or store:
- Claims history
- Clinical data or diagnoses
- Prescription information
- Social Security Numbers
- Biometric data
Minimum-necessary data collection is both a compliance principle and a product design decision.
How is AI used in Monark — and is it safe?
Monark uses AI in a narrow, well-defined way: to extract and structure data from carrier PDFs and Excel files, saving brokers time on manual data entry.
Importantly:
- AI is never used to make eligibility decisions, calculate rates, or answer compliance questions
- Every AI extraction is reviewed by the broker in a human-review interface before anything is saved
- All AI processing occurs under BAA-covered infrastructure
- Final quote math, contribution calculations, and ACA rules are handled by deterministic, audited code — not AI
Is there an audit trail of activity?
Yes. Monark maintains detailed audit logs for all high-risk actions, including:
- Quote creation, updates, and status changes
- Plan additions and removals
- Contribution changes
- Document access
All logs capture the user, timestamp, IP address, and a before/after record of what changed.
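As an added example of the before/after audit record described above (written for this page, not Monark's logging code; the action names, resource ids and sample quote data are constructed), the block below computes a field-level diff of the object before and after a high-risk action and appends one JSON line carrying the user, timestamp, client IP and the changed fields. A create is recorded with `before=None`, a delete with `after=None`, and a pure access event with no change still produces an entry.

```python
import json
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional

Record = Dict[str, Any]


def field_diff(before: Optional[Record], after: Optional[Record]) -> Dict[str, Dict[str, Any]]:
    """Field-level before/after. Only keys whose value changed are kept; for a
    create (before=None) or delete (after=None) every field therefore appears."""
    before = before or {}
    after = after or {}
    changes: Dict[str, Dict[str, Any]] = {}
    for key in sorted(set(before) | set(after)):
        if before.get(key) != after.get(key):
            changes[key] = {"before": before.get(key), "after": after.get(key)}
    return changes


class AuditLog:
    """Append-only log of JSON lines; entries are never edited in place."""

    def __init__(self) -> None:
        self._lines: List[str] = []

    def record(self, action: str, resource_id: str, user_id: str, client_ip: str,
               before: Optional[Record], after: Optional[Record],
               at: Optional[datetime] = None) -> Record:
        entry = {
            "ts": (at or datetime.now(timezone.utc)).isoformat(),
            "user": user_id,
            "ip": client_ip,       # taken from the connection or a trusted proxy, not the request body
            "action": action,
            "resource": resource_id,
            "changes": field_diff(before, after),
        }
        self._lines.append(json.dumps(entry, sort_keys=True, default=str))
        return entry

    def entries(self) -> List[Record]:
        return [json.loads(line) for line in self._lines]


def demo() -> List[Record]:
    """Constructed sample: three high-risk actions by one user from one IP."""
    log = AuditLog()
    ts = datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc)
    quote_v1 = {"status": "draft", "employer_contribution_pct": 50, "plans": ["P1"]}
    quote_v2 = dict(quote_v1, status="sent")
    quote_v3 = dict(quote_v2, employer_contribution_pct=75, plans=["P1", "P2"])

    log.record("quote.status_change", "quote-17", "u1", "203.0.113.7", quote_v1, quote_v2, at=ts)
    log.record("quote.update", "quote-17", "u1", "203.0.113.7", quote_v2, quote_v3, at=ts)
    log.record("document.access", "doc-9", "u1", "203.0.113.7", None, None, at=ts)
    return log.entries()


if __name__ == "__main__":
    for e in demo():
        print(json.dumps(e, sort_keys=True))
```

Recording the diff rather than the full object keeps each entry small and makes a contribution change or plan removal readable at a glance, while the access event with an empty `changes` map still records who opened the document and when.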
How are API keys and credentials managed?
All credentials — API keys, database access, and encryption keys — are stored in platform-managed secret stores. They are never stored in source code or application logs, and are rotatable on demand.
Who should I contact with security questions?
For security-related questions, reach out to the Monark team directly via chat at monarkhq.com or book a call with us.