Information Security Policy

Effective April 30, 2026 · Version 1.0

External Summary for Clients, Surety Partners, and Detention Facilities

1. Executive Summary

Submit Bonds, LLC ("Submit Bonds") operates a secure platform for the submission, review, and management of bail bond information among licensed bail bond agents, detention facilities, surety carriers, and authorized government personnel. This document describes the security controls, practices, and standards we maintain to protect the confidentiality, integrity, and availability of information processed through the Submit Bonds Platform.

This policy is provided to clients, surety partners, detention facilities, and authorized regulators to support their own due diligence, vendor risk reviews, and compliance obligations. It reflects the current state of our security program; specific control details are available under non-disclosure agreement.

2. Scope & Framework Alignment

This policy applies to all systems, infrastructure, applications, and data that comprise the Submit Bonds Platform, including the production web application, API endpoints, supporting databases, file storage, identity verification systems, and operational tooling.

Submit Bonds aligns its security program with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), which organizes security controls across five functions: Identify, Protect, Detect, Respond, and Recover. The mapping below shows where each function is addressed in this policy.

| NIST CSF Function | Focus | This Policy |
|---|---|---|
| Identify (ID) | Asset inventory, risk assessment, governance | §3, §4 |
| Protect (PR) | Access control, encryption, training, data security | §5, §6, §7, §9 |
| Detect (DE) | Continuous monitoring, audit logging, anomaly detection | §8, §10 |
| Respond (RS) | Investigation, communication, mitigation procedures | §11 |
| Recover (RC) | Backup, restoration, business continuity | §12 |

Framework note. NIST CSF is a voluntary framework widely adopted by U.S. government agencies, regulated industries, and law enforcement-adjacent platforms. Submit Bonds uses CSF as its primary control framework because of its broad recognition by detention facility IT teams, state insurance regulators, and surety underwriters.

3. Security Governance

Security is a continuous, organization-wide responsibility. Submit Bonds maintains:

  • Documented security policies reviewed at least annually by leadership
  • A designated security owner accountable for the overall security program
  • Defined roles and responsibilities for system administration, development, and operations
  • A risk assessment process that informs control prioritization and remediation
  • Segregation of duties across development, deployment, and production access
  • Regular security awareness training for all personnel with Platform access

4. Asset & Data Management

Submit Bonds maintains an inventory of systems, applications, and data assets that comprise the Platform. Data handled by the Platform is classified into sensitivity tiers, with controls applied proportionate to sensitivity.

Data classifications

  • Public — non-sensitive marketing or documentation content
  • Internal — operational data not intended for public release
  • Confidential — User credentials, session data, audit logs, business records
  • Restricted — Government-issued identification, biometric verification data, defendant information, financial account references, surety power-of-attorney records

Restricted data receives the strongest protections, including application-layer encryption, strict access controls, and mandatory audit logging on every access.

5. Access Control & Authentication

Access to the Submit Bonds Platform is controlled through a layered authentication and authorization model.

User authentication

  • All Platform access requires authenticated user accounts; anonymous access to non-public functions is not permitted
  • Strong password requirements enforced (minimum length, complexity, breach-list screening)
  • Multi-factor authentication available for all User roles and required for administrative access
  • Session timeouts limit the lifetime of active sessions
  • Account lockout protections defend against credential-stuffing and brute-force attacks

Role-based access

Users are assigned to roles based on their authorized function — bail bond agent, detention facility personnel, surety carrier representative, or authorized administrator. Each role grants only the data access and system functions required for that role's purpose.

  • Principle of least privilege applied to all User roles and internal staff access
  • Administrative privileges granted only to identified personnel with documented business need
  • Access reviews performed periodically to identify and remove stale privileges
  • Account provisioning and deprovisioning follow documented procedures tied to role changes and termination events

Identity verification

New User registration includes identity verification appropriate to the User's role, which may include government-issued ID validation, license verification against state regulator records (such as Florida DFS), and biometric verification through trusted third-party identity providers.

6. Encryption & Data Protection

Submit Bonds protects data in transit and at rest using industry-standard cryptographic controls.

| Data State | Protection Standard | Applies To |
|---|---|---|
| Data in transit | TLS 1.2 or higher | All Platform endpoints |
| Data at rest | AES-256 | Database, file storage, backups |
| Sensitive fields | Application-layer encryption | Identity documents, biometric data |
| Passwords | bcrypt or Argon2 (one-way hashing) | Never stored in plaintext |
| Session tokens | Signed, expiring JWT or equivalent | Bound to IP/UA where possible |

  • Cryptographic keys are managed through a secure key management system with restricted access
  • Keys are rotated periodically in accordance with industry guidance
  • Deprecated cryptographic protocols (SSL, TLS 1.0, TLS 1.1) are not accepted on Platform endpoints
  • Sensitive identifiers are masked or tokenized in user interfaces and logs where the full value is not required

7. Infrastructure & Network Security

The Submit Bonds Platform operates on commercial cloud infrastructure provided by reputable enterprise-grade providers with their own published security certifications. Submit Bonds layers additional controls on top of provider-level security.

Network protection

  • Production environment isolated from development and test environments
  • Web application firewall (WAF) protections against common attack patterns (OWASP Top 10)
  • DDoS mitigation provided by infrastructure-level protections
  • Restricted ingress and egress through defined network rules
  • Bot and scraping protections to detect and block automated abuse

Secure development

  • Code is version-controlled with required peer review before merge to production branches
  • Automated dependency scanning identifies known vulnerabilities in third-party libraries
  • Static and dynamic application security testing integrated into the development pipeline where applicable
  • Secrets, API keys, and credentials are stored in dedicated secret-management systems and never committed to source code
  • Production deployments require authenticated, logged actions

8. Monitoring & Audit Logging

Submit Bonds operates continuous logging and monitoring across the Platform to detect and investigate suspicious activity. As stated in the Submit Bonds Terms of Service, all Platform activity is logged.

What is logged

  • Authentication events (logins, login failures, password changes, MFA challenges)
  • Bond submissions, status changes, and administrative actions
  • Data access events for restricted-tier data
  • Configuration changes to security-relevant systems
  • Network and infrastructure events relevant to security

How logs are protected

  • Logs are stored in tamper-evident systems separated from the application that generated them
  • Log retention follows defined retention periods aligned with regulatory and contractual requirements
  • Access to raw logs is restricted to authorized security personnel
  • Log review processes detect anomalies, repeated failures, and indicators of misuse

For regulators and partners. Audit logs support investigations into suspicious bond submissions, fraudulent power-of-attorney use, and other activity requiring forensic review. Submit Bonds will cooperate with lawful investigative requests from regulatory authorities, surety partners, and law enforcement, subject to applicable legal process.

9. Personnel Security

People are an essential layer of any security program. Submit Bonds applies controls to its personnel commensurate with their access to systems and data.

  • Background screening performed on personnel with access to production systems or restricted data, where permitted by law
  • Confidentiality and acceptable-use obligations apply to all personnel and contractors
  • Security awareness training delivered at onboarding and refreshed periodically
  • Phishing-resistant authentication required for production system access
  • Access is revoked promptly upon role change or termination

10. Vulnerability Management

Submit Bonds maintains an active program to identify, prioritize, and remediate security vulnerabilities.

  • Regular vulnerability scanning across application, infrastructure, and dependency layers
  • Patch management process for operating systems, application frameworks, and third-party libraries
  • Severity-based remediation timelines, with critical vulnerabilities prioritized for rapid resolution
  • Periodic third-party security assessments to validate the effectiveness of internal controls
  • A coordinated disclosure pathway for security researchers to report potential vulnerabilities responsibly

11. Security Event Response

Submit Bonds maintains documented procedures to respond to suspected security events. While the operational details of those procedures are not published in this external summary, the following describes our approach:

  • Defined roles for responding to suspected security events
  • Investigation and containment procedures appropriate to event severity
  • Communication procedures for notifying affected parties when required by law or contract
  • Post-event review and remediation tracking to prevent recurrence

Detailed incident response and breach notification procedures are available to clients and partners under non-disclosure agreement and as required by applicable contractual obligations.

12. Business Continuity & Recovery

Submit Bonds maintains procedures to preserve the availability of the Platform and to recover operations in the event of disruption.

  • Production data is backed up regularly to durable, geographically separated storage
  • Backup integrity is verified periodically through restoration testing
  • Critical infrastructure is configured for redundancy where practical
  • Documented recovery procedures define responsibilities and target recovery times
  • Recovery procedures are reviewed and updated as the Platform evolves

13. Privacy & Regulatory Alignment

This Security Policy supports, but does not replace, the Submit Bonds Privacy Policy and Terms of Service. Submit Bonds operates in accordance with applicable U.S. federal and state laws governing the protection of personal information, including the laws of jurisdictions where the Platform is in active use.

Where Submit Bonds processes information subject to specific legal or regulatory requirements (for example, state-issued identification data, biometric records, or financial account information), additional controls are applied as appropriate to satisfy those requirements.

14. Shared Responsibility & Client Obligations

Information security is a shared responsibility between Submit Bonds and the Users of its Platform. While Submit Bonds is responsible for the security of the Platform itself, Users are responsible for safeguarding their own access and the data they submit. Specifically, Users must:

  • Maintain the confidentiality of their account credentials and not share login information
  • Enable multi-factor authentication where offered
  • Promptly report suspected unauthorized access or compromise of their account
  • Submit only information they are legally authorized to submit
  • Comply with the Submit Bonds Terms of Service, Submission Guidelines, and any applicable laws governing their role

15. Contact & Further Information

Questions regarding this Security Policy, requests for additional control detail under non-disclosure agreement, or reports of suspected security issues may be directed to Submit Bonds through the contact information published at www.submitbonds.com.

Coordinated vulnerability disclosure: security researchers are invited to report suspected vulnerabilities through the responsible disclosure channel published on the Submit Bonds website. Submit Bonds will acknowledge receipt and engage in good-faith communication during investigation.

16. Changes to This Policy

This Security Policy is reviewed at least annually and updated as the Platform, threat landscape, or applicable regulations evolve. The current version is always available at www.submitbonds.com. Material changes will be communicated to clients and partners through the Platform or other reasonable means.

Questions about our security posture? Reach our team through the support contact form. This page is reviewed at least annually and whenever material controls change.