AegisSage
CMS 2026 Compliance Standard

Security & Compliance Statement

AegisSage is engineered for HIPAA-aligned Medicare broker operations. This statement details our data protection practices, legal obligations, and broker responsibilities.

Last updated: May 5, 2026

AES-256-GCM -- Data Encryption at Rest

HIPAA BAA -- Business Associate Agreement

10-Year Retention -- CMS Mandated Record Keeping

01. Data Encryption (AES-256-GCM)

Field-Level & At-Rest Protection

Field-Level Encryption

Protected Health Information (PHI) fields -- including Medicare Beneficiary Identifiers (MBI), dates of birth, and phone numbers -- are encrypted individually using AES-256-GCM with unique IVs per field. Keys are derived via PBKDF2 (100,000 iterations, SHA-256) from a master secret stored in Firebase Secret Manager. This means each field requires its own decryption operation.

Encryption at Rest

All Firestore databases are encrypted at rest using Google-managed AES-256 keys. PHI blobs stored in Google Cloud Storage are protected with Customer-Managed Encryption Keys (CMEK). No plaintext PHI is ever written to any persistent storage layer.

In-Transit Encryption

All client-to-server communication is protected by TLS 1.3. Webhook payloads from CRM integrations (GoHighLevel, EnrollHere) are verified via HMAC-SHA256 signature on the x-webhook-signature header before processing begins.

Minimum Necessary Standard

Per HIPAA §164.514(d), AegisSage applies the minimum necessary standard to all PHI access. Operational metadata (plan IDs, retention scores, status flags) is stored separately from PHI. AI risk-scoring flows operate exclusively on non-PHI operational data.

02. HIPAA BAA Availability

Business Associate Agreement -- Required for Platform Access

AegisSage functions as a Business Associate under HIPAA (45 CFR §160.103) when processing Protected Health Information on behalf of Covered Entities (Medicare insurance brokers and agencies). All agencies accessing PHI functionality must have an executed Business Associate Agreement on file before platform access is granted.

Safeguard PHI -- Administrative, physical, and technical safeguards per §164.310-164.312

Report Breaches -- Notify the covered entity within 60 days of PHI breach discovery per §164.410

Subcontractor BAAs -- Flow-down BAA obligations to all subprocessors handling PHI

Agencies that have not executed a BAA will not be granted access to PHI-adjacent features, including the Integrity Engine, CSV ingestion, and Blue Button 2.0 integration. Contact compliance@aegissage.com to initiate the BAA execution process.

03. CMS 10-Year Record Retention Policy

TPMO Regulation -- 42 CFR §422.2274 & §423.2274

Mandatory for All Licensed TPMOs

Under CMS final rules effective 2024 (and reinforced for 2026), all Third-Party Marketing Organizations (TPMOs) must retain records of Medicare beneficiary interactions for a minimum of 10 years. This includes call recordings, Scope of Appointment forms, enrollment documents, and all marketing materials.

Call Recordings -- 42 CFR §422.2274(c)(1)

All sales calls must be recorded and retained for 10 years. AegisSage integrates with Maya AI Voice to auto-archive and timestamp each call with the associated member record.

Scope of Appointment (SOA) -- 42 CFR §422.2262

SOA forms must be completed 48 hours before an enrollment meeting and retained for 10 years. AegisSage generates, digitally signs, and cryptographically hashes all SOA documents.

Marketing Materials -- 42 CFR §422.2274(b)

All marketing materials, including digital assets and CRM campaigns, must be pre-approved by the carrier and retained for 10 years. AegisSage logs all outreach events in an immutable audit trail.

Service Agreement

Terms of Service

Legal framework for the AegisSage Medicare Retention Platform.

01. Licensure Requirement

By registering, users represent that they are licensed Medicare insurance agents in good standing with a valid National Producer Number (NPN) on file with the National Insurance Producer Registry (NIPR). AegisSage reserves the right to verify licensure at any time and suspend accounts where licensure cannot be confirmed.

02. Agency Responsibility & CMS Compliance

Agencies are solely responsible for ensuring that all AI-assisted outreach, VCC fax submissions, SOA generation, and enrollment recommendations comply with applicable CMS regulations, carrier guidelines, and state insurance law. AegisSage provides tools -- the licensed broker retains full professional responsibility for client interactions.

03. TPMO Obligations

By using the platform, all users agree to comply with CMS TPMO rules including: recording all sales calls and retaining recordings for 10 years; completing Scope of Appointment forms at least 48 hours before enrollment meetings; using only CMS-approved marketing language; and disclosing TPMO status to all beneficiaries at the point of first contact.

04. Subscription & Billing

Plans are billed monthly or annually as selected at signup. Cancellations take effect at the end of the current billing cycle. No partial refunds are issued for unused time. All payment transactions are processed via our BAA-compliant payment processor using PCI-DSS Level 1 infrastructure.

05. BAA Requirement

Access to PHI-adjacent features (Integrity Engine, CSV ingestion, Blue Button 2.0, member health records) is contingent upon the Agency having a signed Business Associate Agreement on file with AegisSage Intelligence Inc. Contact compliance@aegissage.com to initiate.

06. Prohibited Uses

The platform may not be used to: (i) market non-Medicare insurance products without carrier authorization; (ii) access or export PHI for purposes beyond direct member care coordination; (iii) share platform access credentials with unlicensed individuals; (iv) circumvent CMS or NIPR oversight mechanisms; or (v) use AI-generated content in regulatory submissions without human review.

Data Privacy

Privacy Policy

How AegisSage collects, uses, and protects your data.

01. Data We Collect

We collect: (i) broker account information (name, email, NPN, phone, agency name); (ii) member operational metadata (plan IDs, enrollment periods, retention scores) -- no PHI in this layer; (iii) PHI provided for processing (MBI, DOB, phone) -- stored exclusively in the encrypted phi_vault and members collections; (iv) usage analytics (page views, feature interactions) in anonymized form.

02. How We Use Your Data

Broker account data is used to authenticate users and enforce agency-level access controls. Member operational data powers AI risk scoring, switch detection, and retention recommendations. PHI is processed solely for the purpose of facilitating Medicare insurance broker services on behalf of the covered entity (your agency). We do not sell, rent, or share data with third parties for marketing purposes.

03. Data Retention & Deletion

Account data is retained for the duration of the subscription plus 90 days post-cancellation. PHI is retained for the CMS-mandated 10-year period or longer if required by state law. Brokers may request PHI deletion via the Admin SDK right-of-erasure workflow; note that deletion requests may be subject to regulatory retention requirements that supersede the request.

04. Cookies & Tracking

AegisSage uses only essential session cookies required for Firebase Authentication. No third-party advertising trackers, behavioral profiling cookies, or cross-site tracking pixels are deployed. Analytics data is collected via anonymized server-side event logging only.

05. Your Rights

Brokers have the right to: access their account and agency data; correct inaccurate information; request data portability in JSON or CSV format; request deletion subject to retention requirements. For requests, contact privacy@aegissage.com. Responses will be provided within 30 days.

Questions About Compliance?

Our compliance team is available to assist with BAA execution, NIPR verification, CMS audit preparation, and regulatory questions.