Compliance & Security Documentation
Last updated: February 18, 2026
1. Overview
EnrollSure™ provides a HIPAA-compliant electronic signing and Medicare client intake platform designed for licensed insurance agents and their beneficiaries. Our platform enables secure collection of health information, digital execution of compliance documents (Scope of Appointment, Permission to Contact), and tamper-evident document signing with comprehensive audit trails. This document describes the technical and procedural controls that ensure the integrity, authenticity, and legal validity of electronically signed documents processed through EnrollSure™.
2. Electronic Signing Process
Every document signing event follows a structured process designed to establish signer identity, capture intent, and produce a tamper-evident record:
- Secure Link Delivery: The agent sends a unique, time-limited signing link to the beneficiary via email. Each link contains a cryptographically random identifier and has a configurable expiration period.
- Email Open Tracking: When the recipient opens the email, a tracking pixel records the timestamp, IP address, and user agent of the email client. This establishes delivery confirmation.
- Document Access: The beneficiary opens the signing link and views the document in a secure, browser-based viewer. The system records the "opened" and "started" events with timestamps and attribution data.
- Identity Verification (Optional): The signer may verify their identity via a one-time passcode (OTP) sent to their email address. The 6-digit OTP expires after 10 minutes and is protected against brute-force attacks (maximum 5 attempts).
- E-Consent Capture: Before signing, the signer must explicitly check a consent box confirming they agree to receive and sign documents electronically. This consent is timestamped and recorded.
- Signature Capture: The signer draws their signature or initials on the document using a digital signature pad. The signature image is captured as a PNG and embedded into the PDF.
- Audit Trail Generation: A complete audit trail page is appended to the signed PDF documenting the entire signing event, including all hashes, attribution data, and verification status.
- Document Finalization: The signed PDF is locked with metadata markers, hashed using SHA-256, and stored along with all attribution data in the database.
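The OTP limits in the identity verification step (6 digits, 10-minute expiry, at most 5 attempts) can be enforced as in the sketch below. This is an added example, not EnrollSure™ code. The function names, the record layout, and the choice to store only a salted HMAC of the code are assumptions.

```javascript
// Added example (hypothetical names): email OTP check with the limits the
// page states: 6 digits, 10-minute expiry, maximum 5 attempts.
const crypto = require('node:crypto');

const OTP_TTL_MS = 10 * 60 * 1000; // 10-minute expiry, from the page
const MAX_ATTEMPTS = 5;            // attempt cap, from the page

// Assumption: persist a salted HMAC of the code, never the code itself,
// so reading the stored record does not reveal a usable passcode.
function hashOtp(code, salt) {
  return crypto.createHmac('sha256', salt).update(code).digest();
}

// Issue a challenge. `now` is injectable so expiry can be checked offline.
function issueOtp(now = Date.now()) {
  // randomInt draws from the CSPRNG without modulo bias.
  const code = crypto.randomInt(0, 1_000_000).toString().padStart(6, '0');
  const salt = crypto.randomBytes(16);
  const record = {
    salt,
    digest: hashOtp(code, salt),
    expiresAt: now + OTP_TTL_MS,
    attempts: 0,
    used: false,
  };
  return { code, record }; // code goes to the mailer, record to storage
}

// Returns 'ok', 'invalid', 'expired' or 'locked'; mutates the stored record.
function verifyOtp(record, submitted, now = Date.now()) {
  if (record.used || record.attempts >= MAX_ATTEMPTS) return 'locked';
  if (now >= record.expiresAt) return 'expired';
  record.attempts += 1; // count the attempt before comparing
  if (typeof submitted !== 'string' || !/^\d{6}$/.test(submitted)) return 'invalid';
  const candidate = hashOtp(submitted, record.salt);
  if (!crypto.timingSafeEqual(candidate, record.digest)) return 'invalid';
  record.used = true; // single use: a replayed code is rejected
  return 'ok';
}
```

In a real deployment the attempt counter must be incremented atomically in the database, otherwise parallel requests can exceed the cap.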
3. Document Integrity & Tamper Evidence
EnrollSure™ uses cryptographic hashing to ensure documents cannot be modified after signing without detection:
- Original Document Hash (SHA-256): Before any signatures are applied, a SHA-256 hash of the original PDF is computed and stored. This allows verification that the base document was not altered before signing.
- Signature Image Hash (SHA-256): The raw signature image data is independently hashed and stored. This provides proof of the specific signature that was captured at signing time.
- Signed Document Hash (SHA-256): After all signatures are embedded, the audit trail page is appended, and PDF metadata is locked, a final SHA-256 hash of the complete document is computed and stored. Any subsequent modification of the PDF will produce a different hash.
- PDF Metadata Locking: The signed PDF's metadata (Title, Producer, Subject, Keywords) is set with finalization markers that indicate the document has been completed through the EnrollSure™ signing process. The Producer field records the platform version and the Subject field records the document identifier.
To verify a document's integrity, the PDF can be converted to base64, its SHA-256 hash computed, and compared against the stored signed document hash in the EnrollSure™ database. A match confirms the document has not been altered since signing.
4. Attribution & Non-Repudiation
Every signing event captures comprehensive attribution data to establish who signed, when, where, and from what device. This data supports non-repudiation and is recorded both in the database and on the audit trail page embedded in the PDF:
| Data Point | Description |
|---|---|
| IP Address | The signer's IP address, captured from request headers |
| Timestamp | ISO 8601 timestamp of the signing event in UTC |
| User Agent | Browser and operating system identification string |
| Device Fingerprint | Screen resolution, timezone, language, platform, color depth, touch capability, and CPU cores |
| Geographic Location | City, region, and country derived from IP geolocation lookup |
| E-Consent | Explicit checkbox consent with timestamp confirming agreement to electronic signing |
| OTP Verification | Email one-time passcode verification status (when used) |
5. Data Security & Encryption
EnrollSure™ implements multiple layers of security to protect data at rest and in transit:
Encryption in Transit
- All connections use TLS 1.2+ with 256-bit AES encryption
- HTTPS is enforced on all endpoints with HSTS headers
- API requests between services are encrypted end-to-end
Encryption at Rest
- Database (Neon PostgreSQL) uses AES-256 encryption at rest
- All stored PDFs, signatures, and compliance documents are encrypted in the database
- Backup data is encrypted using the same AES-256 standard
Authentication & Access Control
- Passwords are hashed using bcrypt with a cost factor of 12 rounds
- JWT-based authentication with secure, HTTP-only, SameSite cookies
- Two-factor authentication (2FA) via email-based OTP
- Automatic session timeouts after 30 minutes of inactivity
- Role-based access control (RBAC) with Superadmin, Admin, and Agent roles
- Multi-tenant data isolation ensures organizations cannot access other organizations' data
Application Security
- Input validation via Zod schemas on all API endpoints prevents injection attacks
- Prisma ORM generates parameterized queries, preventing SQL injection
- Rate limiting on authentication and signing endpoints prevents brute-force attacks
- Content Security Policy (CSP) headers prevent cross-site scripting (XSS)
6. HIPAA Compliance
EnrollSure™ is designed and operated in accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and Security Rule. The following controls address HIPAA requirements:
Administrative Safeguards
- Role-based access controls enforce the minimum necessary standard for PHI access
- Comprehensive audit logging tracks all access to and modifications of PHI
- Business Associate Agreements (BAAs) are available for covered entities
- Workforce training and access management procedures are maintained
Technical Safeguards
- Unique user identification with individual accounts and credentials
- Automatic session termination after inactivity periods
- Encryption of ePHI in transit (TLS 1.2+) and at rest (AES-256)
- Audit controls that record and examine activity in information systems containing ePHI
- Integrity controls including SHA-256 document hashing to detect unauthorized alterations
- Person or entity authentication via passwords, 2FA, and OTP verification
Physical Safeguards
- Infrastructure hosted on Vercel and Neon, both of which maintain SOC 2 Type II compliance
- No on-premise servers or physical media containing PHI
- Cloud infrastructure providers maintain physical access controls and environmental safeguards
7. Database Compliance
EnrollSure™'s data layer is built on industry-standard technologies with strong compliance profiles:
Neon PostgreSQL
- Fully managed, serverless PostgreSQL database
- Data encrypted at rest using AES-256
- SOC 2 Type II compliant infrastructure
- Automated backups with point-in-time recovery
- Network isolation with secure connection strings
- All database connections require SSL/TLS
Prisma ORM
- All queries are parameterized, preventing SQL injection attacks
- Type-safe database access eliminates runtime type errors
- Schema migrations are version-controlled and auditable
- Connection pooling with secure credential management
8. CMS Regulatory Compliance
EnrollSure™ supports Medicare insurance agents in meeting Centers for Medicare & Medicaid Services (CMS) regulatory requirements:
Scope of Appointment (SOA)
- Electronically generated SOA documents with beneficiary and agent information
- Product type checkboxes per CMS requirements (Medicare Advantage, Part D, etc.)
- Digital signature capture with timestamp and IP address
- No-obligation and no-impact statements included per CMS guidelines
- PDF generation with all required fields for CMS audit readiness
Permission to Contact (PTC)
- Explicit consent capture with timestamp and IP address
- Consent recorded separately from other form submissions
- CAN-SPAM compliant with unsubscribe management
48-Hour Rule
- Acknowledgment checkbox for the CMS 48-hour waiting period requirement
- Timestamp recorded for compliance verification
9. Audit Trail Contents
Every signed document includes a dedicated audit trail page appended to the PDF. The audit trail page contains the following information:
- Document Information: Document ID, document name, original document hash (SHA-256), signed document hash (SHA-256)
- Signer Information: Full name, email address, signature hash (SHA-256)
- Signing Event: ISO 8601 timestamp, IP address, user agent, device information (platform, screen resolution), geographic location (city, region, country)
- Verification: Identity verification method (Email OTP / Not Required), e-consent timestamp
- Integrity Notice: Statement that the document was electronically signed via EnrollSure™, with instructions for hash-based tamper verification
In addition to the embedded PDF audit trail, all signing event data is stored in the EnrollSure™ database with comprehensive audit logging. The database retains a full record of every action taken during the signing process, including document access, field completion, and submission events.
10. Data Retention
Signed documents, audit trails, and associated compliance records are retained for the duration required by CMS regulations and applicable state and federal laws. Beneficiary submission data, including SOA PDFs, client summaries, and document signing records, are maintained for the lifetime of the agent's active account. Audit logs are retained indefinitely for compliance and dispute resolution purposes. Upon account deletion, data is permanently removed from active systems in accordance with our data retention policy.
11. Contact Information
For questions about our compliance practices, security controls, or to request a Business Associate Agreement (BAA), please contact us:
Email: compliance@enrollsure.io
Website: https://enrollsure.io
Address: 113 GA Hwy 94 E #10, Statenville, GA 31648