GLBA Safeguards Rule

ECIW Written Information Security Program (WISP)

ECIW — administrative, technical, and physical safeguards for the protection of Nonpublic Personal Information.

Last Updated: May 2026
Document Owner: ECIW Systems, Operator
Effective: Immediately

This document sets out ECIW Systems’ administrative, technical, and physical safeguards for the protection of customer information collected through the ECIW platform, in compliance with the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule (16 C.F.R. Part 314).

1. Purpose

This Written Information Security Program (WISP) describes how ECIW Systems protects Nonpublic Personal Information (NPI) in compliance with the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule.

2. Scope

This program applies to all electronic and physical information collected through the ECIW platform.

3. Information Security Program Coordinator

ECIW Systems, the operator of the ECIW platform (based in Philadelphia, Pennsylvania, USA), is designated as the Information Security Program Coordinator and is responsible for implementing and maintaining this program.

4. Risk Assessment

We conduct periodic risk assessments to identify reasonably foreseeable threats to customer information, including unauthorized access, use, or disclosure. The formal assessment that informs this program is documented in Section 5 below.

5. Formal Risk Assessment

ECIW Systems maintains a documented risk assessment that identifies reasonably foreseeable internal and external threats to the confidentiality, integrity, and availability of Nonpublic Personal Information (NPI). For each identified threat, ECIW Systems evaluates the likelihood and potential impact, records the controls currently in place to mitigate it, and assesses the residual risk that remains after those controls are applied.

Threat: Unauthorized access
Attempt by an unauthenticated party to view, modify, or exfiltrate NPI through the broker dashboard, client share link, or API.
Likelihood: Low | Impact: High | Residual risk: Low
Current controls:
  • TLS 1.3 encryption in transit
  • Better Auth password hashing + session cookies
  • Per-form share tokens (single-use scope, 14-day expiry, revocable)
  • Middleware-enforced route protection

Threat: Data breach (storage compromise)
Exposure of stored NPI through infrastructure compromise, misconfiguration, or stolen credentials at the storage layer.
Likelihood: Low | Impact: High | Residual risk: Low
Current controls:
  • Encryption at rest on managed Cloudflare / Totalum storage
  • Least-privilege service credentials, rotated on schedule
  • Network isolation and provider-side hardening
  • Audit logging of read / write access to sensitive records

Threat: Insider threats
Misuse of legitimate access by personnel or contractors, whether intentional or accidental.
Likelihood: Low | Impact: Moderate | Residual risk: Low
Current controls:
  • Role-based access controls (least privilege by default)
  • Background-checked personnel and signed confidentiality agreements
  • Mandatory onboarding + annual security awareness training
  • Comprehensive audit logging of administrative actions

Threat: Third-party / vendor risk
Risk introduced by sub-processors and integrated services (hosting, email delivery, payments, AI providers).
Likelihood: Moderate | Impact: Moderate | Residual risk: Low
Current controls:
  • Vendor due diligence prior to onboarding
  • Contractual safeguards (DPAs, confidentiality, breach notice)
  • Scoped credentials limited to the data each vendor requires
  • Periodic review of vendor compliance posture and access

Residual risk summary
Residual risk summary

After application of the administrative, technical, and physical safeguards described in Section 6, ECIW Systems assesses the overall residual risk to NPI as LOW. Residual risk is monitored on an ongoing basis through audit logging, periodic control reviews, vendor reassessment, and a full reassessment of identified threats at least annually or whenever a material change to the business or technology occurs.

6. Security Safeguards

ECIW Systems maintains a layered set of safeguards designed to protect customer information:

  • Administrative: Role-based access controls, background-checked personnel, mandatory security training.
  • Technical: Encryption in transit (TLS 1.3) and at rest, secure authentication, automatic session timeouts, input validation, and logging of access to sensitive data.
  • Physical: All data is hosted on secure Cloudflare infrastructure with industry-standard physical controls.

7. Employee Training

All personnel receive security awareness training upon hire and annually thereafter.

8. Vendor Management

Third-party service providers are contractually required to maintain appropriate safeguards and are reviewed periodically.

9. Incident Response Plan

In the event of a data breach, we will investigate, contain, notify affected parties and regulators as required by law, and document all steps taken. The full Incident Response Plan — including roles, detection & reporting, containment, eradication and recovery steps, 72-hour state insurance commissioner notification procedures, and post-incident review — is published separately and is kept aligned with this WISP.


10. Program Review & Updates

This WISP is reviewed and updated at least annually or whenever material changes occur to our business or technology.

ECIW is committed to protecting the confidentiality and security of the information you entrust to us.

Issued by
ECIW
A product of Efficient Client Intake Workflow Systems
Information Security Program Coordinator
Philadelphia, PA, USA
Contact
[email protected]
Questions about this WISP, requests to review it, or incident reports may be sent to the address above.