Trust & Security
MarketLink Trust Center
We handle sensitive health and financial information for thousands of consumers and brokers. This page documents our security practices, compliance posture, and commitments to protecting your data.
Compliance & Certifications
Marketplace Enrollment Safeguards
Status: In Progress
MarketLink is designed to support Marketplace enrollment workflows while protecting consumer information under applicable privacy and security requirements.
HIPAA Alignment
Status: Mapped
Controls are mapped to HIPAA Privacy and Security Rule expectations for protected health information (PHI) processed through the platform. Formal review materials are maintained separately from this public page.
Identity and Access Controls
Status: Mapped
Identity proofing, authentication, session management, and broker access controls are mapped to federal identity and security guidance.
AES-256 Encryption
Status: Active
All data at rest is encrypted using AES-256. All data in transit uses TLS 1.3. Social Security Numbers and other sensitive identifiers receive additional field-level encryption.
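The field-level layer described above is the part most often done badly, so here is an added illustration of what it should look like; this is example code written for this page, not MarketLink's implementation, and it assumes AES-256-GCM as the mode (the page names only the key size) and a key that, in production, would come from a KMS or HSM rather than be generated in the process. The point it demonstrates is binding each ciphertext to its record ID and column name via GCM's associated data, so a ciphertext lifted from one applicant's row cannot be decrypted under another's; the record IDs and SSN value are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// FieldCipher wraps a 256-bit AES key used to encrypt individual sensitive
// fields (for example an SSN) before they are written to the database.
type FieldCipher struct {
	aead cipher.AEAD
}

// NewFieldCipher builds an AES-256-GCM AEAD from a 32-byte key.
// Assumption for this example: the key is supplied by a KMS/HSM in practice.
func NewFieldCipher(key []byte) (*FieldCipher, error) {
	if len(key) != 32 {
		return nil, errors.New("field key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead}, nil
}

// aad binds a ciphertext to the record and column it belongs to, so a
// ciphertext copied into another row fails authentication on decrypt.
func aad(recordID, field string) []byte {
	return []byte(recordID + "|" + field)
}

// Encrypt returns base64(nonce || ciphertext || tag) for storage in a text column.
// A fresh random 96-bit nonce is drawn per call; GCM must never reuse one under a key.
func (fc *FieldCipher) Encrypt(recordID, field, plaintext string) (string, error) {
	nonce := make([]byte, fc.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := fc.aead.Seal(nonce, nonce, []byte(plaintext), aad(recordID, field))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// Decrypt reverses Encrypt and fails if the ciphertext, its tag, or the
// record/field binding has been altered.
func (fc *FieldCipher) Decrypt(recordID, field, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	ns := fc.aead.NonceSize()
	if len(raw) < ns+fc.aead.Overhead() {
		return "", errors.New("stored value too short")
	}
	pt, err := fc.aead.Open(nil, raw[:ns], raw[ns:], aad(recordID, field))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	key := make([]byte, 32) // constructed demo key for this example only
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	fc, _ := NewFieldCipher(key)
	stored, _ := fc.Encrypt("applicant-1001", "ssn", "123-45-6789") // constructed sample SSN
	fmt.Println("stored:", stored)
	ssn, _ := fc.Decrypt("applicant-1001", "ssn", stored)
	fmt.Println("decrypted:", ssn)
	_, err := fc.Decrypt("applicant-2002", "ssn", stored) // same ciphertext, different record
	fmt.Println("transplanted ciphertext rejected:", err != nil)
}
```

Two design points worth checking in any real implementation: the key used for this layer should be distinct from the volume or database encryption key so that a database backup alone is not enough to recover the field, and the nonce must be random per encryption (or a counter that is never reused), since a repeated GCM nonce under the same key leaks the XOR of plaintexts and the authentication key.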
SOC 2 Type II Framework
Status: In Progress
Our infrastructure and processes are designed against the SOC 2 Type II framework (Trust Services Criteria: Security, Availability, Confidentiality). Formal audit engagement in progress.
PCI DSS
Status: N/A
MarketLink does not store, process, or transmit payment card data. Premium payments are handled directly by insurance carriers.
Security Practices
Access Controls
Role-based access control (RBAC) with least-privilege principles. All broker accounts require multi-factor authentication. Administrative access is tightly restricted and logged.
Audit Logging
Every access to personally identifiable information (PII) is logged with user identity, timestamp, and IP address. Logs are retained according to applicable Marketplace program requirements and are tamper-evident.
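"Tamper-evident" is a claim an auditor will ask to see mechanised, so here is an added example of the usual construction: each PII access entry carries the fields the paragraph above lists (user, timestamp, source IP) plus the resource and action, and is chained to its predecessor by an HMAC-SHA-256 over a length-prefixed encoding of the entry and the previous tag. This is illustration code written for this page, not MarketLink's logging pipeline; the HMAC key, user IDs, IPs, and timestamps are constructed sample data, and the assumption is that the verification key is held by the log consumer (for example the SIEM), not by the application server that writes the entries.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// AccessEvent is one PII access record: who, when, from where, on what.
type AccessEvent struct {
	Seq       uint64
	Timestamp string // RFC 3339, UTC
	UserID    string
	SourceIP  string
	Resource  string // e.g. "applicant/1001/ssn"
	Action    string // "read", "update", ...
	PrevHash  string // hex tag of the previous entry; "" for the first entry
	EntryHash string // hex HMAC-SHA-256 over canonical(e), including PrevHash
}

// canonical serialises the covered fields with length prefixes so field
// boundaries cannot be shifted to make two different entries encode the same.
func canonical(e AccessEvent) []byte {
	var b strings.Builder
	fields := []string{strconv.FormatUint(e.Seq, 10), e.Timestamp, e.UserID, e.SourceIP, e.Resource, e.Action, e.PrevHash}
	for _, f := range fields {
		b.WriteString(strconv.Itoa(len(f)))
		b.WriteByte(':')
		b.WriteString(f)
	}
	return []byte(b.String())
}

// AuditLog is an append-only chain of AccessEvents.
// Assumption for this example: the HMAC key belongs to the verifier, so an
// attacker who edits stored entries on the app server cannot re-seal them.
type AuditLog struct {
	key     []byte
	entries []AccessEvent
}

func NewAuditLog(hmacKey []byte) *AuditLog { return &AuditLog{key: hmacKey} }

func (l *AuditLog) tag(e AccessEvent) string {
	m := hmac.New(sha256.New, l.key)
	m.Write(canonical(e))
	return hex.EncodeToString(m.Sum(nil))
}

// Append links the new event to the previous entry's tag and seals it.
func (l *AuditLog) Append(ts, user, ip, resource, action string) AccessEvent {
	e := AccessEvent{Seq: uint64(len(l.entries)), Timestamp: ts, UserID: user, SourceIP: ip, Resource: resource, Action: action}
	if n := len(l.entries); n > 0 {
		e.PrevHash = l.entries[n-1].EntryHash
	}
	e.EntryHash = l.tag(e)
	l.entries = append(l.entries, e)
	return e
}

// Verify walks the chain and returns the index of the first entry whose
// sequence number, back-link, or tag does not check out, or -1 if intact.
func (l *AuditLog) Verify() int {
	prev := ""
	for i, e := range l.entries {
		if e.Seq != uint64(i) || e.PrevHash != prev || !hmac.Equal([]byte(e.EntryHash), []byte(l.tag(e))) {
			return i
		}
		prev = e.EntryHash
	}
	return -1
}

func main() {
	al := NewAuditLog([]byte("demo-verifier-key")) // constructed key for this example only
	al.Append("2024-05-01T14:02:11Z", "broker:4471", "203.0.113.10", "applicant/1001/ssn", "read")
	al.Append("2024-05-01T14:02:19Z", "broker:4471", "203.0.113.10", "applicant/1001/dob", "read")
	al.Append("2024-05-01T14:05:03Z", "admin:7", "198.51.100.5", "applicant/1001/ssn", "update")
	fmt.Println("intact chain, first bad index:", al.Verify())
	al.entries[1].SourceIP = "10.0.0.1" // someone rewrites a stored entry after the fact
	fmt.Println("after tampering, first bad index:", al.Verify())
}
```

The chain catches modification, reordering, and insertion anywhere before the last entry, but it cannot by itself detect truncation of the tail: deleting the most recent entries leaves a chain that still verifies. The standard fix is to anchor the latest tag outside the writer's control on a schedule, for example by shipping it to the SIEM or to write-once storage, so that a verifier can check that the head it holds is still present in the log.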
Vulnerability Management
Regular automated vulnerability scanning, annual third-party penetration testing, and a responsible disclosure policy. Critical patches are applied within 24 hours.
Incident Response
A documented incident response plan aligned with NIST SP 800-61. In the event of a data breach, affected individuals will be notified within 72 hours in accordance with applicable state breach notification laws.
Vendor Management
All vendors with access to PII/PHI are vetted for security practices and bound by Data Processing Agreements or Business Associate Agreements. Vendor access is reviewed quarterly.
Data Minimization
We collect only the information necessary to determine coverage eligibility and facilitate enrollment. We do not collect or store biometric data, and we do not perform device fingerprinting or behavioral tracking beyond what session security requires.
Marketplace Regulatory Context
MarketLink aligns its Marketplace enrollment, privacy, and security practices to the federal standards that apply to web-brokers and the handling of personally identifiable information:
- 45 CFR § 155.220 — Standards for agents, brokers, and web-brokers assisting with enrollment;
- 45 CFR § 155.260 — Privacy and security standards for personally identifiable information;
- 45 CFR § 155.400–155.430 — Enrollment standards and special enrollment period verification;
- NIST SP 800-63-3 — Digital Identity Guidelines for identity proofing and authentication;
- HIPAA Privacy & Security Rules — 45 CFR Parts 160 and 164.
Submit a Privacy Request
To exercise your privacy rights (access, correction, deletion, data portability), submit a request below or email privacy@marketlink.ai.
We will respond within 45 days. Identity verification may be required.
Security Contact
To report a security vulnerability or data breach, contact our Security team immediately. We take all reports seriously and will respond within 24 hours.