Cert expiry on a policy-submission relay can be a reportable cybersecurity event under the NAIC Insurance Data Security Model Law.
30+ states have adopted it. State DOI must be notified within 72 hours when 250-500 consumers' data is affected.
Insurance agencies building client portals, ACORD form submission relays, and state DOI producer-licensing endpoints for P&C, life, health, and specialty insurance carriers and producer/brokerage operations deal with NAIC Insurance Data Security Model Law (now adopted by 30+ states) cybersecurity-event reporting to state DOI within 72 hours when consumer data is affected by cert expiry, ACORD form submission cert chain dependencies breaking policy submissions to carrier intake APIs (Travelers, Hartford, Liberty Mutual, Chubb, AIG, etc. — each with its own approved-CA list), and state DOI producer- licensing portal cert dependencies (CA DOI, NY DFS, FL OIR, TX TDI) breaking license renewals and CE-credit submissions during February-March peak renewal cycles. Merlonix monitors every insurance-attached subdomain so the NAIC + DOI + carrier-API exposure surfaces 30 days before the failure window opens.
No credit card for the trial. Cancel any time.
- Check cadence (Agency)
- 5 min
- SSL pre-expiry alert
- 30 days
- Independent DNS resolvers
- 3
- Vendors watched
- 11
Where insurance agencies get caught out
Three failure modes where SSL expiry creates NAIC Insurance Data Security Model Law 72-hour DOI reporting exposure, ACORD form submission rejections at carrier intake APIs, and state DOI producer-licensing portal cert chain failures during peak renewal cycles.
Insurance agencies building client portals, ACORD form submission relays, and state DOI producer-licensing endpoints for P&C, life, health, and specialty insurance carriers + producer/brokerage operations deal with NAIC Insurance Data Security Model Law (now adopted in 30+ states including NY DFS Part 500, OH, MI, IN, WI, KY, MN, NC, VA) cybersecurity-event reporting to the state DOI within 72 hours when consumer data is affected, ACORD form submission cert chain dependencies where each carrier (Travelers, Hartford, Liberty Mutual, Chubb specialty, AIG specialty, Berkshire Hathaway Specialty) has its own approved-CA list and silently rejects submissions with off-list chains, and state DOI producer-licensing portal cert dependencies (CA CDI, NY DFS, FL OIR, TX TDI, NJ DOBI each with their own legacy approved-CA lists) breaking license renewals and CE-credit submissions during the February-March peak renewal cycle.
The NAIC Insurance Data Security Model Law was adopted by the National Association of Insurance Commissioners in 2017, modeled on NY DFS Part 500 (23 NYCRR 500, effective March 2017). 30+ states have enacted it including SC, AL, MS, OH, MI, CT, NH, DE, IN, LA, MN, NC, ND, WI, VT, KY, ME, IA, TN, VA, AK, HI. The model law requires licensees (carriers, producers, brokerages) to maintain a documented information security program with "reasonable" cybersecurity controls including encryption-in-transit of nonpublic information. Section 6 requires notification of the state DOI within 72 hours of determining a "cybersecurity event" affects 250+ consumers (NY DFS uses 500; states vary). A "cybersecurity event" is defined as "an event resulting in unauthorized access to, disruption or misuse of, an information system or information stored on such information system." Cert expiry that results in nonpublic consumer information transmitting over an unencrypted connection meets the unauthorized-access prong of the definition in many state-level interpretations
An insurance agency operates the policy-submission relay (submit.brokerageops.com) for a multi-line P&C and life brokerage with 80 producers and 12,000 active personal-lines + commercial-lines policyholders across 8 states. The cert on submit.brokerageops.com expires over a 4-day weekend. During the window, producers continue submitting new-business apps and endorsements through the relay; the relay's back-end aggregator processes the submissions and dispatches to carrier intake APIs. Producer apps contain nonpublic information (driver license numbers, dates of birth, SSNs for credit checks). The brokerage operates in 7 NAIC-Model-Law states and 1 non-Model-Law state. Discovery happens Monday when a carrier reports back-end submission failures. Outside insurance counsel performs the 72-hour reporting analysis: the cert-expired window affected ~340 submissions; ~280 of those contained nonpublic information on consumers in NAIC-Model-Law states; the 250-consumer threshold is exceeded in 3 of those states
An insurance agency operates BrokerageOps, the policy-submission infrastructure for Midwestern Insurance Partners, a multi-line P&C and life brokerage with 80 producers and 12,000 active policyholders. The brokerage operates in 8 states: OH, MI, IN, IL, WI, KY, MN, ND. Of those, 7 are NAIC Model Law states; IL is the only non-Model-Law state (as of the 2025 enactment cycle). The policy-submission relay is hosted at submit.midwesterninsurancepartners.com. The cert is provisioned via Let's Encrypt with a 90-day cycle. The agency's LE renewal automation depends on a DNS-01 challenge with the brokerage's DNS provider; the DNS provider rotated their API credential six weeks ago as part of a security upgrade; the agency's automation still uses the previous credential. The previous cert is still valid for another 30 days; the renewal failure doesn't cause a visible event. The cert expires Friday at 11:58 PM ET — entering a 4-day Memorial Day weekend (Saturday + Sunday + Monday memorial-day holiday + Tuesday morning before discovery). During the 4-day window: producers continue submitting new-business apps and endorsements via the relay (producer agent-portal calls submit.midwesterninsurancepartners.com; the API returns 200 OK or fails depending on browser/client cert handling). Modern producer agent-portal apps use strict TLS; many fail the connection entirely and queue submissions locally for retry. About 340 submissions are queued or partially-completed during the window. Some submissions contain a producer-portal client-side app that transmits nonpublic information (driver license number, DOB, full SSN for credit checks on auto + life) over the expired cert connection — the user-agent treats the cert error as a connection-failure but TCP-level traffic still flowed before the connection was torn down, and proxy intermediates may have logged the request. Discovery happens Tuesday morning when a carrier (Travelers personal-lines intake) reports back-end submission failures; the agency engineer triages and identifies the cert expiry. Cert is renewed by 11 AM Tuesday. The brokerage's compliance officer is engaged; outside insurance counsel from the brokerage's E&O law firm performs the 72-hour reporting analysis. Analysis: of the 340 submissions during the cert-expired window, ~280 contain nonpublic information per the NAIC Model Law definition (DLN, DOB, SSN; financial information for commercial-lines apps with workers' comp; medical-history disclosures for life-insurance apps). The 250-consumer threshold under NAIC Model Law §6 (varies by state — OH uses 250, MI uses 250, IN uses 250, WI uses 250) is exceeded in OH (88 consumers), MI (52), IN (44), KY (39). The brokerage must notify the DOI in each affected state within 72 hours of determining the event affects 250+ consumers — but each state determines the count separately; aggregation across states doesn't apply. Of the four states, only OH (88) is below the 250 individual-state threshold. Wait — re-analysis: most state Model Law adoptions count "consumers of the licensee" not "consumers in the state." NAIC Model Law §6(B)(1) actually triggers at 250 affected consumers of the licensee regardless of geographic distribution. So the threshold is met. The brokerage must notify the OH DOI, MI DIFS, IN DOI, KY DOI (and any other DOI where the brokerage holds a license, even if not specifically affected, per several state interpretations). Each DOI notification triggers a state-level investigation that may result in enforcement action; the typical resolution is a Consent Order with a $50K-$500K penalty depending on remediation. The agency's engagement contract with the brokerage includes a cybersecurity SLA + indemnity per the brokerage's E&O policy requirements; the indemnity is triggered for the DOI penalties and outside-counsel fees. The agency's E&O policy is triggered. Reputation exposure with the brokerage and the brokerage's peer network of regional brokerages is significant — the NAIC Model Law adoption cycle is recent enough that other brokerages are watching enforcement actions to calibrate their own compliance programs.
ACORD (Association for Cooperative Operations Research and Development) defines the standard data format for P&C policy submissions to carriers. ACORD forms (auto: 90, 91; home: 80, 81; commercial: 125, 126, 127, 130, 140) are submitted to carrier intake APIs as ACORD-formatted XML over HTTPS. Carriers (Travelers, Hartford, Liberty Mutual, Chubb, AIG, Berkshire Hathaway Specialty, Argo, RLI, Sentry, Cincinnati Insurance, Erie, Auto-Owners, Donegal, etc.) each have their own intake API at their own endpoint with their own approved-CA list. Some carriers (Travelers, Hartford, Liberty Mutual) accept Let's Encrypt-chained certs; some carriers (Chubb, AIG specialty lines) require Entrust-chained or DigiCert-chained certs only; some carriers (Berkshire Hathaway Specialty, Argo) have legacy lists from 2018 portal redesigns that don't accept newer CA roots. When the agency's submission relay cert renews and issues a chain not on a particular carrier's accepted list, ACORD submissions to that carrier silently reject — the carrier intake API returns HTTP 403 or HTTP 502 with a generic "TLS handshake failed" message; the agency's submission code logs the failure but the producer-facing UI shows "submission queued for retry" indefinitely
An insurance agency operates the ACORD submission relay for a brokerage handling commercial-lines accounts across 12 carriers including Chubb specialty, AIG specialty, and Berkshire Hathaway Specialty. The cert on acord.brokerageops.com renews from a Let's Encrypt chain to a different intermediate cert. Travelers and Hartford continue accepting. Chubb specialty rejects (Entrust-only). AIG specialty rejects (DigiCert-only with a specific intermediate). Berkshire Hathaway Specialty rejects (legacy 2018 portal redesign). The agency engineer doesn't notice because Travelers and Hartford account for 70% of submission volume; the other 30% queues with "submission queued for retry" status. After 14 days, the brokerage's commercial-lines director notices delayed bind notices on three high-value renewals at Chubb specialty. The bind notice deadline has passed for one of them; the policy is non-renewed; the brokerage's client loses coverage
An insurance agency operates the ACORD submission relay for Commercial-Lines Brokerage Partners, a brokerage handling mid-market commercial-lines accounts ($50M-$500M in annual premium) across 12 carriers. The carrier mix: Travelers (primary general liability), Hartford (workers' comp), Liberty Mutual (commercial property), Chubb specialty (D&O + cyber), AIG specialty (E&O for professional services clients), Berkshire Hathaway Specialty (excess casualty), Argo Group (energy + manufacturing), RLI (executive products), Cincinnati Insurance (mid-market multi-line), Erie (NJ + PA), Auto-Owners (Midwest auto + workers' comp), Donegal (commercial auto in PA + neighboring states). The ACORD submission relay is at acord.commerciallinesbrokerage.com. The cert on this domain renews via Let's Encrypt; the new cert chains through ISRG Root X1 → ISRG Root X2 (the new dual-key chain LE deployed in 2024). Travelers and Hartford's intake APIs accept this chain (they updated their approved-CA lists in 2024). Liberty Mutual accepts. Chubb specialty rejects because Chubb's D&O + cyber intake API was migrated to a new portal in 2019 with a hard-coded approved-CA list of Entrust + DigiCert + GlobalSign — Let's Encrypt was never added because Chubb's specialty-lines IT prefers commercial CAs. AIG specialty rejects because their E&O intake API has an even more restrictive list (DigiCert only with a specific intermediate cert). Berkshire Hathaway Specialty rejects because their excess casualty intake API is a 2018 portal redesign artifact that does cert chain validation against a static trust anchor at a specific Entrust intermediate. Argo, RLI, Cincinnati, Erie, Auto-Owners, Donegal all accept. The agency's submission code logs each TLS handshake failure but the producer-facing UI shows "Submission queued for retry — carrier intake reporting transient unavailability." The "queued for retry" UI has been present since the platform launched; producers are accustomed to seeing it briefly during normal operations. The agency engineer doesn't alert on the persistent retry queue for the three affected carriers because Travelers/Hartford/Liberty Mutual/etc. account for ~70% of submission volume and the dashboard health metrics look fine. The producers for the three affected carriers (Chubb specialty, AIG specialty, Berkshire Hathaway Specialty) are concentrated among 6 senior producers handling high-value mid-market accounts. Bind notices for these accounts have a contractual deadline (usually 5-7 business days from quote acceptance). Over 14 days post-cert-renewal, three high-value renewals at Chubb specialty miss their bind-notice deadlines: a D&O renewal for a healthcare-services client ($2.4M annual premium), a cyber renewal for a software client ($800K premium), an excess casualty renewal at Berkshire Hathaway Specialty for an oil-services client ($1.2M premium). For one of these (the cyber renewal), the bind-notice deadline was a hard cutoff — the policy effective date passes without a new policy binding; the client is non-renewed at the existing terms; coverage lapses; the broker scrambles to place coverage elsewhere at a higher premium (~$200K more) plus uncovered-period exposure. The brokerage's commercial-lines director engages the agency in an emergency call. Investigation traces the failures to the cert chain change. Resolution requires obtaining new certs from Entrust + DigiCert for the affected carriers' intake APIs, installing alongside the LE cert in a SNI-based config. The agency's engagement contract with the brokerage includes cybersecurity SLAs and bind-deadline SLAs with indemnity; the indemnity is triggered for the uncovered-period exposure and the increased-premium delta on the cyber renewal placement. The agency's E&O policy is triggered.
Each state DOI runs its own producer-licensing portal with its own cert chain requirements. CA DOI (CDI), NY DFS, FL OIR, TX TDI, GA OCI, IL DOI, OH DOI, MI DIFS, PA Insurance Department, NJ DOBI — each portal has been built and maintained independently by state IT teams with different cert chain validation approaches. Producer license renewals and continuing-education credit submissions flow through these portals. Renewal cycles concentrate in February-March for most state-DOI cycles (annual renewals due before March 31 for many states; biennial renewals concentrate in the same window). When the agency's submission relay cert renewal issues a chain not on a particular state DOI's accepted list, producer license renewals to that state silently fail; CE credit submissions silently fail. Producers don't notice because the agency's submission UI shows "Submitted to DOI — pending state acknowledgment." The state DOI's acknowledgment cycle is typically 24-72 hours during normal periods, 5-10 days during peak renewal season
An insurance agency operates the producer-licensing submission relay for a brokerage with 80 producers licensed across CA, NY, FL, TX, GA, IL, OH, MI, PA, NJ. The cert on dol.brokerageops.com renews to a Let's Encrypt chain. CA CDI accepts. NY DFS accepts. FL OIR rejects (legacy approved-CA list from a 2017 portal redesign). TX TDI rejects (the portal validates against a specific Entrust intermediate). NJ DOBI rejects (the portal's cert validation is on a vendor-managed third-party that hasn't updated its trust store since 2022). Producer renewals to FL, TX, NJ silently fail during the late-February peak. By the March 31 deadline, 18 producers across the three states are technically unlicensed; the brokerage's production in those states stops; some carriers refuse to bind new business through unlicensed producers
An insurance agency operates the producer-licensing submission relay (dol.brokerageops.com) for Multi-State Insurance Brokerage, a brokerage with 80 producers licensed across 10 states (CA, NY, FL, TX, GA, IL, OH, MI, PA, NJ). The relay handles annual license renewals (most states use March 31 as the renewal deadline, with some states staggering: CA uses producer birth-month-based renewals), CE credit submissions (most states require 24 hours of CE biennially with a March 31 sweep deadline), and license-status updates (address changes, line-of-authority additions). The cert on dol.brokerageops.com is provisioned via Let's Encrypt with a 90-day cycle. The cert renews on February 14 — at the peak of the February-March renewal cycle. The new cert chains through ISRG Root X1. CA CDI accepts the new chain (CA CDI's portal was modernized in 2023 and accepts Let's Encrypt). NY DFS accepts (NY DFS uses an updated trust anchor as part of the 2023 NYCRR Part 500 cybersecurity-program updates). FL OIR rejects: FL OIR's portal is a 2017 redesign artifact with a hard-coded approved-CA list of Entrust + Sectigo + DigiCert; the FL OIR IT team has flagged the list for update but the update is on the FL IT department's FY26 roadmap. TX TDI rejects: the TDI portal's cert chain validation is performed against a specific Entrust intermediate that LE doesn't chain through. NJ DOBI rejects: NJ DOBI's portal cert validation is performed by a vendor-managed third-party (Tyler Technologies) whose trust store hasn't been updated since 2022; LE's ISRG Root X1 was added to mainstream OS trust stores in 2017 but not to Tyler Technologies' embedded validation library. The agency's submission code logs each TLS handshake failure but the producer-facing UI shows "Submitted to DOI — pending state acknowledgment." The state DOI acknowledgment cycle is typically 24-72 hours during normal periods, 5-10 days during the February-March peak. Producers see "pending state acknowledgment" and assume their renewal is in queue. The agency's monitoring dashboard shows aggregate submission counts as healthy because CA + NY + IL + OH + MI + PA submissions all succeed; the three affected states represent 18 producers (FL: 7, TX: 8, NJ: 3). Discovery happens around March 20 when a FL producer attempts to bind a new commercial-lines policy and the carrier (Travelers) rejects the bind because the FL DOI shows the producer's license as "renewal pending — not received." The producer escalates to the brokerage's licensing manager; the licensing manager pulls up the FL DOI dashboard and sees no record of the renewal submission. The licensing manager contacts the agency; the agency engineer investigates and identifies the cert chain rejection. Resolution requires obtaining new certs from one of FL OIR's approved CAs (Sectigo) + TX TDI's approved CA (Entrust) + working with NJ DOBI's vendor to whitelist the LE chain (the vendor's response time is 5-10 business days). For the 18 affected producers, the March 31 deadline is 11 days away. Re-submission requires manual re-keying of renewal applications (the previous queued submissions are unrecoverable from the relay; they didn't complete). The licensing manager and producer-services team work overtime to re-key 18 renewals plus the associated CE credit submissions. 14 of the 18 are completed before March 31; 4 producers (3 in NJ, 1 in TX with a complex line-of-authority addition that requires additional fingerprinting) miss the deadline. For 4 producers technically unlicensed past March 31: carriers refuse to bind new business through them; the brokerage's production in those states stops for the 4 producers; some carriers (Travelers, Hartford) also refuse to process endorsements on existing policies signed by the now-unlicensed producers, requiring temporary reassignment. The brokerage's revenue impact during the 7-21 day unlicensed-period for the 4 producers: $400K in lost new-business commission + $80K in endorsement processing delays. The agency's engagement contract includes cybersecurity SLAs + licensing-deadline SLAs with indemnity; the indemnity is triggered.
How it works
SSL and DNS monitoring for insurance agencies across NAIC Insurance Data Security Model Law scope (30+ state adoptions), ACORD form submission relays (per-carrier chain compatibility), and state DOI producer-licensing endpoints (CA CDI, NY DFS, FL OIR, TX TDI, NJ DOBI with their own legacy approved-CA lists).
Merlonix monitors SSL expiry and DNS integrity across every insurance-attached subdomain — portal.* (client portal), submit.* (policy submission relay), acord.* (ACORD form submission), dol.* (state DOI producer-licensing submission) — and catches cert expiry on NAIC-Model-Law-scope infrastructure before any consumer nonpublic information can transmit over an unencrypted connection and start the 72-hour state DOI reporting clock, before any ACORD submission can be silently rejected by a carrier intake API with an incompatible approved-CA list, and before any state DOI producer-licensing portal can silently reject license renewals during the February-March peak cycle. Each insurance-attached subdomain gets independent monitoring because each one carries independent regulatory exposure.
01
Add every insurance-attached subdomain — portal.*, submit.*, acord.*, dol.*, plus the brokerage's primary marketing domain — with DNS TXT verification that catches cert expiry on NAIC-Model-Law-scope infrastructure 30 days before the 72-hour DOI reporting clock can start
Verify ownership with a DNS TXT record on the apex domain. All insurance-attached subdomains under that apex — portal.* (client portal), submit.* (policy submission relay), acord.* (ACORD form submission), dol.* (state DOI producer-licensing submission), plus the brokerage's primary marketing domain — are added without additional verification. Monitoring every insurance-attached subdomain catches cert expiry on policy-submission infrastructure 30 days before the failure window opens — well before any consumer nonpublic information can transmit over an unencrypted connection and start the 72-hour NAIC-Model-Law DOI reporting clock in 30+ states. Under two minutes per brokerage.
02
Per-carrier cert chain monitoring against the major P&C carriers (Travelers, Hartford, Liberty Mutual, Chubb specialty, AIG specialty, Berkshire Hathaway Specialty) and state DOI producer-licensing portals (CA CDI, NY DFS, FL OIR, TX TDI, NJ DOBI) — surfacing chain compatibility failures the moment a cert renewal happens, not 14 days into a queued-retry queue
Each carrier and state DOI has its own approved-CA list with different update cadences. Merlonix maintains a database of per-carrier and per-DOI chain compatibility, and on every cert renewal at an insurance-attached subdomain, validates the new chain against each downstream consumer's accepted list. When a cert renewal would render an ACORD submission relay incompatible with Chubb specialty (Entrust-only) or a state DOI portal (FL OIR's 2017 approved list), the failure is surfaced immediately — before the producer-facing UI starts showing "Submitted to DOI — pending state acknowledgment" for submissions that will never be acknowledged.
03
SSL monitoring 30 days before expiry across policy submission relays, client portals, and state DOI producer-licensing endpoints — with peak renewal cycle awareness (February-March for most states) so cert renewals are scheduled away from the high-volume window
Full SSL chain validation on every insurance-attached subdomain. Independent checks catch cert expiry 30 days before the failure window opens — enough time to validate the new chain against every downstream carrier intake API and every in-scope state DOI portal, schedule the renewal outside the February-March producer-licensing peak, and coordinate with the brokerage's compliance officer on the 72-hour NAIC-Model-Law reporting posture if the renewal hits any edge cases. The 30-day lead time also covers worst-case Entrust + Sectigo account-opening cycles if the carrier or DOI mix requires a non-LE chain.
04
Vendor status for the major carriers (Travelers, Hartford, Liberty Mutual, Chubb, AIG, Berkshire Hathaway Specialty, Argo, RLI), the state DOI portals, and the major insurance technology vendors (Vertafore AMS360, Applied Epic, EZLynx, HawkSoft) to distinguish vendor-side incidents from per-brokerage SSL configuration failures
Merlonix monitors carrier intake API status, state DOI portal status, and major insurance AMS / rating vendor status alongside the brokerage's cert state — so when a carrier (e.g., Travelers personal-lines intake) has a platform-wide TLS incident, you see the vendor event clearly rather than spending hours investigating whether the brokerage's submit.* subdomain has a per-tenant cert problem. AMS vendor status (Vertafore, Applied, EZLynx, HawkSoft) is monitored because submission relays often integrate via AMS plugins; an AMS-side TLS configuration change can cascade into chain compatibility issues across all carriers.
What the numbers mean for insurance agencies
Monitoring built for insurance agencies where one brokerage portfolio means a client portal (NAIC Model Law NPI-transmission exposure), an ACORD form submission relay (per-carrier intake API chain compatibility exposure across Travelers / Hartford / Liberty Mutual / Chubb specialty / AIG specialty / Berkshire Hathaway Specialty), and a state DOI producer-licensing submission endpoint (per-state approved-CA list exposure across CA / NY / FL / TX / NJ DOIs).
Insurance agencies building client-facing tech for brokerages and producer operations need monitoring that recognizes each insurance-attached subdomain has independent regulatory and operational exposure — because the NAIC-Model-Law-side failure is silent (consumer NPI transmission over an expired cert during a holiday weekend window may not be discovered until carriers report back-end submission failures days later; the 72-hour DOI reporting clock starts from discovery, not from the actual event), the ACORD submission failure is silent (the agency's producer-facing UI shows "Submission queued for retry — carrier intake reporting transient unavailability" for submissions that will never succeed against the affected carrier's intake API), and the state DOI portal failure is silent (producers see "Submitted to DOI — pending state acknowledgment" for renewals that the DOI never received because the cert chain was rejected at the TLS layer).
< 10 min
Time from DNS change to alert — catches CAA tightening introduced during NY DFS Part 500 or NAIC Model Law cybersecurity-program documentation projects, registrar nameserver changes during AMS migrations (Vertafore AMS360 → Applied Epic conversions, etc.), and CNAME modifications on ACORD submission relays
30 days
SSL expiry warning lead time — enough time to validate the new cert chain against every downstream carrier intake API + every in-scope state DOI portal, schedule the renewal outside the February-March producer-licensing peak (when state DOI acknowledgment cycles stretch from 24-72 hours to 5-10 days), and obtain a non-LE cert from Entrust / DigiCert / Sectigo if a carrier or DOI mix requires it
11 vendors
Upstream services monitored — Travelers, Hartford, Liberty Mutual, Chubb, AIG, Berkshire Hathaway Specialty, Argo, plus state DOI portals (CA CDI, NY DFS, FL OIR, TX TDI, NJ DOBI), plus AMS vendors (Vertafore, Applied, EZLynx, HawkSoft). Distinguishes a vendor-side carrier intake or DOI portal incident from a per-brokerage SSL configuration failure
200 assets
Maximum monitored domains on the Agency plan — covers a full insurance-vertical portfolio: 25+ brokerages each with portal.*, submit.*, acord.*, dol.*, and apex subdomains. Multi-state brokerages with separate dol.* subdomains per state (dol.ca.brokerageops.com, dol.ny.brokerageops.com) for licensing-jurisdiction segregation are absorbed without per-domain fees
Pricing
Flat monthly fee. Every insurance-attached subdomain, every ACORD submission relay, every state DOI producer-licensing endpoint included.
No per-brokerage charges. No per-state fees. Pick the tier that fits your insurance-vertical portfolio and monitor every NAIC-Model-Law-scope subdomain (portal.*, submit.*, acord.*, dol.*) under each brokerage's apex without billing surprises.
Starter
For solo insurance-tech developers or two-person agencies operating a single brokerage's client portal, ACORD submission relay, and state DOI submission endpoint under one apex domain.
$29/ month
- 10 monitored assets
- 1 seat
- 15-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Team
For insurance agencies managing 3-5 brokerage clients with separate portal.*, submit.*, acord.*, and dol.* subdomains per brokerage, plus the brokerage's primary marketing domain.
$79/ month
- 50 monitored assets
- 5 seats
- 10-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Agency
For agencies with a full insurance-vertical client roster including multi-state brokerages licensed in 10+ states, commercial-lines brokerages submitting to 12+ carriers (including specialty lines at Chubb / AIG / Berkshire Hathaway Specialty), and Vertafore AMS360 / Applied Epic / EZLynx integration relays.
$199/ month
- 200 monitored assets
- 15 seats
- 5-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Know when a policy-submission relay is approaching cert expiry — 30 days before the 72-hour NAIC Model Law DOI reporting clock can start in any of the 30+ states that have adopted it.
Add your first brokerage subdomain in under two minutes. Client portals, ACORD form submission relays, state DOI producer-licensing endpoints, and AMS integration relays across every brokerage in your portfolio are monitored from the same dashboard. 14-day trial, no card required.