Marrow

Compliance

Marrow is built for regulated industries. Here is how we handle data, privacy, and compliance.

Data handling

No PII storage

Marrow is stateless by design. Risk data submitted through the API or MCP server is forwarded to the insurers, used to generate quotes, and then discarded. We never write end-user PII to disk, to a database, or to logs.

Data flow

At no point does Marrow persist personal information. API logs retain metadata only (timestamps, quote IDs, insurer names), never the request body. Note that data forwarded to an insurer is then held under that insurer's own retention policy, not Marrow's.
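The "metadata only, never the body" rule is easiest to keep when the log record is built from an allowlist of metadata fields rather than by redacting PII out of the full request. The following is an added illustration, not Marrow's own code: the request context, field names (`request_body`, `insurers`, `latency_ms`) and sample data are constructed for the example. It also includes a test-time check that scans the serialised log line for any value taken from the request body, which catches PII that is copied into a metadata field by accident.

```python
import json

# Allowlist of keys that may reach the API log. Anything not named here is
# dropped, so a field added to the request schema later cannot leak by default.
# (Field names are assumptions for this example, not Marrow's real schema.)
LOGGABLE = frozenset({"ts", "quote_id", "insurers", "status", "latency_ms"})

# Constructed sample of everything a handler holds in memory for one request.
SAMPLE_CTX = {
    "ts": "2025-01-15T10:32:07+00:00",
    "quote_id": "q_7f3a9c",
    "request_body": {  # end-user PII: must never appear in the log
        "applicant": {"name": "Jane Example", "dob": "1984-03-12",
                      "postcode": "SW1A 1AA", "email": "jane@example.com"},
        "vehicle": {"reg": "AB12 CDE", "make": "Ford"},
    },
    "insurers": ["acme-mutual", "northwind"],
    "status": "quoted",
    "latency_ms": 812,
}


def log_record(ctx):
    """Reduce a full in-memory request context to its loggable metadata."""
    return {k: ctx[k] for k in LOGGABLE if k in ctx}


def _leaf_values(obj):
    """Yield every scalar value nested anywhere in a JSON-like object."""
    if isinstance(obj, dict):
        for v in obj.values():
            yield from _leaf_values(v)
    elif isinstance(obj, (list, tuple)):
        for v in obj:
            yield from _leaf_values(v)
    elif obj is not None:
        yield str(obj)


def leaked_values(record, request_body, min_len=4):
    """Return request-body values that appear in the serialised log line.

    A belt-and-braces check for tests: even with an allowlist, a value copied
    into a metadata field (say, a status string that echoes the applicant's
    name) shows up here. Values shorter than `min_len` are skipped so that
    two-character country codes or single digits do not match by accident.
    """
    line = json.dumps(record, default=str)
    return sorted({v for v in _leaf_values(request_body)
                   if len(v) >= min_len and v in line})


if __name__ == "__main__":
    rec = log_record(SAMPLE_CTX)
    print(json.dumps(rec))
    print("leaks:", leaked_values(rec, SAMPLE_CTX["request_body"]))
```

Run the leak check in your test suite against every log record your integration emits; it is cheap, and it turns "we never log PII" from a policy statement into something a failing test can enforce.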

Encryption

  • All traffic, inbound from your application and outbound to insurers, is encrypted in transit with TLS 1.3
  • Risk data is processed in memory only; no PII is stored at rest

Regulatory

GDPR and CCPA

Because we do not persist PII, Marrow minimises your exposure under both GDPR and CCPA. We act as a data processor under GDPR, and our Data Processing Agreement (DPA) is available on request.

You remain the data controller. You are responsible for having an appropriate lawful basis (for example, consent) and for giving end-users the required notices before submitting their data for insurance quotes.

AI-specific considerations

No hallucinated quotes

Marrow returns only real quotes from licensed insurers. Quotes are delivered through a structured tool interface, and every number in a Marrow response comes directly from an insurer API, so the LLM has no free-text channel through Marrow in which to invent coverage terms or pricing. Note that this constrains what Marrow returns, not how your agent relays it: have the agent pass quote figures through verbatim rather than paraphrasing them.

Audit trail

Every quote and bind event has a unique ID and timestamp. You can reconstruct the full decision trail (what was requested, which insurers responded, and what was bound) using the API alone.

Human-in-the-loop

For high-value policies or unusual risk profiles, an insurer may return "bindable": false and require manual underwriting review. Marrow surfaces this clearly so your agent can set the right expectations with the end-user instead of promising a policy it cannot bind.
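The two sections above (Audit trail and Human-in-the-loop) describe the same data from two angles: a time-ordered list of quote and bind events, each with its own ID, from which an auditor reconstructs what happened and from which the agent decides what to tell the end-user. The following is an added example, not Marrow's own code: the event types and field names (`quote.requested`, `quote.response`, `bind`, `bindable`, `reason`, `bind_id`) and the sample events are assumptions made for illustration, so consult the API reference for the real shape. Beyond the page's description it also flags an inconsistency an auditor would want to see: a bind recorded against an insurer that never returned a bindable quote.

```python
# Constructed sample events, in the shape an event listing might return.
# Field names are assumed for this example, not Marrow's real schema.
SAMPLE_EVENTS = [
    {"type": "quote.requested", "id": "ev_01", "quote_id": "q_7f3a9c",
     "ts": "2025-01-15T10:32:07Z"},
    {"type": "quote.response", "id": "ev_02", "quote_id": "q_7f3a9c",
     "ts": "2025-01-15T10:32:08Z", "insurer": "northwind", "bindable": False,
     "reason": "manual underwriting review required"},
    {"type": "quote.response", "id": "ev_03", "quote_id": "q_7f3a9c",
     "ts": "2025-01-15T10:32:08Z", "insurer": "acme-mutual", "bindable": True},
    {"type": "bind", "id": "ev_04", "quote_id": "q_7f3a9c",
     "ts": "2025-01-15T10:40:11Z", "insurer": "acme-mutual", "bind_id": "b_19e2"},
    # An unrelated quote that must not bleed into the trail above.
    {"type": "quote.requested", "id": "ev_05", "quote_id": "q_0000aa",
     "ts": "2025-01-15T11:00:00Z"},
]


def reconstruct_trail(events, quote_id):
    """Order the events for one quote ID into a decision trail.

    Returns the request time, every insurer response in arrival order,
    the bind (if any), the insurers that asked for manual review, and any
    anomalies found while replaying. Events for other quote IDs are ignored.
    Ties on timestamp are broken by event ID so the replay is deterministic.
    """
    mine = sorted((e for e in events if e["quote_id"] == quote_id),
                  key=lambda e: (e["ts"], e["id"]))
    trail = {"quote_id": quote_id, "requested_at": None, "responses": [],
             "bound": None, "needs_review": [], "anomalies": []}
    for e in mine:
        if e["type"] == "quote.requested":
            trail["requested_at"] = e["ts"]
        elif e["type"] == "quote.response":
            trail["responses"].append(
                (e["insurer"], bool(e["bindable"]), e.get("reason")))
            if not e["bindable"]:
                trail["needs_review"].append(e["insurer"])
        elif e["type"] == "bind":
            bindable = {ins for ins, ok, _ in trail["responses"] if ok}
            if e["insurer"] not in bindable:
                # A bind should only follow a bindable quote from that insurer.
                trail["anomalies"].append(
                    f"bind {e['bind_id']} for {e['insurer']} "
                    "without a preceding bindable quote")
            trail["bound"] = {"insurer": e["insurer"],
                              "bind_id": e["bind_id"], "ts": e["ts"]}
    return trail


def next_step(trail):
    """What the agent should tell the end-user, given the trail so far."""
    if trail["bound"]:
        return "bound"
    if any(ok for _, ok, _ in trail["responses"]):
        return "offer_bindable_quotes"
    if trail["needs_review"]:
        return "await_manual_underwriting"
    return "no_quotes_yet"


if __name__ == "__main__":
    t = reconstruct_trail(SAMPLE_EVENTS, "q_7f3a9c")
    print(t)
    print("next step:", next_step(t))
```

The point of replaying from events rather than from a summary field is that each step is anchored to an event ID and timestamp, so a dispute about why a policy was (or was not) bound can be settled from records the API already holds, without Marrow ever having stored the underlying PII.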

Questions?

If you have compliance questions not covered here, contact compliance@trymalcolm.com.