Agencies share their book with us via direct AMS API, Zapier, or CSV export. We use it for exactly one purpose: scoring the book for monoline households, upcoming renewals, and coverage gaps, generating the Book X-Ray report, and running campaigns the agency approves.
Each agency's data is logically isolated. It is never mixed with or visible to any other agency.
The data we access
We access the fields needed to score and work the book:
Client and household contact info
Policy details (line, carrier, premium, effective and expiration dates, status)
Activity recency
We do not request or store SSNs, driver's license numbers, bank or card details, claims files, or health information. If a CSV contains those fields, they are dropped at import.
Where it lives
PostgreSQL on Railway in US data centers
Private object storage on Railway (book uploads; no public access)
Site on Netlify
Campaign execution in the agency's own GoHighLevel sub-account
We use TLS 1.2+ in transit and AES-256 at rest. Secrets live in managed storage, never in code. Backups are encrypted and rolling.
Who can touch it
Least privilege, named team members only
MFA on all admin accounts
Access revoked the same day a role changes
No offshore contractors with production database access
Subprocessors
Mach 5 Agent subprocessors and what they handle
Vendor
Role
Railway
App hosting, Postgres, and private book-file storage (US)
Netlify
Site and report hosting
GoHighLevel
CRM and campaign execution in the agency's own sub-account
Anthropic
AI analysis via API (API data is not used to train models)
Thinkr AI
Voice AI for calls
Google Workspace
Internal email and files
How we contact your clients
Outreach targets the agency's existing and former clients (established business relationship)
Consent is captured at onboarding
Opt-outs are honored immediately across call, text, and email
Call recording disclosure where required
Quiet hours are enforced
We do not use ringless voicemail, anywhere, ever
Retention and deletion
Data is retained only while the agency is active. After cancellation or a written request, we purge it from production and backups within 30 days. Deletion is confirmed in writing. An export of the agency's own data is available before deletion.
If something goes wrong
Affected agencies are notified within 72 hours with what happened, what data was involved, and remediation.
Questions, questionnaires, or data requests
Email info@mach5agent.com for security questionnaires, vulnerability reports, or data requests. We respond within one business day.
Mach 5 Agent is built and operated by the team behind Burch Insurance Group, an active independent P&C brokerage. Everything runs on our own book first.