Network
Environment Fully Isolated
All traffic is routed through private networks with defense-in-depth controls.
🇺🇸
All Data Resides in the United States
Region: us-central1 (Council Bluffs, Iowa)
- Policyholder PII
- Claims data
- Model inputs/outputs
- Audit logs
No data replication outside US jurisdiction. Compliant with state insurance data residency requirements.
VPC Network
production-vpc
- Subnet Range: 10.0.0.0/20
- Region: us-central1
- Private Google Access: Enabled
- Flow Logs: Enabled
HA VPN Gateway
production-vpn-gw
- Protocol: IKEv2
- Peer IP: 203.0.113.1
- Tunnel 0: Established
- Tunnel 1: Established
Cloud Armor / WAF
production-waf-policy
- Rate Limiting: 1,000 req/min per IP
- Geo-blocking: Block high-risk regions
- OWASP Top 10: SQL injection, XSS, LFI protection
- Bot Detection: reCAPTCHA Enterprise integration
- IP Allowlist: Admin access restricted to VPN ranges
Private Service Connect
No public endpoints
- Cloud SQL: Connected via private IP (10.0.1.3) — no public IP assigned
- Secret Manager: Accessed via VPC Service Controls perimeter
- Cloud Storage: Accessed via Private Google Access — no internet egress
Firewall Rules
62 rules configured
- Default deny ingress from 0.0.0.0/0
- Internal traffic allowed (10.0.0.0/20)
- GCP health check ranges whitelisted
- SSH restricted to IAP ranges (35.235.240.0/20)