Building Insurely: InsurTech Platform from Zero to VAPT Certified
Policy issuance went from 3–5 days to under 3 minutes. Claims from 45 days to 12. Here is how we built a VAPT-certified InsurTech platform in 5 months.
The Problem
Insurely was operating a traditional insurance business with a fully manual process. Policy issuance required 3–5 days of back-and-forth paperwork. Claims took 45 days on average. KYC was done manually with physical document collection. The business was growing, but the operations could not scale.
They came to us with a clear goal: build a digital insurance platform that could issue policies instantly, automate claims processing, and pass a VAPT (Vulnerability Assessment and Penetration Testing) audit — a requirement for their regulatory compliance.
Architecture Decisions
The stack: Next.js for the frontend, Node.js for the backend API, PostgreSQL for the primary database, and AWS for infrastructure. Razorpay for payment processing. We chose PostgreSQL over a NoSQL option specifically because insurance data requires strong consistency and complex relational queries — policy-to-claim relationships, audit trails, and financial reconciliation all benefit from a relational model.
For the KYC flow, we integrated with a third-party KYC provider via API. The integration needed to be fast — our target was KYC completion in under 3 minutes — and resilient, with proper retry logic and fallback handling for API failures.
The KYC Flow
The KYC flow was the most technically complex part of the build. A user submits their Aadhaar or PAN details, we call the KYC provider API, receive a verification result, and either proceed to policy issuance or flag for manual review — all in real time.
We built a state machine to manage the KYC flow: pending, in-progress, verified, failed, manual-review. Each state transition was logged to an immutable audit trail in PostgreSQL. This audit trail was critical for the VAPT certification — auditors needed to see that every KYC decision was traceable.
The result: KYC completion in under 3 minutes for 94% of users. The remaining 6% went to manual review, down from 100% previously.
Instant Policy Issuance
Once KYC was verified, policy issuance needed to be instant. We built a policy generation engine that created a PDF policy document, stored it in AWS S3, and sent it to the customer via email — all within seconds of payment confirmation.
Razorpay webhooks triggered the policy issuance flow. We used idempotency keys to ensure that even if a webhook was delivered multiple times (which Razorpay does for reliability), the policy was only issued once. This was a subtle but critical detail — duplicate policy issuance would have been a serious compliance issue.
Claims Automation
The claims flow was redesigned from scratch. Instead of a paper form, customers submitted claims through a digital portal with document uploads. The system automatically validated the claim against the policy terms, calculated the eligible amount, and routed it to the appropriate approver based on claim size.
Claims under a threshold were auto-approved and processed within 24 hours. Larger claims went to a human reviewer with all relevant data pre-populated. Average claims processing time dropped from 45 days to 12 days.
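The validate-compute-route step described in the two paragraphs above, as an added example (not Insurely's or RapidStackLab's code). The policy and claim shapes, the document requirements, the threshold values and the two human-review tiers are constructed assumptions. The practitioner's point is that the eligible amount is derived server-side from policy terms and never accepted from the client, and that every rejection carries the reasons so the customer-facing portal can report them without a second round trip.

```javascript
// Added example, not Insurely's or RapidStackLab's code. All shapes, thresholds and
// sample data below are constructed assumptions.
const AUTO_APPROVE_LIMIT = 25000;      // eligible amount at or below this is auto-approved
const SENIOR_REVIEW_FRACTION = 0.5;    // above this share of the sum insured goes to a senior adjuster

function assessClaim(policy, claim) {
  const reasons = [];
  if (policy.status !== "active") reasons.push("policy is not active");

  const incident = Date.parse(claim.incidentDate);
  if (Number.isNaN(incident) ||
      incident < Date.parse(policy.startDate) ||
      incident > Date.parse(policy.endDate)) {
    reasons.push("incident date outside policy term");
  }
  if (!policy.coveredEvents.includes(claim.eventType)) {
    reasons.push(`event type not covered: ${claim.eventType}`);
  }
  if (!Number.isFinite(claim.amountClaimed) || claim.amountClaimed <= 0) {
    reasons.push("claimed amount must be a positive number");
  }
  const required = policy.requiredDocuments[claim.eventType] || [];
  const missing = required.filter((doc) => !claim.documents.includes(doc));
  if (missing.length) reasons.push(`missing documents: ${missing.join(", ")}`);

  if (reasons.length) {
    return { decision: "rejected", eligibleAmount: 0, route: "return-to-customer", reasons };
  }

  // Eligible amount comes from policy terms only; the client never supplies it.
  const remainingCover = policy.sumInsured - policy.paidOut;
  const eligibleAmount = Math.max(0, Math.min(claim.amountClaimed - policy.deductible, remainingCover));

  let route;
  if (eligibleAmount <= AUTO_APPROVE_LIMIT) route = "auto-approve";
  else if (eligibleAmount <= policy.sumInsured * SENIOR_REVIEW_FRACTION) route = "adjuster";
  else route = "senior-adjuster";

  return {
    decision: route === "auto-approve" ? "approved" : "pending-review",
    eligibleAmount,
    route,
    reasons,
  };
}

// Constructed sample: one policy and four claims exercising each path.
function runSampleClaims() {
  const policy = {
    id: "POL-0001", status: "active", startDate: "2025-01-01", endDate: "2025-12-31",
    sumInsured: 500000, deductible: 5000, paidOut: 0,
    coveredEvents: ["hospitalization", "accident"],
    requiredDocuments: {
      hospitalization: ["discharge-summary", "hospital-invoice"],
      accident: ["fir-copy", "medical-report"],
    },
  };
  const claims = [
    { id: "CLM-1", eventType: "hospitalization", incidentDate: "2025-03-10", amountClaimed: 20000,
      documents: ["discharge-summary", "hospital-invoice"] },
    { id: "CLM-2", eventType: "accident", incidentDate: "2025-06-02", amountClaimed: 300000,
      documents: ["fir-copy", "medical-report"] },
    { id: "CLM-3", eventType: "hospitalization", incidentDate: "2025-03-10", amountClaimed: 20000,
      documents: ["discharge-summary"] },
    { id: "CLM-4", eventType: "theft", incidentDate: "2026-01-05", amountClaimed: 8000, documents: [] },
  ];
  return claims.map((claim) => ({ id: claim.id, ...assessClaim(policy, claim) }));
}
```

The reviewer-facing record for a `pending-review` claim is the returned object plus the uploaded documents, which is what "pre-populated" means in practice: the human sees the computed amount and the checks that already passed rather than re-deriving them.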
Security & VAPT Certification
VAPT certification was a hard requirement. We built security in from day one rather than retrofitting it at the end. All data at rest was encrypted with AES-256. All data in transit used TLS 1.3. We implemented rate limiting on all API endpoints, input validation at every layer, and SQL injection prevention via parameterized queries throughout.
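One of the controls listed above, rate limiting on every API endpoint, as an added example (not Insurely's or RapidStackLab's code). It is a token-bucket limiter with an injectable clock, plus an Express-style middleware whose request and response shape is assumed rather than taken from the post; the capacity, refill rate and client keys are constructed. Two tokens per second against a burst of five is deliberately small so the behaviour is easy to follow.

```javascript
// Added example, not Insurely's or RapidStackLab's code. Capacity, refill rate and the
// client keys are constructed; the req/res shape is the usual Express one, assumed here.
class TokenBucketLimiter {
  constructor({ capacity, refillPerSecond, now = () => Date.now() }) {
    this.capacity = capacity;
    this.refill = refillPerSecond;
    this.now = now;
    this.buckets = new Map(); // key -> { tokens, last }
  }

  // Returns whether the request may proceed and, if not, how long to wait.
  allow(key, cost = 1) {
    const t = this.now();
    let bucket = this.buckets.get(key);
    if (!bucket) {
      bucket = { tokens: this.capacity, last: t };
      this.buckets.set(key, bucket);
    }
    // Refill lazily based on elapsed time; never exceed capacity.
    const elapsedSeconds = (t - bucket.last) / 1000;
    bucket.tokens = Math.min(this.capacity, bucket.tokens + elapsedSeconds * this.refill);
    bucket.last = t;

    if (bucket.tokens >= cost) {
      bucket.tokens -= cost;
      return { allowed: true, remaining: Math.floor(bucket.tokens), retryAfterMs: 0 };
    }
    const retryAfterMs = Math.ceil(((cost - bucket.tokens) / this.refill) * 1000);
    return { allowed: false, remaining: 0, retryAfterMs };
  }
}

// Express-style middleware. keyFor decides what a "client" is: the authenticated user id
// on logged-in routes, the client address on login/OTP routes.
function rateLimit(limiter, keyFor = (req) => req.ip) {
  return (req, res, next) => {
    const verdict = limiter.allow(keyFor(req));
    res.setHeader("X-RateLimit-Remaining", String(verdict.remaining));
    if (verdict.allowed) return next();
    res.setHeader("Retry-After", String(Math.ceil(verdict.retryAfterMs / 1000)));
    res.status(429).json({ error: "rate limit exceeded" });
  };
}

// Constructed scenario with a fake clock: a burst of seven, a two-second pause, then
// three more requests, and one request from a different client.
function simulateBurst() {
  let clock = 0;
  const limiter = new TokenBucketLimiter({ capacity: 5, refillPerSecond: 1, now: () => clock });
  const burst = [];
  for (let i = 0; i < 7; i++) burst.push(limiter.allow("203.0.113.7").allowed);
  const deniedVerdict = limiter.allow("203.0.113.7");
  clock += 2000; // two seconds later, two tokens have been refilled
  const afterWait = [1, 2, 3].map(() => limiter.allow("203.0.113.7").allowed);
  const otherClient = limiter.allow("203.0.113.8").allowed;
  return { burst, retryAfterMs: deniedVerdict.retryAfterMs, afterWait, otherClient };
}
```

The in-memory map suits a single process; behind a load balancer the bucket state moves to a shared store such as Redis so all API replicas see the same counts. When keying by address, read the client IP only from a forwarding header set by a trusted proxy (the AWS load balancer here), since a header the client can set is not a rate-limit key.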
We engaged a VAPT auditor in month 4, before the final month of development. This gave us time to address any findings before launch. The audit identified 3 medium-severity issues — all related to session management edge cases — which we resolved within a week. The platform passed VAPT certification before go-live.
Results
- ✓ Policy issuance: 3–5 days → under 3 minutes
- ✓ Claims processing: 45 days → 12 days average
- ✓ KYC completion: 94% under 3 minutes
- ✓ AES-256 encryption + VAPT certified
- ✓ Delivered in 5 months, on schedule
What We Learned
InsurTech is one of the most technically demanding verticals we work in. The combination of real-time KYC, payment processing, document generation, and regulatory compliance requirements means there is very little room for shortcuts.
The key lesson: engage your compliance auditor early. We brought in the VAPT team in month 4 of a 5-month project. That one-month buffer to address findings was essential. If we had waited until after launch, we would have been in a difficult position.
Insurely is now processing policies and claims at a scale that would have been impossible with their previous manual process. It is one of the projects we are most proud of.
RapidStackLab · Est. Nov 2025 · India, USA, UAE & Europe