Insurance Specification — Broker Submission
Coverage specification prepared by Hardline Lending, Inc. for distribution to insurance brokers (Coalition, At-Bay, Resilience, Embroker, Marsh, Aon, Lockton, Newfront, Vouch, or comparable).
Version 1.0-draft · Last updated: 2026-05-10 · Effective: Submission package — for binding pre-launch
1. Business Overview (For Underwriter)
Hardline Lending, Inc. is the planned operating company (entity status pending confirmation) operating an online marketplace at hardlinelending.com that connects accredited private real-estate lenders with sponsors seeking business-purpose loans secured by non-owner-occupied real property (fix-and-flip, bridge, ground-up construction, DSCR rental, value-add multifamily). Hardline is a software platform only: Hardline does not originate, underwrite, fund, broker, escrow, service, or hold any borrower or lender money. All money movement occurs off-platform via wire between counterparties.
Technology stack: Next.js 14 (Vercel hosting), Supabase Postgres (us-east-1), Supabase Auth, Stripe (subscription billing, identity verification), Resend (transactional email), Cloudflare (CDN/WAF), Sentry (error monitoring). Hardline stores no payment-card data; card data is handled entirely within Stripe's PCI scope. Hardline retains no biometrics. Headcount: founder-only at submission, 2-4 contractors and 1-2 employees by year-end. No prior insurance claims, no current litigation, no current regulatory investigation. Hardline maintains a full legal suite (Terms, Privacy, WISP, Incident Response Plan, Risk Disclosure, Architecture Memo, State Licensing Memo) at hardlinelending.com/legal.
2. Top 5 Risks
- Cyber breach of user PII or document store. Supabase database compromise, S3 document-store leakage, or stolen developer credentials. State breach-notification statutes in 54 jurisdictions plus federal FTC Act §5 plus CCPA §1798.150 ($100–$750 per consumer per incident). Loss: $250K–$2M.
- Regulatory inquiry or enforcement. DFPI inquiry letter, FTC CID, state AG inquiry alleging unlicensed mortgage brokering, deceptive disclosures, or unfair marketing. Defense costs $100K–$500K even without adverse ruling. Penalties $25K–$1M+.
- Wire fraud / social engineering of users. Threat actor compromises user email and inserts altered wire instructions; user wires to attacker. Hardline liability theory: failure to warn, failure to detect. Defense cost $100K+. Loss $50K–$500K plus reputational damage.
- Vendor failure / supply-chain attack. Supabase, Vercel, Stripe, or Resend breach. Hardline may be primary respondent as data controller.
- D&O exposure. Founder/CEO and future directors face derivative-suit exposure (failure of oversight under Marchand / Caremark), regulatory-officer-liability exposure, and shareholder-suit exposure post-financing. Defense costs $250K–$5M+ for material matters.
3. Required Policy Lines, Limits, Retentions
3.1 Cyber Liability
Limits: $2,000,000 each claim / $2,000,000 aggregate. Retention: $50,000. Trigger: Claims-made-and-reported, full prior-acts back to Hardline’s incorporation.
Required sublimits:
- Breach response costs (legal, forensics, notification, credit monitoring, PR): $1,000,000 sublimit.
- Regulatory defense and fines/penalties: $1,000,000 sublimit; must include FTC, CFPB, AG, DFPI, state-privacy-regulator actions; insurable CCPA statutory damages.
- Business interruption: $500,000 sublimit, 8-hour waiting period; dependent-BI for Supabase, Vercel, Stripe, Cloudflare, Resend.
- Cyber extortion / ransomware: $1,000,000 sublimit, affirmative coverage, no co-insurance.
- Social engineering / cyber crime: $500,000 sublimit (Hardline preference; $250K minimum).
- Funds-transfer fraud: $250,000 sublimit.
- Reputational harm / income loss: $250,000 sublimit.
- System failure (errors causing outage): $500,000 sublimit.
3.2 Technology Errors & Omissions
Limits: $2,000,000 each claim / $2,000,000 aggregate (may share with Cyber tower). Retention: $25,000. Must cover negligent acts/errors/omissions in software development, failure of platform to perform as intended, third-party-vendor failures attributable to Hardline, breach of warranty regarding platform function, and IP infringement (other than patent) in user-generated content.
3.3 Directors & Officers
Limits: $3,000,000 each claim / $3,000,000 aggregate. Retention: $25,000 non-indemnifiable, $100,000 indemnifiable, $0 for Side A. Sides A/B/C; Side A DIC wrap once board is formed.
Required endorsements: (a) affirmative regulatory-defense coverage for CIDs, subpoenas, and inquiry letters from any U.S. regulator; (b) deletion or narrowing of insured-vs-insured exclusion; (c) full personal-conduct severability and severability of application; (d) deletion of any professional-services exclusion that swallows regulatory action; (e) narrowing of regulatory-fine exclusion to preserve defense-cost coverage even where the underlying fine is uninsurable; (f) entity-investigation coverage at least $250,000 sublimit.
3.4 Commercial Crime
Limits: $250,000 minimum (Hardline preference $500,000). Retention: $5,000. Coverage for employee theft, computer fraud, funds-transfer fraud, social engineering, forgery, and money-and-securities.
3.5 Commercial General Liability
Limits: $1,000,000 each occurrence / $2,000,000 general aggregate / $2,000,000 products-completed-operations aggregate. Retention: $0. Bodily injury, property damage, personal and advertising injury, medical payments.
3.6 Employment Practices Liability (EPLI)
Defer until first W-2 hire. Then: $1,000,000 each claim / $1,000,000 aggregate, $10,000 retention, third-party-discrimination coverage, wage-and-hour defense $250,000.
3.7 Workers’ Compensation
Defer until office or hires. Workers’ comp statutorily required upon first employee in most states.
4. Exclusions to Negotiate Out (or Narrow)
- BIPA / biometric exclusion. Hardline does not retain biometrics; Stripe Identity is the controller. Negotiate deletion; if refused, accept only with defense-cost-only carve-back of at least $250,000.
- California exclusion. Delete or substantially narrow; California user exposure is significant.
- Regulatory-fine exclusion. Narrow to fines uninsurable as a matter of public policy; preserve defense-cost coverage in all cases.
- Unencrypted-data / failure-to-maintain-standards exclusion. Require gross-negligence trigger; preserve 30-day patch-grace carve-back.
- War / state-sponsored cyber exclusion. Post-Merck v. ACE: demand LMA5564 or equivalent “cyber operations” clause preserving coverage for non-attributable nation-state attacks.
- Conduct exclusions. Final-adjudication trigger only (not “in fact”, not allegations); personal-conduct severability; application severability.
- Insured-vs-insured. Narrow as in §3.3.
5. Required Endorsements
- Full prior-acts coverage back to incorporation date.
- Broad regulatory-defense endorsement for FTC, CFPB, SEC, DOJ, AGs, state banking departments, DFPI, state real-estate commissions, state insurance departments.
- Affirmative ransomware coverage; no “intentional act” exclusion for ransom payment.
- Bilateral ERP option of at least 12 months at no more than 100% of expiring premium; 36-/72-month options pre-negotiated for change of control.
- Worldwide territory and jurisdiction with worldwide-suit coverage (subject to sanctions screening).
- Choice of counsel for breach response; panel rates pre-negotiated.
- Vendor / dependent-BI with named-vendor list: Supabase, Vercel, Stripe, Cloudflare, Resend, GitHub, Sentry.
- Investigation-cost coverage for subpoenas, CIDs, and informal regulatory inquiries that have not ripened into formal claims.
6. Underwriter Questionnaire — Pre-Answers
- MFA: required for all administrative consoles; user TOTP available.
- Encryption: TLS 1.2+ in transit; AES-256 at rest (database, storage).
- IRP: written, tested annually; published at /legal/incident-response. Breach matrix at /legal/breach-notification-matrix.
- Vendor management: inventory in WISP; DPAs executed with all data-handling vendors; annual reviews.
- Training: security/privacy at onboarding and annually; phishing simulations quarterly.
- Backup: Supabase PITR 7 days; daily snapshots 30 days; weekly 90 days; document store versioned.
- Endpoint: full-disk encryption on all admin workstations; MDM on company-issued devices upon first hire.
- Network: Cloudflare WAF with managed rules; rate-limiting; bot mitigation; Vercel DDoS; Supabase RLS on all production tables.
- Access controls: least-privilege; production DB requires SSO + MFA + audit logging; code-review for all production deploys.
- Logging/monitoring: Sentry, Vercel, Supabase logs; alerting on anomalous activity.
- Pen test: annual; first within 90 days of public launch.
- Background checks: on employees and contractors with production access.
- Patch management: Dependabot / Snyk; critical patched within 7 days; high within 30.
- Prior claims / regulatory inquiries / litigation: None.
7. Carriers and Approximate Premium Ranges
- Cyber + Tech E&O combined ($2M/$2M): $4,500–$12,000/year. Coalition, At-Bay, Resilience, Embroker, Cowbell, Corvus, Beazley, Tokio Marine HCC.
- D&O ($3M/$3M): $5,000–$18,000/year pre-financing. AmTrust, Hiscox, Travelers, Beazley, Berkley, AIG.
- Crime ($250K–$500K): $1,000–$3,000/year. Travelers, Hartford, Chubb, Federal.
- CGL ($1M/$2M): $500–$1,500/year. Hartford, Travelers, Hiscox, NEXT.
- Umbrella ($5M): $1,500–$3,500/year. Defer to year two.
- Total budget pre-launch: $11,000–$34,500 first-year all-in.
8. Renewal Cadence
- Year two: Add umbrella ($5M–$10M); add EPLI on first hire; consider increasing cyber to $3M–$5M.
- Post-priced-round: D&O likely needs $5M–$10M with Side A DIC wrap.
- Post-revenue $5M: Reassess cyber sublimits, particularly business interruption and dependent BI.
- Each renewal: Review prior-acts retroactive date (must roll forward, not reset).
9. Notice of Claim Procedures
Events requiring notice to broker and carrier:
- Any written demand for money, services, or non-monetary relief.
- Any subpoena, CID, or formal regulatory inquiry letter.
- Any actual or threatened lawsuit, arbitration, or administrative proceeding.
- Any incident under the Incident Response Plan classified P0 or P1.
- Any data-security event likely to require notification to any regulator or affected individual.
- Any threat letter from counsel, journalist inquiry indicating a coming story, or social-media campaign at scale.
- Any director or officer becoming aware of facts that could give rise to a claim in their corporate capacity.
Hardline’s internal target: notice within five (5) business days of CEO awareness. For P0 incidents, notice within twenty-four (24) hours.
Conduct after any of the above:
- Do not admit liability, settle, or agree to pay anything without carrier consent.
- Do not engage counsel of choice without confirming carrier panel rules.
- Do not discuss externally except with counsel and carrier representatives.
- Do not delete documents related to the matter; Litigation Hold Policy attaches automatically.
10. Broker Deliverables
- Side-by-side comparison of at least three (3) bound quotes against this specification.
- Redline of each policy form against the specification, highlighting deviations.
- Confirmation of full prior-acts coverage and roll-forward of retroactive date on renewal.
- Loss-runs / no-loss-letter draft.
- Annual carrier-stewardship report.
- 24/7 claim-notice hotline and broker after-hours contact.
- Pre-binding sit-down with the CEO to review terms, exclusions, and notice procedures.