Most independent agents handle Medicare Beneficiary Identifiers, prescription histories, and enrollment decisions every day — on personal Gmail accounts that have never signed a Business Associate Agreement. Bonafidus closes that gap.
The stakes
HIPAA exposure
Personal Gmail and Yahoo accounts cannot sign a Business Associate Agreement, so every beneficiary email containing a Medicare number that passes through one is technically a HIPAA violation.
$137 to $50,000+ per violation, up to $2.13M annually per category.
As a TPMO under 42 CFR §§ 422.2260 and 423.2260, you must include the required TPMO disclaimers and language assistance notices on your materials and keep prohibited language out of them. Generic website builders won't help you here.
Violations can trigger carrier termination.
CMS requires 10-year retention of sales and enrollment communications and signed Scope of Appointment forms. Personal email and paper folders cannot defensibly satisfy this in an audit.
Audits are no longer a remote possibility.
CMS publishes new requirements every contract year. CY2026 added language assistance notices. CY2027 may modify SOA timing. Solo agents cannot reliably track these.
By the time you hear about a rule change, it's already in effect.
What we provide
A single subscription replaces five fragile pieces of infrastructure with one defensible foundation.
Domain: registered through us, owned by you. Cleanly transferable on cancellation, so your brand never gets held hostage.
Email: Google Workspace Business Plus tenant. BAA signed between you, us, the reseller, and Google. Vault retention configured for the 10-year CMS recordkeeping requirement. MFA enforced. Sharing locked down.
Website: designed to stay on the communications side of the CMS communications-versus-marketing line, avoiding the marketing classification that triggers HPMS filing requirements. TPMO disclaimers and language assistance notices applied automatically on every page.
Scope of Appointment: digital SOA with electronic signature, tamper-evident PDF generation, and 10-year encrypted retention under S3 Object Lock (write-once, read-many). Audit-ready, retrievable, defensible.
Rule updates: when CMS publishes new disclaimer language or content requirements, your account updates automatically. You wake up with the new language in place without doing anything.
Compliance is your responsibility. We give you the infrastructure that makes it achievable instead of accidental.
We are not a compliance platform. We do not certify anyone's compliance posture. The agent remains the TPMO and remains responsible for their obligations under federal regulation.
We are compliance-supporting infrastructure. Our job is to make the technical foundation defensible: domain, email, website, recordkeeping. Your job is to do the work right.
Together, that's a setup that holds up to a carrier audit on the worst day of your career.
Pricing
Founding tier
For independent agents launching now.
Setup: $299, one-time
Monthly: $129, recurring
First five customers receive founder pricing — $99/month for life — in exchange for honest feedback.
Bonafidus is built by Mac McNeel. The platform is intentionally FMO-agnostic — we serve independent agents who want their compliance infrastructure to be portable, defensible, and theirs.
Reach out directly: info@bonafidus.com
Request access
Three minutes. We follow up personally — no automated drip sequences.