Security

HIPAA-grade by default.

Security isn’t an add-on. It’s the load-bearing primitive of the product. AES-256-GCM at rest, TLS 1.2+ in transit, hash-chained audit log on every admin action, PGP-wrapped SFTP transport — the baseline ships on every plan, including the free carrier tier.

01 The security baseline

Six pillars, none of them optional.

Encryption

Every PHI field, every transmission.

Encryption is the load-bearing primitive. We don't make it configurable.

  • AES-256-GCM at rest on every PHI field
  • TLS 1.2+ in transit · TLS 1.3 preferred
  • API keys hashed with SHA-256 · never plaintext
  • PGP-wrapped SFTP with key-based authentication
  • Per-tenant data encryption keys · KMS-managed

Access controls

Authorization at every layer.

Authorization checks run at the application layer AND at the database layer. Belt-and-suspenders on every PHI read.

  • Role-based access control (RBAC) for dashboard users
  • API key authentication with per-client rate limiting
  • Row-level security (RLS) at the Postgres layer
  • MFA required for administrative access
  • Impersonation gating with 15-minute countdown + reason gate

Audit + observability

Tamper-evident, not just append-only.

Hash-chained audit log captures every admin action and every PHI access. Cryptographic chain — modifying a row breaks the chain forensically.

  • Hash-chained audit log (migration 0012)
  • Per-PHI-access audit emit · cryptographically chained
  • Sentry-integrated structured logging
  • Per-tenant impersonation_sessions table with 15-min TTL
  • AI anomaly alerter on rejection-rate spike + novel reason codes

Infrastructure

Hosted on SOC 2 Type II infrastructure.

Vercel for the application layer, Neon Postgres for storage, Upstash Redis for distributed rate-limiting. No PHI ever lands in edge caches or CDN layers.

  • Vercel · SOC 2 Type II certified
  • Neon Postgres · automated backups + PITR
  • Upstash Redis · distributed rate-limiting (no PHI)
  • PHI explicitly excluded from edge cache layer
  • SFTP host allowlist enforced before any transmission

Incident response

Detection + breach notification + retention.

Detection running every 5 minutes. Breach notification ready under HIPAA's 60-day window. Retention policies operator-configurable per tenant.

  • Automated breach detection · 5-minute cadence
  • 60-day breach notification plan · HIPAA-compliant
  • Per-tenant retention policy with automated purge
  • Incident severity gates triggered on real-data presence
  • Runbook: docs/ops/anomaly-alerts-runbook.md

Software supply chain

Dependency hygiene + audit posture.

Dependency upgrades sequenced through a documented deferral policy. CI gates on `npm audit --audit-level=high`. Moderate-tier deferrals tracked publicly.

  • CI fails on any high-severity npm audit finding
  • Deferral docs published in `docs/security/`
  • TypeScript strict mode + ESLint custom rules
  • Cross-product `@velora/audit` shared utility package
  • Migration 0055 dropped legacy audit_log orphan (Path A)

02 The proof

Verifiable claims, not marketing copy.

0
Plaintext PHI at rest

Every PHI field encrypted with AES-256-GCM before persistence. Per-tenant data keys managed by KMS. We can’t read your members’ SSNs even if we wanted to.
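
As an added illustration of the field-level encryption claimed here and under the Encryption pillar above (example code written for this page, not Velora's implementation): AES-256-GCM on a single PHI column with a per-tenant data key. The in-memory key map stands in for a KMS, and the tenant, column and row identifiers are constructed. The associated data binds each ciphertext to its tenant, column and row, so a value copied between tenants or rows fails authentication instead of decrypting, and the stored record never contains the plaintext.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

// Stand-in for a KMS: tenantId -> 32-byte data encryption key (assumption for this
// example). In production the key is unwrapped from a real KMS per request and is
// never held in application config.
const tenantKeys = new Map<string, Buffer>();
export function dataKeyFor(tenantId: string): Buffer {
  let key = tenantKeys.get(tenantId);
  if (!key) {
    key = randomBytes(32);
    tenantKeys.set(tenantId, key);
  }
  return key;
}

// Persisted shape of one encrypted PHI field (format assumed for this example).
export interface EncryptedField {
  v: 1; // format version so key rotation / algorithm migration stays possible
  iv: string; // 12-byte GCM nonce, base64
  ct: string; // ciphertext, base64
  tag: string; // 16-byte GCM authentication tag, base64
}

// Additional authenticated data: ties the ciphertext to where it is allowed to live.
function aad(tenantId: string, column: string, rowId: string): Buffer {
  return Buffer.from(`${tenantId}\u0000${column}\u0000${rowId}`, "utf8");
}

export function encryptField(tenantId: string, column: string, rowId: string, plaintext: string): EncryptedField {
  const iv = randomBytes(12); // fresh nonce per encryption; never reuse with the same key
  const cipher = createCipheriv("aes-256-gcm", dataKeyFor(tenantId), iv);
  cipher.setAAD(aad(tenantId, column, rowId));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return {
    v: 1,
    iv: iv.toString("base64"),
    ct: ct.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
  };
}

// Returns null on any authentication failure: wrong tenant key, wrong AAD, or a
// modified ciphertext/tag. The caller treats null as "do not render", not as empty.
export function decryptField(tenantId: string, column: string, rowId: string, f: EncryptedField): string | null {
  try {
    const decipher = createDecipheriv("aes-256-gcm", dataKeyFor(tenantId), Buffer.from(f.iv, "base64"));
    decipher.setAAD(aad(tenantId, column, rowId));
    decipher.setAuthTag(Buffer.from(f.tag, "base64"));
    return Buffer.concat([decipher.update(Buffer.from(f.ct, "base64")), decipher.final()]).toString("utf8");
  } catch {
    return null;
  }
}

// Walk through the properties the page claims: round trip works for the owning
// tenant, cross-tenant and cross-row reads fail, and the stored record holds no plaintext.
export function phiFieldDemo() {
  const ssn = "123-45-6789"; // constructed sample value, not a real SSN
  const stored = encryptField("tenant-a", "members.ssn", "member:42", ssn);
  return {
    roundTrip: decryptField("tenant-a", "members.ssn", "member:42", stored),
    otherTenant: decryptField("tenant-b", "members.ssn", "member:42", stored),
    movedRow: decryptField("tenant-a", "members.ssn", "member:43", stored),
    storedPlaintext: JSON.stringify(stored).includes(ssn),
  };
}
```

Calling `phiFieldDemo()` returns the plaintext only for the owning tenant and row; the other two reads come back `null` because the GCM tag check fails, and the serialised record never contains the sample value.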

Hash-chained audit log

Every admin action and every PHI access cryptographically chained. Modifying a historical row breaks the chain forensically and is detectable on the next audit replay.

0055
Migrations applied

55 schema migrations, hash-chained, idempotent, paired with rollbacks. Dropped legacy audit-table orphan in migration 0055 (Path A reconciliation).

5m
Anomaly detection cadence

AI anomaly alerter scans rejection rates, novel reason codes, and volume anomalies every 5 minutes. Alerts route to your webhook + Slack on threshold breach.

03 Compliance posture

Where we are and where we’re going.

Today

HIPAA + BAA · production-ready

HIPAA technical safeguards covered by the security baseline. BAA included on every paid plan. Compliance team responds to inquiries at hipaa@veloraedi.com.

In progress

SOC 2 Type II · evidence collection

Audit window opened. Evidence collection underway. Target completion Q4 2026. Penetration test summary available under NDA.

Scoped

CAQH CORE Phase II · operator decision

Some carriers require CAQH CORE Phase II certification; many don’t. Operator decision pending: certify ($15–30K, 2–4 mo) or document a per-carrier impact map and skip.

Always-on

Dependency audit hygiene

CI fails on any high-severity npm audit finding. Moderate-tier deferrals tracked publicly with mitigation rationale. Reviewed weekly.

Need the paperwork? Compliance routes here.

BAA, SOC 2, pen test summary, custom contract language — all in one inbox so the back-and-forth doesn’t fragment.