Public-facing documentation for Velora Billing. Engineering-internal files (HITRUST.md, ARCHITECTURE.md, RUNBOOK.md, BILLING_ROADMAP.md) live in the source repo and are sent under NDA on request.
/docs/api: REST endpoints, auth, rate limits, pagination, error shapes, webhook events + signature verification, Slack/Teams native webhook support.
/trust: HITRUST readiness, SOC 2 plan, BAA process, controls list, honest gap list. Every claim links to in-repo evidence.
/subprocessors: Full vendor list with purpose, region, PHI status (Yes / Conditional / No), BAA status. Updated when subprocessors change.
/privacy: What PHI we touch, how it's protected, what we explicitly do NOT do. Authoritative DPA on request.
/dpa: Roles, subprocessor change notice, breach notification cadence (72h HIPAA + GDPR-aligned), SCCs.
/terms: Overview only — the controlling document is the executed MSA + BAA, sent on request.
/changelog: Customer-visible release notes. Engineering-internal log lives in the repo.
/.well-known/security.txt: Machine-readable disclosure entry-point. 90-day SLA on confirmed issues.
Email hello@hellovelora.com. Procurement questionnaires (CAIQ, SIG, HECVAT) and the full DPA + BAA + MSA package are sent within 5 business days under NDA. Security researchers email security@hellovelora.com — 90-day SLA, see /SECURITY.md.