Targeting e1 (essentials) → i1 (interim) → r2 (full) on the standard cadence. Open evidence and remediation plan in HITRUST.md (sent on request). Not yet certified.
We sell to employers, brokers, and PEOs who need a defensible answer for their auditors. This page is what's actually in production today — followed by what's underway. No green-checkmark theater: every claim links to an artifact.
No report yet. Readiness plan and in-flight controls list available under NDA.
Standard mutual BAA; we sign before your first invoice upload. PHI fields (SSN last-4, member name, DOB) are encrypted at rest via AES-256-GCM (@velora/crypto) with a per-field HMAC index for searchable encryption. See SECURITY.md §Cryptography.
Anthropic · Neon · Vercel · Resend · Reducto · Stripe · Upstash. Full list with BAA status sent on request. Stripe is platform-billing only — never receives PHI. See /subprocessors.
Every mutation is chain-hashed (SHA-256; each record's hash covers the previous record's hash, prevHash → hash), so an edited or deleted record breaks the link that follows it. Tamper detection at the app layer, immutability triggers at the DB layer.
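The prevHash → hash chain described above, as an added example that is not Velora's own @velora code: append links each record to the current head, and verify reports the seq of the first broken link, including a truncated tail when the head hash is anchored outside the database. The record fields and the GENESIS sentinel are assumptions.

```typescript
import { createHash } from "node:crypto";

// Constructed record shape; the real AuditEvent columns are an assumption here.
export interface AuditEvent {
  seq: number;
  tenantId: string;
  actor: string;
  action: string;
  payload: Record<string, unknown>;
  prevHash: string; // hash of the previous record, or GENESIS for the first
  hash: string;     // SHA-256 over the canonical form of this record, which includes prevHash
}

export const GENESIS = "0".repeat(64); // assumed sentinel for the first link

// Canonical serialisation: fixed field order and sorted top-level payload keys,
// so the hash does not depend on column or insertion order. The hash field itself is excluded.
function canonical(e: Omit<AuditEvent, "hash">): string {
  return JSON.stringify({
    seq: e.seq, tenantId: e.tenantId, actor: e.actor, action: e.action,
    payload: Object.fromEntries(Object.entries(e.payload).sort(([a], [b]) => a.localeCompare(b))),
    prevHash: e.prevHash,
  });
}

export function computeHash(e: Omit<AuditEvent, "hash">): string {
  return createHash("sha256").update(canonical(e)).digest("hex");
}

// Append a new event, linking it to the current head of the chain (never rewriting earlier records).
export function append(chain: AuditEvent[], fields: Omit<AuditEvent, "seq" | "prevHash" | "hash">): AuditEvent[] {
  const prevHash = chain.length ? chain[chain.length - 1].hash : GENESIS;
  const unhashed = { ...fields, seq: chain.length, prevHash };
  return [...chain, { ...unhashed, hash: computeHash(unhashed) }];
}

// Walk the chain; return the seq of the first broken link, or -1 if intact.
// A deleted tail record is only detectable against expectedHead, a head hash stored outside the DB.
export function verify(chain: AuditEvent[], expectedHead?: string): number {
  let prev = GENESIS;
  for (const e of chain) {
    if (e.prevHash !== prev || computeHash(e) !== e.hash) return e.seq;
    prev = e.hash;
  }
  if (expectedHead !== undefined && prev !== expectedHead) return chain.length;
  return -1;
}
```

Running verify on a schedule and alerting on any return value other than -1 is the missing SIEM hook for the ledger; persisting the head hash somewhere the database user cannot write closes the truncation gap.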
SSN-last-4, member name, DOB encrypted with AES-256-GCM. Decryption requires the running service; raw DB dumps don't surface PHI.
Every query carries tenantId. Cross-tenant reads are tested and CI-gated.
Upstash Redis (@velora/rate-limit) on every public endpoint. Per-IP and per-user buckets.
Premium accruals, retro adjustments, and reversals never overwrite history.
Every event ships with X-Webhook-Signature so your endpoint can verify origin.
Backup codes hashed. Tenants can require MFA org-wide; policy is enforced server-side, not client-side.
Owner-only page flags privileged accounts without MFA, dormant accounts, and never-signed-in accounts. Export logs an AuditEvent as sign-off evidence.
SIEM / audit-log alerting — the chain-hashed ledger exists; nothing watches it for anomalies yet. (HITRUST §3 item #5.)
DB-level immutability triggers on AuditEvent — migration written, apply pending.
Annual third-party penetration test — budgeted; first engagement Q3 2026.
Endpoint management baseline — MDM + EDR rollout in progress.
Vendor BAAs — every PHI-touching subprocessor on the list has a path to BAA execution; not all are countersigned today.
90-day SLA on confirmed issues. Scope, threat model, PGP info in SECURITY.md — also at /.well-known/security.txt.
CAIQ / SIG / HECVAT response within 5 business days under NDA. Recent answer set on request.
Mutual BAA template; standard enterprise MSA. Both sent before your first PHI upload.