Security and Privacy at VeteranHQ
Veterans trust us with their most sensitive records. We treat that trust as our only license to operate.
Below: our compliance posture, the vendors that touch your data, how to report a security issue, and what is available to enterprise buyers under NDA.
Compliance Posture
We apply the HIPAA Security Rule's administrative, technical, and physical safeguards (45 CFR Part 164, Subparts A and C) to the systems that handle Protected Health Information. For direct-to-consumer use by individual veterans, VeteranHQ is not a HIPAA covered entity — we apply these safeguards as a matter of policy, not legal obligation. For law-firm customers who engage us as a Business Associate, we meet the obligations of 45 CFR §164.504(e), including flow-down to our own sub-processors.
BAAs are signed with every vendor that handles PHI:
- Amazon Web Services, Inc. — compute, object storage, AI embeddings, OCR. BAA executed 2026-03-17.
- Anthropic, PBC — AI model inference for AIDEN, Zero Data Retention enabled. BAA executed 2026-03-28.
PHI-bearing workloads are architecturally restricted to BAA-covered services. Non-BAA vendors (Stripe, Vercel, Resend, Sentry, Slack) are prevented from receiving PHI by design — see the Sub-Processors table below.
SOC 2: No SOC 2 Type I or Type II attestation is in place. We have not initiated an audit engagement. We will say so here rather than claim a framework we do not hold.
Penetration testing: Last internal security sprint completed 2026-04-18 (18 PRs). External penetration test planned once B2B revenue justifies the engagement.
Controls Aligned with SOC 2 Trust Service Criteria
VeteranHQ implements controls across all five SOC 2 Trust Service Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy) as defined by the AICPA Trust Services Criteria (TSP 100). External attestation (SOC 2 Type I) is planned once B2B revenue justifies the audit engagement; we do not claim an attestation we do not hold. The tables below map our in-production controls to the applicable TSCs and the HIPAA citation each operationalizes. Every row cites a backing policy from our 25-policy HIPAA program.
Security (Common Criteria, CC)
| TSC | Control | Implementation | HIPAA | Policy |
|---|---|---|---|---|
| CC6.1 | Logical access control | Role-based access (veteran / attorney / firm admin / admin / superadmin); password + optional TOTP MFA; requireAuth + requireRole + requireResourceOwner middleware on every PHI route | §164.312(a), §164.312(d), §164.308(a)(4) | SV-TECH-14, SV-TECH-17, SV-ADMIN-04 |
| CC6.3 | Access changes tied to role changes | Documented onboarding/off-boarding checklists; JWT rotation on workforce departure; quarterly access review | §164.308(a)(3)(ii)(B)–(C) | SV-ADMIN-03, SV-TECH-14 |
| CC6.7 | Transmission of sensitive information | TLS 1.2+ with TLS 1.3 preferred (TLS 1.0/1.1 disabled); HSTS preload; modern cipher suite allowlist; SSE-AES256 on S3 at rest | §164.312(e) | SV-TECH-18 |
| CC6.8 | Detection of unauthorized software | Trivy image scan in CI on every push; npm audit gate; pinned base images refreshed quarterly; software-installation attestation | — | SV-OPS-25, SV-PHYS-11 |
| CC7.2 | Monitoring of system components | Append-only audit_log table on every PHI route via onResponse middleware; 6-year retention per §164.530(j); S3 Object Lock compliance mode on audit archive | §164.312(b) | SV-TECH-15 |
| CC7.3 | Anomaly detection and evaluation | Sentry backend + frontend with beforeSend PHI scrubber; quarterly Information System Activity Review surfacing volume and off-hours anomalies | — | SV-ADMIN-01 §4, SV-TECH-15 |
| CC7.4 | Security incident response | Documented Incident Response Plan with 4-factor breach analysis; quarterly tabletop exercises; 24-hour BA-to-CE notification commitment | §164.308(a)(6), §164.410 | SV-ADMIN-06, SV-ADMIN-09 |
| CC8.1 | Change management | GitHub PR → peer code review → CI (typecheck + lint + test + Trivy) → CD (blue-green deploy with 30s SSE drain + smoke test + auto-rollback) | §164.308(a)(8), §164.312(c)(1) | SV-OPS-25 |
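The `beforeSend` PHI scrubber named under CC7.3 (and again under C1.2 as the control that keeps PHI away from Sentry), shown as an added example that is not VeteranHQ's code. Sentry's Node SDK calls the `beforeSend(event, hint)` option on every event before it leaves the process, and returning `null` drops the event; the field names below follow the Sentry event payload (`request`, `user`, `breadcrumbs`, `exception.values`, `extra`). The PHI patterns, the header list, and the sample event are this example's own assumptions and constructed data.

```javascript
// Added example (not VeteranHQ's code). A beforeSend hook for Sentry's Node
// SDK that strips request bodies/cookies, filters credential headers, keeps
// only an opaque user id, and regex-redacts identifiers in every free-text
// slot. PHI patterns and header names are this example's assumptions.

const SENSITIVE_HEADERS = new Set(['authorization', 'cookie', 'set-cookie', 'x-api-key']);

// Identifiers that must never reach a non-BAA vendor (assumed set).
const PHI_PATTERNS = [
  { label: 'SSN',   re: /\b\d{3}-\d{2}-\d{4}\b/g },
  { label: 'EMAIL', re: /\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b/g },
  { label: 'DOB',   re: /\b(?:0?[1-9]|1[0-2])\/(?:0?[1-9]|[12]\d|3[01])\/(?:19|20)\d{2}\b/g },
];

function redactString(s) {
  if (typeof s !== 'string') return s;
  return PHI_PATTERNS.reduce((acc, p) => acc.replace(p.re, `[${p.label} REDACTED]`), s);
}

// Walk JSON-like data and redact every string leaf. Depth-limited so a
// cyclic or enormous context object cannot stall error reporting.
function redactDeep(value, depth = 0) {
  if (depth > 8) return '[TRUNCATED]';
  if (typeof value === 'string') return redactString(value);
  if (Array.isArray(value)) return value.map((v) => redactDeep(v, depth + 1));
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) out[k] = redactDeep(v, depth + 1);
    return out;
  }
  return value;
}

function beforeSend(event, _hint) {
  if (!event) return null;
  if (event.request) {
    // Bodies and cookies are dropped outright: a PHI route's payload is PHI.
    delete event.request.data;
    delete event.request.cookies;
    if (event.request.headers) {
      for (const name of Object.keys(event.request.headers)) {
        if (SENSITIVE_HEADERS.has(name.toLowerCase())) event.request.headers[name] = '[Filtered]';
      }
    }
    if (event.request.query_string) event.request.query_string = redactString(event.request.query_string);
  }
  // Keep only an opaque identifier for the user; never name, email, or IP.
  if (event.user) event.user = event.user.id !== undefined ? { id: String(event.user.id) } : undefined;
  if (event.message) event.message = redactString(event.message);
  if (Array.isArray(event.breadcrumbs)) {
    event.breadcrumbs = event.breadcrumbs.map((b) => ({ ...b, message: redactString(b.message), data: redactDeep(b.data) }));
  }
  if (event.exception && Array.isArray(event.exception.values)) {
    for (const ex of event.exception.values) ex.value = redactString(ex.value);
  }
  if (event.extra) event.extra = redactDeep(event.extra);
  return event;
}

// Constructed sample event (not a real capture) with PHI in several slots.
function sampleEvent() {
  return {
    message: 'Lookup failed for SSN 123-45-6789',
    user: { id: 17, email: 'vet@example.com', ip_address: '203.0.113.9' },
    request: {
      url: 'https://api.veteranhq.app/v1/claims',
      headers: { Authorization: 'Bearer eyJ.example', 'content-type': 'application/json' },
      cookies: { session: 'abc' },
      data: { dob: '03/14/1975' },
      query_string: 'q=vet@example.com',
    },
    breadcrumbs: [{ category: 'db', message: 'lookup where dob = 03/14/1975', data: { email: 'vet@example.com' } }],
    exception: { values: [{ type: 'Error', value: 'record for 123-45-6789 missing' }] },
    extra: { note: 'contact vet@example.com' },
  };
}

console.log(JSON.stringify(beforeSend(sampleEvent(), {}), null, 2));
```

Wired in as `Sentry.init({ dsn: process.env.SENTRY_DSN, beforeSend })`, the hook runs in-process, so nothing it removes is ever serialized to the vendor; the deliberate choice is to delete request bodies and cookies rather than try to redact them, because a denylist of patterns can only catch the PHI formats it knows about.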
Availability (A)
| TSC | Control | Implementation | HIPAA | Policy |
|---|---|---|---|---|
| A1.2 | Environmental and system failure recovery | Daily PostgreSQL pg_dump to S3 us-east-1 with SSE-KMS; weekly cross-region copy; Glacier tiering (30d → 1y → Deep Archive 6y); blue-green deploy with auto-rollback on failed smoke test | §164.308(a)(7)(ii)(A)–(C) | SV-ADMIN-07 |
| A1.3 | Recovery plan testing | Annual full DR test (next: 2027-04-18); quarterly partial restore + backup-integrity gzip check; DR-test reports retained 6 years | §164.308(a)(7)(ii)(D) | SV-ADMIN-07 §5 |
Processing Integrity (PI)
| TSC | Control | Implementation | HIPAA | Policy |
|---|---|---|---|---|
| PI1.1 | Input validation | Zod schema validation on every request body and route param; Prisma parameterized queries (no raw SQL with user input) | — | SV-TECH-16 §4.1 |
| PI1.2 | Data accuracy and completeness | PostgreSQL with data_checksums=on, synchronous_commit=on, WAL durability; foreign-key enforcement; AES-256-GCM AEAD auth-tag verification on every decrypt; prisma.$transaction for multi-table mutations | §164.312(c), §164.312(c)(2) | SV-TECH-16 |
| PI1.3 | Authorized processing | Signature-verified webhooks — Stripe stripe.webhooks.constructEvent HMAC-SHA256 + Redis event-ID idempotency; JWT auth on every mutation; append-only audit_log of who-changed-what-when | §164.312(d) | SV-TECH-17, SV-TECH-18 §5.5 |
Confidentiality (C)
| TSC | Control | Implementation | HIPAA | Policy |
|---|---|---|---|---|
| C1.1 | Identification and protection of confidential information | Column-level AES-256-GCM via Prisma $extends hooks (encrypt on create/update/upsert; decrypt on read); per-operation 12-byte IV, 128-bit auth tag; S3 SSE-AES256 at rest; EBS AWS-managed encryption | §164.312(a)(2)(iv), §164.312(e)(2)(ii) | SV-TECH-14 §5.4 |
| C1.2 | Secure disposal | NIST SP 800-88 cryptographic erase (FileVault / BitLocker key destruction on workstation decommission); S3 lifecycle expiry + MFA Delete on versioned buckets; key destruction as the primary sanitization mechanism | §164.310(d)(2)(i)–(ii) | SV-PHYS-13, SV-OPS-23 |
| C1.2 | Sub-processor controls | BAAs executed with AWS (2026-03-17) and Anthropic (2026-03-28, ZDR + HIPAA-Ready); architectural restriction preventing PHI from reaching non-BAA vendors (Stripe, Vercel, Resend, Sentry, Slack); outbound PHI-redaction envelopes for Slack / Resend; beforeSend PHI scrubber for Sentry | §164.308(b), §164.502(e) | SV-ADMIN-09, SV-OPS-24, SV-PRIV-20 |
Privacy (P)
| TSC | Control | Implementation | HIPAA | Policy |
|---|---|---|---|---|
| P1.1 | Notice to data subjects | Public Privacy Policy with sub-processor disclosure (§5); public trust page (this document) disclosing compliance posture | §164.520 (conditional on CE trigger) | SV-PRIV-21 |
| P3.1 | Collection limitation | Minimum-necessary data collection enforced by role-based access classes (V/A/F/X/S); AI-pipeline minimum necessary (Anthropic BAA + ZDR; Bedrock BAA); no PHI collected beyond product function | §164.502(b), §164.514(d) | SV-PRIV-20 |
| P4.1 | Individual right of access | Self-service data export at GET /v1/users/me/export returning JSON bundle of user-owned PHI; export event itself audited | §164.524 | SV-PRIV-22 §4.2 |
| P4.2 | Individual right to amend | Self-service amendment for user-editable fields (name, email, profile); Privacy Officer-mediated amendment process for AIDEN-generated and admin-entered derived data | §164.526 | SV-PRIV-22 §4.3 |
| P5.1 | Accounting of disclosures | audit_log table functions as the data feed for §164.528 accounting requests; Privacy Officer response SLA under SV-PRIV-22; audit-of-audit pattern prevents silent deletion | §164.528 | SV-TECH-15, SV-PRIV-22 §4.4 |
| P6.5 | Retention and disposal | Three-tier retention schedule — Tier 1 program docs (6-year floor per §164.316(b)(2)(i) / §164.530(j)); Tier 2 PHI by category (Account 6y, ChatMessage 3y, VeteranDocument 7y, AuditLog 6y, query_analytics 1y); Tier 3 backups (hot S3 30d → Glacier 1y → Deep Archive 6y) | §164.316(b)(2)(i), §164.530(j)(2), §164.310(d)(2) | SV-OPS-23 |
Sub-Processors
We engage a limited set of service providers to operate VeteranHQ. Vendors that handle Protected Health Information are covered by signed Business Associate Agreements. Vendors that do not handle PHI are prevented from receiving it by design.
| Vendor | Purpose | Handles PHI? | BAA |
|---|---|---|---|
| Amazon Web Services, Inc. | Compute, object storage, AI embeddings, OCR | Yes | Signed 2026-03-17 |
| Anthropic, PBC | AI model inference (Claude) with Zero Data Retention | Yes | Signed 2026-03-28 |
| Stripe, Inc. | Subscription billing and payment processing | No | Not required — payment processor exemption (45 CFR §164.501) |
| Vercel, Inc. | Frontend hosting (static assets and CDN only) | No | Not required — architectural guarantee |
| Resend (Resend.com, Inc.) | Transactional email | No | Not required — no PHI transmitted |
| Slack Technologies, LLC | Internal engineering notifications and help desk | No | Not required — no PHI transmitted |
| Sentry (Functional Software, Inc.) | Backend error monitoring | No | Not required — no PHI transmitted |
| U.S. Department of Veterans Affairs — Lighthouse APIs | Federal data source (on veteran's OAuth consent) | Yes | Not applicable — federal system; veteran is the data subject |
For the full sub-processor list including CDN, analytics, and internal engineering tools that do not touch your data, see Privacy Policy §5.
Breach Notification
If we confirm a reportable breach of unsecured PHI, we will notify affected individuals without unreasonable delay and in no case later than sixty (60) calendar days after discovery, in accordance with the HIPAA Breach Notification Rule (45 CFR §164.404). Where operationally feasible, we aim to notify within seventy-two (72) hours of confirmation.
Reporting Security Issues
If you believe you have discovered a security vulnerability in any VeteranHQ production system, please email security@veteranhq.app.
What to include
- A clear description of the issue and the affected endpoint, page, or component.
- Steps to reproduce, proof-of-concept payloads, or screenshots if applicable.
- Your preferred contact method and whether you would like to be credited.
What you can expect from us
- Acknowledgment within three business days.
- A good-faith effort to triage, assess severity, and remediate.
- A follow-up once the issue is fixed, including whether public disclosure coordination is appropriate.
Safe harbor
VeteranHQ will not pursue legal action against researchers who act in good faith, follow this policy, and limit their testing to what is necessary to demonstrate an issue. Good-faith research means: no data destruction or modification, no access to user data beyond what is incidentally observed during reproduction, no social-engineering of our staff or customers, no physical testing, no denial-of-service, and no interference with other users of the service.
In scope
- veteranhq.app, legal.veteranhq.app, api.veteranhq.app, and their subdomains that we own.
- The VeteranHQ Chrome extension listed in the Chrome Web Store.
Out of scope
- Denial-of-service, volumetric testing, or any activity that impacts availability.
- Social engineering of VeteranHQ staff, customers, or vendors.
- Physical security testing.
- Attacks against third-party infrastructure we do not control (AWS, Anthropic, Stripe, etc.) — report those directly to the vendor.
- Findings that already require root or otherwise privileged access to exploit.
- Best-practice reports without a demonstrable impact (e.g., missing security headers with no exploitable chain, SPF/DKIM observations, outdated library versions without a known exploit path).
We are a small team and do not currently offer monetary bounties. We do offer public acknowledgment (if you wish) and a named credit in our responsible-disclosure hall-of-fame once a pattern of reports warrants one.
For Enterprise Due Diligence
Law firms, institutional partners, and federal agencies evaluating VeteranHQ often require documentation that is not appropriate to publish. The following are available under a mutual non-disclosure agreement:
- Risk Analysis (45 CFR §164.308(a)(1)(ii)(A))
- Incident Response Plan, Disaster Recovery Plan, Business Continuity Plan
- Written Information Security Program and policy set (25 policies covering the HIPAA Security Rule)
- Most recent workforce training acknowledgment records
- Downstream Business Associate Agreement template
- Sub-processor flow-down acknowledgments
To request: email sales@veteranhq.app with the artifacts you need and the legal entity the NDA will be executed under. We return the countersigned NDA and the requested artifacts within five business days.
Last updated: April 18, 2026 · Version 1.0
Signed,
The VeteranHQ team
