The boring kind of secure.
Veladoma stores Medicaid PHI, household payment data, and the home addresses of vulnerable people. We treat that as the highest-stakes job we have. No marketing language on this page — just what we do, who’s audited it, and how to reach our security team.
Our SOC 2 report is 240 pages — yours on request after a mutual NDA. Below is the human version, organized by what an operations manager actually wants to confirm before signing.
Twelve controls, written in plain English.
AES-256 at rest, TLS 1.3 in transit.
Database, object storage, and backups all encrypted. Customer-managed encryption keys (CMEK) available on Veladoma One.
Logical isolation per organization.
Every query is row-scoped to your org ID at the database level. Private US data residency available on Veladoma One.
SSO, MFA, RBAC, field-level permissions.
Okta, Azure AD, and Google Workspace SSO. MFA enforceable per-role. Caregiver SSNs masked by default below admin.
Immutable audit trails — 7 years.
Every read and write to PHI is logged with actor, IP, device, and timestamp. Export to your SIEM via webhook or daily SFTP.
Continuous, point-in-time backups, 30 days.
RPO ≤ 5 minutes, RTO ≤ 1 hour. Backups stored in a second AWS region with separate key material.
Snyk + Trivy on every build.
Critical CVEs blocked from production. Quarterly third-party penetration tests by NetSPI. Public report on request.
US-based. Background-checked. Trained.
All engineers are W-2 employees in the US. Annual HIPAA training. Production access limited to on-call rotation, time-boxed.
Twelve subprocessors, listed publicly.
AWS, Stripe, Twilio, Anthropic (Claude), Sandata, HHAeXchange, Tellus, CareBridge, Resend, Datadog, Linear, Notion. BAA with each PHI handler.
Claude calls run zero-retention.
Anthropic's zero-retention API endpoint. No model training on your data, ever. PHI is redacted before any non-clinical AI call.
Active-passive across two AWS regions.
us-east-2 primary, us-west-2 warm standby. Annual failover drill. Last drill: 2026-Q1, 38-minute RTO observed.
Family portal access requires explicit consent.
Caregivers, patients, and family members each have separate consent flows for record sharing, with revocation honored within 1 business day.
State retention rules respected first.
Medicaid retention is 7 years per state. After that window, customer-initiated deletion is irreversible within 30 days.
From caregiver phone to state aggregator.
Annotated. The TLS-encrypted hops, the regions, the retention windows. If a CISO is reviewing this, they’re looking for this diagram. Here it is.
- 01 Caregiver device (iOS/Android) → TLS 1.3 → Veladoma API (us-east-2)
- 02 Veladoma API → row-scoped queries → Database (AES-256 at rest, us-east-2)
- 03 Veladoma API → direct API → State aggregator (Sandata / HHAeXchange / Tellus / CareBridge)
- 04 PostgreSQL → continuous backup → S3 (us-east-2) + S3 (us-west-2, separate key)
- 05 PHI audit log → Datadog (BAA) → customer SIEM (optional webhook / SFTP)
What we owe you if something breaks.
Every plan includes the same response. We don’t reserve faster response times for bigger logos. The named on-call engineer below is who paged you last quarter.
Pager fires.
Datadog or customer report triggers PagerDuty. On-call acks within 5 minutes, 24/7. Carmen carries the secondary.
Status page updated.
status.veladoma.com gets the first post within 15 minutes whether or not we know the cause. We update every 30 minutes until resolved.
Customer comms.
If your data is even potentially affected, you get an email and a call from a human within 60 minutes. Not a templated breach notice.
Postmortem published.
Blameless postmortem within 5 business days, posted publicly to /trust/incidents and emailed to affected customers. No PR-speak.
Found something? Tell us.
We run a coordinated disclosure program. Responsible reports get a same-day human reply, a CVSS-tracked timeline, and a swag package shipped wherever you live. No legal threats, ever.