Vertix.

Security & Compliance

Compliance is identity, not an afterthought.

Health Insurance Portability and Accountability Act (HIPAA)-aligned controls, ISO 27001:2022 (60+ Annex A controls · certification target Q4 2026), SOC 2 Type II (report target Q1 2027), FDA non-Device Clinical Decision Support, and PSYPACT 51-state telehealth tracker. BAA available on every paid plan from day 1.

The compliance stack

Every regulation, handled at the architecture layer.

Six compliance pillars built into the product. Not checked at deployment and forgotten.

HIPAA-aligned controls

  • AES-256 encryption at rest on all PHI
  • TLS 1.3 minimum for data in transit
  • Multi-factor authentication enforced for all PHI-access roles · TOTP per RFC 6238 / NIST SP 800-63B AAL2 · programmatic login gate (no bypass)
  • Automatic session logoff · 15-minute idle timeout + 12-hour absolute session ceiling · HIPAA § 164.312(a)(2)(iii) · CMIA · HB 300 · NIST SP 800-63B AAL2
  • Immutable audit logs · every access recorded · 6-year retention per Security Rule § 164.312(b)
  • Business Associate Agreement included on every paid plan, day 1
  • Breach notification per 45 CFR § 164.400-414 · internal target 48h
  • Role-based access control per clinician and per clinic
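The automatic-logoff control above runs two independent clocks: a 15-minute idle timeout and a 12-hour absolute ceiling. The following is an added illustration of that policy, not Vertix's own code; the class and function names are assumptions, and times are Unix epoch seconds.

```python
# Added example: the two-clock session policy (15-minute idle timeout plus a
# 12-hour absolute ceiling). Names here are assumptions, not Vertix's code.
IDLE_TIMEOUT_S = 15 * 60
ABSOLUTE_CEILING_S = 12 * 60 * 60


class Session:
    def __init__(self, user: str, created_at: float):
        self.user = user
        self.created_at = created_at      # fixed at login; never refreshed
        self.last_activity = created_at   # refreshed by each valid request


def session_state(s: Session, now: float) -> str:
    """Return 'active', 'idle_expired' or 'absolute_expired'.
    The absolute ceiling is checked first: no amount of activity extends it."""
    if now - s.created_at >= ABSOLUTE_CEILING_S:
        return "absolute_expired"
    if now - s.last_activity >= IDLE_TIMEOUT_S:
        return "idle_expired"
    return "active"


def touch(s: Session, now: float) -> bool:
    """Record a request on the session. Returns False, without extending the
    idle clock, if the session should already have been logged off."""
    if session_state(s, now) != "active":
        return False
    s.last_activity = now
    return True
```

The common mistake this guards against is refreshing a single expiry on every request, which lets a long-lived session never hit the 12-hour ceiling.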

FDA Non-Device CDS

  • Cures Act § 3060 (21 U.S.C. § 360j) qualified
  • Criterion 1: NOT for time-critical decisions
  • Criterion 2: NOT for use with implants
  • Criterion 3: Displays/analyzes clinical info from EHR/literature
  • Criterion 4: Clinician can independently review every recommendation basis
  • Result: No FDA 510(k) clearance required

PSYPACT 51-State

  • All 50 states + DC tracked in real time
  • 40 PSYPACT member states + 11 non-PSYPACT
  • Telepsychology authorization verified per session
  • Out-of-state client? Flagged before session start
  • Authorization certificate auto-generated per session
  • Cross-checked against NPI registry on login

988 Crisis Lifeline

  • 988 Suicide & Crisis Lifeline · one-click handoff
  • Veterans Crisis Line · auto-detected for VA patients
  • Crisis Text Line · embedded in patient portal
  • Trevor Project · auto-surfaced for LGBTQ+ patients
  • Handoff document auto-generated with full context
  • All escalations logged with audit trail

Mental Health Parity

  • MHPAEA 2008 baseline checks
  • 2020 Final Rule NQTL comparative analysis
  • Consolidated Appropriations Act 2021 compliant
  • 10 automated parity checks on each denial
  • Auto-generates appeals citing Wit v. United Behavioral Health (2019)
  • Tracks denial patterns per payer

Mandatory Reporting (50 states)

  • All 50 states · rules updated continuously
  • Tarasoff duty-to-warn + state variants
  • Child abuse reporting per state thresholds
  • Elder abuse / dependent adult abuse (APS)
  • IPV: mandatory vs. discretionary by jurisdiction
  • Pre-populated reporting forms where legally permitted

Cybersecurity practices

Security is an engineering discipline. Not a checkbox.

Vertix was built from the ground up for healthcare data. The following controls are not aspirational — they are implemented, tested, and independently verified.

  • Encryption at rest: AES-256 on all PHI
  • Encryption in transit: TLS 1.3 minimum (1.2 disabled)
  • Automatic key rotation every 90 days
  • BAAs signed with all subprocessors before any PHI is processed
  • SOC 2 Type II target · audit Q4 2026 · report Q1 2027 — audit not yet started
  • ISO 27001:2022 — 60+ Annex A controls implemented (see /security/iso-27001)
  • Independent penetration test scheduled prior to GA
  • DAST + SAST scans on every release
  • Vulnerability disclosure: [email protected]
  • Public subprocessor list, updated within 30 days of any change
  • Zero-trust internal network · every service authenticated

Patient Privacy Firewall · ADR-036

Your patients never become training data. Not for ours. Not for anyone.

Patient data is architecturally separated from every research query, curation pipeline, and AI training process. Not a policy statement — enforced at the database level with hard access controls and immutable audit trail.

Segregated at DB layer

Patient data lives in a separate table flagged is_patient_data=true. No research query, recommendation engine, or AI pipeline can access it by default.

Default queries exclude patient data

The evidence retrieval engine never queries patient data in its default mode. Patient context is opt-in, per-session, with explicit clinician action.

Audit-trailed access only

Patient data is accessed for clinical queries only through an audit-logged CLI that creates immutable log entries (requester, timestamp, purpose).

Never in exports or public indices

Excluded from SKOS terminology exports, public faceted indices, benchmark datasets, and any aggregate reporting without explicit consent.
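The four firewall properties above (a per-row patient-data flag, default exclusion, audit-logged opt-in access, and an immutable log) can be modelled end to end in a small SQLite schema. This is an added example and not Vertix's code; the table, column and function names are assumptions, the rows are constructed, and the tenant_id column stands in for the per-clinic isolation described under Data residency.

```python
import sqlite3

# Constructed schema modelled on the page's description; table and column
# names are assumptions, not Vertix's actual schema.
SCHEMA = """
CREATE TABLE records (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL,
    is_patient_data INTEGER NOT NULL DEFAULT 0, body TEXT NOT NULL);
-- Research / recommendation code is only ever granted this view.
CREATE VIEW research_records AS
    SELECT id, tenant_id, body FROM records WHERE is_patient_data = 0;
CREATE TABLE phi_access_log (id INTEGER PRIMARY KEY, requester TEXT NOT NULL,
    purpose TEXT NOT NULL, record_id INTEGER NOT NULL, at TEXT NOT NULL DEFAULT (datetime('now')));
-- Immutability: any UPDATE or DELETE on the audit table is rejected.
CREATE TRIGGER log_no_update BEFORE UPDATE ON phi_access_log
    BEGIN SELECT RAISE(ABORT, 'audit log is immutable'); END;
CREATE TRIGGER log_no_delete BEFORE DELETE ON phi_access_log
    BEGIN SELECT RAISE(ABORT, 'audit log is immutable'); END;
"""

def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO records VALUES (?,?,?,?)", [
        (1, "clinic-a", 0, "guideline: CBT first-line for GAD"),  # non-PHI
        (2, "clinic-a", 1, "patient 1234 session note"),  # constructed PHI
        (3, "clinic-b", 1, "patient 5678 intake")])       # constructed PHI
    return db

def research_query(db: sqlite3.Connection):
    """Default path: the engine queries the view, so flagged rows never appear."""
    return [r[0] for r in db.execute("SELECT body FROM research_records")]

def clinical_query(db, requester: str, tenant_id: str, purpose: str, record_id: int):
    """Opt-in path: explicit purpose, scoped to the caller's clinic, logged first."""
    if not purpose.strip():
        raise PermissionError("a purpose is required for PHI access")
    row = db.execute("SELECT body FROM records WHERE id=? AND tenant_id=? "
                     "AND is_patient_data=1", (record_id, tenant_id)).fetchone()
    if row is None:
        return None  # wrong clinic or not a patient record: nothing disclosed
    db.execute("INSERT INTO phi_access_log(requester, purpose, record_id) "
               "VALUES (?,?,?)", (requester, purpose, record_id))
    db.commit()
    return row[0]

def audit_is_immutable(db: sqlite3.Connection) -> bool:
    """True if deleting logged entries is rejected (call after an access)."""
    try:
        db.execute("DELETE FROM phi_access_log")
    except sqlite3.DatabaseError:
        return True
    return False
```

In production the same split is done with database roles rather than a single connection: the research role is granted the view only, and the audit table accepts INSERT and nothing else.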

Certifications roadmap

Where we are. Where we are going.

We publish the roadmap publicly because accountability requires transparency.

HIPAA-aligned controls + BAA day 1

✓ Live

BAA available on every paid plan

FDA non-Device CDS framing (Cures Act § 3060)

✓ Live

Legal position; FDA has not issued a determination

ISO 27001:2022 · 60+ Annex A controls

In progress

Target certification Q4 2026 — see /security/iso-27001

PSYPACT 51-state tracker · APIT expiry alerts

✓ Live

Daily authoritative refresh

SOC 2 Type II

Audit target Q4 2026

Audit not yet started; report delivery target Q1 2027

SOC 3 (public report)

Q2 2027

Follows SOC 2 Type II report delivery

HITRUST CSF

2027

For enterprise / health system contracts

Data residency

You choose where your data lives. We enforce it.

US sovereignty for American clinicians. GDPR sovereignty for European practices. No ambiguity.

Residency

US-only

AWS us-east-1 + us-west-2. All patient data stays inside US borders.

Residency

Per-clinic isolation

Multi-tenant logical segregation. Database-level tenant_id on every row.

Ethical positioning

No conflict of interest. Zero.

Vertix is owned by THE HUB INITIATIVE SLU, bootstrapped in Andorra. We have no investors from pharma, insurance, or advertising. Our only financial interest is clinicians paying for the product because it is valuable.

This matters because clinical decision support funded by the companies selling the treatments it recommends has a structural conflict no policy statement can resolve. Ours does not.

  • Bootstrapped: THE HUB INITIATIVE SLU, Andorra. No VC, no PE, no strategic investors.
  • Zero pharma funding: No pharmaceutical manufacturer holds equity, advisory comp, or contracted influence.
  • Zero insurer funding: No health insurer, MCO, or PBM has any financial relationship with Vertix.
  • Zero advertiser funding: No advertising revenue. No sponsored content. No data brokering.
  • Just evidence: Recommendations derived exclusively from peer-reviewed literature, guidelines, and government sources.

Security FAQ

The questions compliance officers always ask.

Is the BAA included in my plan?
Yes. Every paid plan includes a Business Associate Agreement at no extra charge, available for countersignature from day 1. Request from Settings → Compliance → BAA, or email [email protected].
Where is my data stored?
AWS us-east-1 + us-west-2. All patient data stays inside US borders. Vertix is currently available only to licensed mental-health professionals in the United States — international residency options are not offered today.
Who has access to my patient data?
Only you and co-clinicians you authorize via RBAC. Vertix staff never access PHI except under documented support requests with your written authorization, logged immutably. Our AI models are never trained on your patient data.
What happens in a breach?
Per the HIPAA Breach Notification Rule (45 CFR § 164.400-414), affected covered entities are notified within 60 days of discovery. Internal SLA: 48 hours. Full incident report with root cause, affected records, containment, and remediation.
Can I export all my data?
Yes. Full portability in FHIR R4 (HL7 standard, Epic/Cerner compatible), JSON (raw structured), or PDF (human-readable). No lock-in, no export fees. Settings → Data → Export.
Are you SOC 2 certified?
Not yet. Vertix is SOC 2 Type II target, with audit expected to begin Q4 2026 and report delivery target Q1 2027. Until then, the ISO 27001 controls page documents the 60+ Annex A controls already implemented under ITSC-01. Enterprise customers can request the security questionnaire and subprocessor list under NDA. SOC 3 (public) planned for Q2 2027.

Ready to make compliance invisible?

Your BAA is waiting. Your subprocessor list is published. Your data never leaves your chosen region.