Trust center
Security
Health data deserves a higher standard. This page describes the controls protecting the platform today and the compliance work on our roadmap, stated plainly and without security theater.
Last updated:
- 01 Network edge: TLS 1.2+, WAF, DDoS absorption
- 02 Application: AuthN/AuthZ, input validation, audit logging
- 03 Data: AES-256 at rest, key management, least privilege
- Your health data
Infrastructure
The platform runs on hardened cloud infrastructure with network segmentation between public-facing services and data stores. Production access requires VPN plus hardware-key MFA, and infrastructure is defined as code so every change is reviewed and auditable.
Encryption
- In transit: TLS 1.2+ everywhere, HSTS enforced; no plaintext endpoints.
- At rest: AES-256 encryption for databases, object storage, and backups.
- Key management: keys held in a managed KMS, rotated on schedule, never in code.
Authentication & access
Passwords are hashed with a modern memory-hard algorithm; multi-factor authentication is available to all users and required for staff. Internally we follow least privilege: clinicians see only their patients, and every access to health records is written to an immutable audit log.
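The password-hashing approach described above, shown as an added example written for this page rather than the platform's own code: it uses scrypt from Python's standard library as the memory-hard function, stores the work parameters next to the salt and digest so they can be raised later, compares in constant time, and flags records made under weaker parameters so they are transparently re-hashed at the next successful login. The parameter values, the `scrypt$N$r$p$salt$digest` record format, and the `login()` helper are assumptions for the illustration.

```python
import base64
import hashlib
import hmac
import os

# Current work-factor policy. These values are assumptions for this example
# (about 16 MiB of memory per hash at N=2**14, r=8), not the platform's settings.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_LEN = 16
DK_LEN = 32
MAXMEM = 64 * 1024 * 1024   # ceiling handed to OpenSSL; must exceed 128 * r * N


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text, validate=True)


def hash_password(password: str, *, n: int = SCRYPT_N, r: int = SCRYPT_R, p: int = SCRYPT_P) -> str:
    """Return a self-describing record: scrypt$N$r$p$salt$digest (hypothetical format)."""
    salt = os.urandom(SALT_LEN)                      # fresh random salt per password
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                            maxmem=MAXMEM, dklen=DK_LEN)
    return f"scrypt${n}${r}${p}${_b64(salt)}${_b64(digest)}"


def _parse(record: str):
    """Split a record into (n, r, p, salt, digest); None if it is malformed."""
    try:
        algo, n, r, p, salt, digest = record.split("$")
        if algo != "scrypt":
            return None
        return int(n), int(r), int(p), _unb64(salt), _unb64(digest)
    except (ValueError, TypeError):
        return None


def verify_password(password: str, record: str) -> bool:
    parsed = _parse(record)
    if parsed is None:
        return False
    n, r, p, salt, expected = parsed
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                               maxmem=MAXMEM, dklen=len(expected))
    # Constant-time comparison: the position of the first differing byte must not leak.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str) -> bool:
    """True when the stored record is weaker than current policy (or unparseable),
    so the caller should re-hash the plaintext it has just verified."""
    parsed = _parse(record)
    if parsed is None:
        return True
    n, r, p, _, digest = parsed
    return n < SCRYPT_N or r < SCRYPT_R or p < SCRYPT_P or len(digest) < DK_LEN


def login(password: str, record: str):
    """Typical flow: verify, then upgrade a stale record while the plaintext is in hand.
    Returns (ok, record_to_store)."""
    if not verify_password(password, record):
        return False, record
    if needs_rehash(record):
        return True, hash_password(password)
    return True, record


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec), needs_rehash(rec))
```

Storing the parameters in the record is what makes a later cost increase painless: raise the constants, and every account migrates on its next successful login without a forced reset. A record that fails to parse is treated as needing a rehash rather than as valid.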
Backups & resilience
Databases are backed up continuously with point-in-time recovery, and encrypted backups are replicated to a second region. Restores are tested on a schedule: a backup that has never been restored is a hope, not a control.
Monitoring
Centralized logging, anomaly alerting on authentication and data-access patterns, and dependency scanning on every build. Alerts page an on-call engineer around the clock.
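The "anomaly alerting on authentication and data-access patterns" above, as an added example written for this page rather than the platform's own detection code: a sliding-window detector over constructed JSON audit events that fires once per source when one IP fails logins against many distinct accounts (credential stuffing) or one actor reads many distinct patient records in a short span (bulk access). The event field names, the thresholds, the ten-minute window and every log line are assumptions made up for the illustration.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Detection thresholds: assumed values for this example, not the platform's tuned ones.
WINDOW = timedelta(minutes=10)
STUFFING_DISTINCT_ACCOUNTS = 5    # failed logins against >= 5 accounts from one IP
BULK_DISTINCT_PATIENTS = 10       # one actor reads >= 10 distinct patients

# Constructed JSON-lines sample (not real platform logs).
SAMPLE_LOG = "\n".join(
    # one IP spraying failed logins across many accounts
    [f'{{"ts":"2024-05-01T10:0{i}:00Z","event":"login_failed","src_ip":"203.0.113.7","user":"user{i}"}}'
     for i in range(6)]
    # a user mistyping their own password twice, then succeeding: not stuffing
    + ['{"ts":"2024-05-01T10:02:00Z","event":"login_failed","src_ip":"198.51.100.2","user":"alice"}',
       '{"ts":"2024-05-01T10:03:00Z","event":"login_failed","src_ip":"198.51.100.2","user":"alice"}',
       '{"ts":"2024-05-01T10:04:00Z","event":"login_ok","src_ip":"198.51.100.2","user":"alice"}']
    # one clinician pulling a dozen charts in twelve minutes
    + [f'{{"ts":"2024-05-01T11:{i:02d}:30Z","event":"record_read","actor":"dr_lee","patient":"p{i}"}}'
       for i in range(12)]
    # ordinary activity from another clinician
    + [f'{{"ts":"2024-05-01T11:{i:02d}:00Z","event":"record_read","actor":"dr_kim","patient":"p{i}"}}'
       for i in range(3)]
)


def parse_events(text: str) -> list:
    """Parse JSON lines, convert timestamps, and sort so the window logic sees time order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


class DistinctInWindow:
    """Counts distinct values per key inside a sliding time window and fires
    once per key when the count reaches the threshold."""

    def __init__(self, rule: str, threshold: int, window: timedelta = WINDOW):
        self.rule, self.threshold, self.window = rule, threshold, window
        self.seen = defaultdict(deque)   # key -> deque of (ts, value), oldest first
        self.fired = set()               # keys already alerted on, to avoid repeats

    def observe(self, key: str, ts: datetime, value: str):
        q = self.seen[key]
        q.append((ts, value))
        while ts - q[0][0] > self.window:   # drop entries that fell out of the window
            q.popleft()
        distinct = {v for _, v in q}
        if len(distinct) >= self.threshold and key not in self.fired:
            self.fired.add(key)
            return {"rule": self.rule, "key": key, "distinct": len(distinct),
                    "window_start": q[0][0].isoformat(), "at": ts.isoformat()}
        return None


def detect(events: list) -> list:
    stuffing = DistinctInWindow("credential_stuffing", STUFFING_DISTINCT_ACCOUNTS)
    bulk = DistinctInWindow("bulk_record_access", BULK_DISTINCT_PATIENTS)
    alerts = []
    for e in events:
        hit = None
        if e["event"] == "login_failed":
            hit = stuffing.observe(e["src_ip"], e["ts"], e["user"])
        elif e["event"] == "record_read":
            hit = bulk.observe(e["actor"], e["ts"], e["patient"])
        if hit:
            alerts.append(hit)
    return alerts


def run_sample() -> list:
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Counting distinct accounts per IP rather than raw failures is what separates stuffing from a user fumbling their own password, and firing once per key keeps one attacker from paging the on-call engineer fifty times. In production the same logic would consume the centralized log stream and the alerts would go to the paging system described above.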
Incident response
We maintain a written incident-response plan with defined severity levels, an on-call rotation, and post-incident reviews. If an incident affects your data, we will notify you and regulators within the timelines required by applicable breach-notification law.
Responsible disclosure
We welcome good-faith security research. If you find a vulnerability, email security@vibimine.example with reproduction steps. Give us reasonable time to fix the issue before public disclosure and don't access other people's data; in return, we commit not to pursue legal action against good-faith research conducted within these rules.
Compliance roadmap
Our roadmap, in order:
- SOC 2 Type I → Type II: independent audit of security controls.
- HIPAA readiness: completing the administrative, physical, and technical safeguards of the Security Rule and executing Business Associate Agreements with every vendor that touches PHI.
- State health-privacy laws: ongoing mapping of state-specific requirements (e.g. Washington My Health My Data).
Security contact
security@vibimine.example, monitored by the security team. For privacy questions, see the Privacy Policy.
