Trust · Attestations
Compliant today. Audited soon.
This page is the live registry of every control program that governs Conceptual Health® — the standard, the scope, who owns it inside the company, where it stands today, and what document a regulator or enterprise procurement team can pull. We honestly disclose the difference between "architected and self-attested" and "third-party-signed letter in hand." Eleven controls are in scope now; six more are on the roadmap with target windows below.
Phase 1 honesty banner
11 in scope · 0 third-party signed · 6 on the Phase 2 roadmap.
"Self-attested" means we have architected, implemented, and internally validated the control program against the published standard. It does not mean an independent auditor has signed a letter. The path to a signed letter requires (a) the audit engagement and (b) the observation window. We have published target dates below and will move each row from "Self-attested" → "Engagement" → "Letter issued" with the date stamp and auditor name as it happens.
In scope now
The eleven control programs running today.
Security · Privacy
SOC 2 Type II
Trust Services Criteria (2017, with the 2022 points of focus): Security, plus Availability, Confidentiality, Privacy, and Processing Integrity. A Type II report covers an observation window (twelve months under our plan) and is issued only after that window closes, so the earliest letter date is engagement start plus twelve months. Status: self-attested · engagement pending.
Healthcare
HITRUST CSF r2
r2 (risk-based, two-year) validated assessment: 156 controls across 14 categories. Certification is valid for 24 months, contingent on an interim assessment at the 12-month mark. Status: self-attested · engagement pending.
Cryptography
FIPS 140-3
Algorithms in use: AES-256-GCM and ChaCha20-Poly1305 (data at rest); TLS 1.3 with X25519 (data in transit); Ed25519 signing for chain operations; SHA-256 and SHA-3-256 hashing. FIPS 140-3 validates cryptographic modules, not products, so the defensible claim is that the vendor modules we call are CMVP-validated and run in their approved mode; any FIPS statement should cite the module's CMVP certificate number and confirm each algorithm appears in that certificate's approved-mode table. Caveat: ChaCha20-Poly1305 is not a FIPS-approved algorithm, so data protected with it sits outside the validated boundary; where FIPS coverage is required, AES-256-GCM is the applicable option. Status: vendor modules validated · approved-mode coverage limited to the FIPS-approved algorithms above.
Healthcare · Federal
HIPAA — 45 CFR 160/164
Privacy Rule, Security Rule, Breach Notification Rule. BAA template at /legal/baa-template/. Notice of Privacy Practices at /legal/hipaa/. HHS does not certify HIPAA compliance and no accredited certification exists, so "compliant" here means a documented risk analysis and self-assessment against the rules. Status: operational · self-assessed.
Research · FDA
21 CFR Part 11
Electronic-records validation for clinical research data, signed audit trails, controlled-system-of-record posture. Status: self-attested · IRB validation in progress.
Controlled substances
DEA EPCS — 21 CFR 1311
Electronic prescribing of controlled substances under 21 CFR Part 1311 (definitions in Part 1300): identity proofing of each prescriber, by a credential service provider or institutionally (§1311.105, §1311.110), followed by two-factor authentication to sign each prescription, using two of a knowledge factor, a hard token, and a biometric (§1311.115). Note that the rule also requires a third-party audit or certification of the EPCS application itself (§1311.300), which is separate from prescriber identity proofing. Status: self-attested · third-party identity-proof partner engaged.
Financial · Federal
FinCEN MSB Registration
31 CFR 1010 (general provisions) and 31 CFR 1022 (money services businesses): MSB registration (§1022.380, renewed every two years), AML program (§1022.210), KYC, and sanctions screening against OFAC lists (31 CFR Chapter V, administered by Treasury's OFAC rather than FinCEN). State Money Transmitter License (MTL) matrix in progress; NMLS lookup will be published per state as licenses issue. Status: federal registration filed · state matrix in progress.
Financial · Card
PCI DSS v4.0.1 — SAQ-D
Cardholder-data environment scope. PCI DSS v4.0 was retired on 31 December 2024; assessments now validate against v4.0.1. SAQ-D is a self-assessment questionnaire; whether it suffices or a QSA-signed Report on Compliance is required is set by the acquiring bank and the card brands' merchant levels, so the QSA engagement is scoped to that requirement. QSA engagement triggered with the first card-present clinic. Status: scoped · engagement pending.
Security · Operations
Annual penetration test
White-box plus black-box. Network, application, AI prompt-injection, BAA-as-code, edge-node verification. Findings → fixes → re-test → public summary in the Transparency Report. Status: annual cadence established.
Accessibility
WCAG 2.2 Level AA
Section 508 conformance, skip-link on every page, prefers-reduced-motion honored, 44×44 CSS-pixel minimum touch targets (WCAG 2.2 AA requires 24×24 under SC 2.5.8; 44×44 meets the AAA target size of SC 2.5.5), AAA where feasible. Tested with NVDA, JAWS, VoiceOver, TalkBack, Dragon. Statement at /legal/accessibility/. Chain-stamped scorecard at /proof/accessibility.html. Status: compliant · per-release validated.
Money-services
State Money Transmitter Licenses
Per-state MTL matrix tracking application status. License numbers will appear here as states issue. Status: matrix in progress · NMLS lookup pending issuance.
Roadmap — Phase 2 and beyond
What we'll be working toward, with dates.
| Standard | Scope | Target |
|---|---|---|
| FedRAMP Moderate | Federal government-customer authorization | Phase 2 + 18 months |
| ISO 27001 + 27701 | Information security + privacy management | Phase 2 + 12 months |
| FDA SaMD | Software-as-a-Medical-Device pathway for clinical features. The FDA Pre-Cert pilot ended in 2022 without becoming a pathway; the available routes are 510(k), De Novo, or PMA | Rolling · post Phase 2 |
| NCQA HEDIS | Healthcare Effectiveness Data and Information Set reporting | Phase 2 + 12 months |
| HITRUST AI Assurance | Clinical-AI controls — model governance, override audit, drift detection | Post Phase 2 |
| SOC 3 | Public summary report (post SOC 2 Type II) | After SOC 2 letter |
Document access
Regulators and enterprise procurement: come in.
Audit letters, control narratives, evidence libraries, and BAA-signed copies are available behind the NDA-gated regulator portal. On-chain attestations and governance log: chain.conceptualhealth.com/governance-log.html.
Anything inaccurate, ambiguous, or missing on this page? Write compliance@conceptualhealth.com — we'd rather correct the page today than relitigate the claim later.