The receipts
Trust is verified, not promised.
Every certification we hold. Every patent we filed. Every audit letter, every dollar moved through the network, every uptime second of every system — public, signed, and continuously updated. If we say it, we publish it.
Four pillars
Every claim we make falls under one of four verifiable buckets.
If a statement on this site doesn't trace back to one of these — flag it via contact. We treat ambiguous claims as bugs.
Third-party attestations
Independent auditors test our controls and publish letters. We can't pay them to find nothing — they're contracted to find everything. Letters here are unredacted, signed PDFs from the issuing firm.
Operational telemetry
Live, second-by-second state of the systems patients and clinicians depend on. No "incident in progress" pages — the actual number, updated as it changes.
Documents you can hold us to
What we promise, in plain language, with version history. Every document on this list is public, redlinable on request, and binding on Conceptual Healthcare Corporation
Things we publish for you to use
Patents we won't sue with. Whitepapers explaining the math. Open data dictionaries. A working assumption that if it doesn't compromise a patient or break a control, it should be public.
Receipts
Don't trust us. Read the file.
A sample of what's behind the four pillars. Tagged by what kind of receipt it is. Click through for the source PDFs, live dashboards, and signed source documents.
SOC 2 Type II — Trust Services Criteria
Issuer: A-LIGN ASSURANCE. Scope: Security, Availability, Confidentiality, Processing Integrity, Privacy. Audit period: 12 months trailing.
Open registry entry →HITRUST CSF r2 Certification
Issuer: HITRUST Authorized External Assessor. Includes NIST 800-53 Rev. 5, ISO 27001/27002 mapping, HIPAA security rule.
Open registry entry →Vault uptime & cryptographic seal
Per-shard storage availability, KMS rotation cadence, last-witnessed root hash. Updated every 30 seconds from production.
Open live dashboard →Ledger settlement & HCC issuance
Total HCC issued, paid, redeemed, in escrow. Per-axis split, top-100 contribution events of the trailing day, regulator queries served.
Open live dashboard →Patent non-assertion covenant
1 patent filed (63/921,717). We will not sue any organization providing care to under-served populations using methods covered by these claims. Binding.
Open covenant →Privacy policy + DPA bundle
What we collect, why, who can see it, how long we hold it, and how to remove it. Versioned in git; redlines published with each change.
Open privacy policy →Standing promises
Three things we won't do, in writing.
Every health-tech company can give you a privacy policy. We can give you a privacy policy plus three things we have legally bound ourselves not to do, ever, regardless of who asks.
We will never sell patient data.
Not to advertisers, not to brokers, not to insurers, not to government, not in aggregate, not in any form. Bound in our charter; revocation requires unanimous board + 67% of patient-representative seats.
We will never charge patients for care.
The patient experience is free at the point of care, and free to use forever. Revenue comes from research access, employer wellness, regulator services — never from the human in the chair.
We will never lock data inside our system.
Every patient can export everything we hold about them, in FHIR R4, in one click. Every researcher dataset is reproducible from the published query plan. Portability is a control, not a courtesy.
Reviewing for your organization?
We'll send your security team a complete diligence packet — SIG Lite, HECVAT, latest SOC 2, ISO certs, BAA template, DPA, network diagrams, pen-test summary. Two business days.
Request diligence packet →Reporting an issue?
Vulnerability, content concern, missing receipt, broken claim. We treat trust bugs the same as code bugs — ticketed, assigned, resolved, post-mortemed. Public coordinated-disclosure window: 90 days.
Report a trust issue →