Security & compliance

Built on healthcare-grade primitives before we had customers.

Benefit brokers handle PHI, SSNs, bank routing, and carrier contracts. Atlas treats every one of those as a first-class object. HIPAA-aware primitives. BAA on request. No offshoring. Hash-chained audit trail on every write. SOC 2 Type II and SAML SSO are on the enterprise roadmap — we don’t claim them until the attestation is in hand.

Hash-chained audit log

Every write is traceable

Every mutation records entity, action, actor, IP, timestamp and a recordHash for integrity verification. Agencies, entity types, actions, and date ranges are each indexed for fast queries and exports.

HIPAA-aware primitives

BAA available

PHI is scoped by tenant. Session tokens stored as HMAC-SHA256 hashes — plaintext tokens never persisted. BAA signed before production access. Structured BusinessAssociateAgreement model tracks every signed counterparty.

Scoped API keys

Revocable per-key with prefix identification

Every API key stored as a hash with an 8-char prefix for identification. Scopes enforced per-endpoint (e.g. contacts:read, deals:write). Per-key expiresAt and lastUsedAt for rotation hygiene.

US-only data plane

Neon Postgres · Cloudflare R2

Customer data and document uploads are confined to US regions. No offshoring, no third-country transfers.

What actually runs in production.

Identity & access

  • HMAC-SHA256 hashed session tokens (plaintext never at rest)
  • Google + Microsoft OAuth (working today); SAML 2.0 SSO on enterprise roadmap
  • TOTP MFA (RFC 6238) — enroll / confirm / verify / disable; 10 single-use HMAC-SHA256-hashed recovery codes per user; secret encrypted at rest
  • Role-based access: Owner / Admin / Advisor / Viewer / Employee
  • API keys scoped per-endpoint, revocable per-key with rotation timestamps
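To make the TOTP bullet concrete, here is an added example (written for this page, not Atlas's code) of RFC 6238 TOTP built on RFC 4226 HOTP with HMAC-SHA1, a 30-second step and a one-step skew window, plus single-use recovery codes stored only as HMAC-SHA256 hashes. The `RECOVERY_HMAC_KEY`, the recovery-code format and the function names are assumptions; the verification values come from the RFC 6238 test vectors (the standard 20-byte ASCII secret `12345678901234567890`).

```typescript
import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";

const STEP_SECONDS = 30;
const DIGITS = 6;

// HOTP (RFC 4226): HMAC-SHA1 over an 8-byte big-endian counter, dynamically truncated.
export function hotp(secret: Buffer, counter: bigint, digits: number = DIGITS): string {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(counter);
  const h = createHmac("sha1", secret).update(msg).digest();
  const o = h[h.length - 1] & 0x0f;
  const bin = ((h[o] & 0x7f) << 24) | (h[o + 1] << 16) | (h[o + 2] << 8) | h[o + 3];
  return (bin % 10 ** digits).toString().padStart(digits, "0");
}

// TOTP (RFC 6238) is HOTP with the counter derived from Unix time.
export function totp(secret: Buffer, unixSeconds: number, digits: number = DIGITS): string {
  return hotp(secret, BigInt(Math.floor(unixSeconds / STEP_SECONDS)), digits);
}

// Accept the current step and `window` steps either side (clock skew); compare in constant time.
export function verifyTotp(secret: Buffer, code: string, unixSeconds: number, window: number = 1): boolean {
  const step = Math.floor(unixSeconds / STEP_SECONDS);
  let matched = false;
  for (let d = -window; d <= window; d++) {
    const expected = hotp(secret, BigInt(step + d));
    if (expected.length === code.length && timingSafeEqual(Buffer.from(expected), Buffer.from(code))) matched = true;
  }
  return matched;
}

// Assumption: a server-side key from a secret store; constructed here for the demo.
const RECOVERY_HMAC_KEY = Buffer.from("constructed-demo-recovery-key");

export interface RecoveryState { hashes: string[]; used: boolean[] }

export function hashRecoveryCode(code: string): string {
  return createHmac("sha256", RECOVERY_HMAC_KEY).update(code).digest("hex");
}

// Ten random codes; the plaintext is shown to the user once, only the hashes are persisted.
export function generateRecoveryCodes(count: number = 10): { plaintext: string[]; state: RecoveryState } {
  const plaintext = Array.from({ length: count }, () => randomBytes(5).toString("hex"));
  return { plaintext, state: { hashes: plaintext.map(hashRecoveryCode), used: plaintext.map(() => false) } };
}

// A code works exactly once: the matching slot is marked used and never matches again.
export function consumeRecoveryCode(state: RecoveryState, code: string): boolean {
  const given = Buffer.from(hashRecoveryCode(code), "hex");
  for (let i = 0; i < state.hashes.length; i++) {
    if (state.used[i]) continue;
    if (timingSafeEqual(given, Buffer.from(state.hashes[i], "hex"))) {
      state.used[i] = true;
      return true;
    }
  }
  return false;
}
```

The loop in `verifyTotp` deliberately checks every step in the window rather than returning early, so verification time does not depend on which step matched. In a real service the TOTP secret itself would be encrypted at rest (as the bullet states) and decrypted only for the duration of a verify call.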

Data protection

  • At-rest encryption (AES-256) on Postgres + R2 object storage (provider-managed)
  • TLS in transit
  • Customer data partitioned by agencyId; every query scoped
  • Field-level encryption via @velora/crypto on sensitive identifiers (e.g. FEIN)
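The internals of `@velora/crypto` are not described on this page, so the following is an added example of what field-level encryption on an identifier such as a FEIN typically looks like, not the library's actual implementation: AES-256-GCM with a random 96-bit nonce, with the `agencyId` and field name bound in as additional authenticated data so a ciphertext copied from one tenant's row into another's (or into a different column) fails to decrypt. The `DEK` constant, the `EncryptedField` envelope format and the function names are assumptions.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

// Assumption: a 32-byte data-encryption key fetched from a KMS; constructed here for the demo.
const DEK = Buffer.alloc(32, 7);

// Envelope stored in the column instead of the plaintext (constructed format).
export interface EncryptedField { v: 1; iv: string; ct: string; tag: string }

// AAD ties the ciphertext to its tenant and column; it is authenticated but not encrypted.
function aad(agencyId: string, field: string): Buffer {
  return Buffer.from(`${agencyId}|${field}`, "utf8");
}

export function encryptField(agencyId: string, field: string, plaintext: string): EncryptedField {
  const iv = randomBytes(12); // fresh nonce per encryption; never reuse with the same key
  const c = createCipheriv("aes-256-gcm", DEK, iv);
  c.setAAD(aad(agencyId, field));
  const ct = Buffer.concat([c.update(plaintext, "utf8"), c.final()]);
  return { v: 1, iv: iv.toString("base64"), ct: ct.toString("base64"), tag: c.getAuthTag().toString("base64") };
}

// Returns null on any authentication failure (wrong tenant, wrong field, modified bytes).
export function decryptField(agencyId: string, field: string, enc: EncryptedField): string | null {
  try {
    const d = createDecipheriv("aes-256-gcm", DEK, Buffer.from(enc.iv, "base64"));
    d.setAAD(aad(agencyId, field));
    d.setAuthTag(Buffer.from(enc.tag, "base64"));
    return Buffer.concat([d.update(Buffer.from(enc.ct, "base64")), d.final()]).toString("utf8");
  } catch {
    return null;
  }
}
```

Because the envelope carries its own nonce and tag, the row can be read back by any instance holding the key, while the query layer still filters by `agencyId` before a decrypt is ever attempted.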

Audit & observability

  • Append-only AuditLog on every mutation with recordHash integrity field
  • Per-user action history: entity, action, IP, userAgent, timestamp
  • Indexed by agencyId / userId / entityType+entityId / action / createdAt
  • SIEM-ready bulk export: GET /api/v1/audit/export emits NDJSON (Splunk / Elastic / Sumo / Datadog ingest format) with cursor pagination
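The "Hash-chained audit log" card and the Audit & observability bullets above describe each write carrying a `recordHash` for integrity verification and an NDJSON export with cursor pagination. The block below is an added example (not Atlas's code) of one way to realise that: every record's `recordHash` is SHA-256 over a canonical JSON form of the record including the previous record's hash, so changing or deleting any earlier row breaks every hash after it. The `AuditLog` class, the field set, the genesis value and the `exportNdjson` cursor convention (cursor = last `id` seen) are assumptions.

```typescript
import { createHash } from "node:crypto";

export interface AuditEntry {
  id: number;
  agencyId: string;
  userId: string;
  entityType: string;
  entityId: string;
  action: string;
  ip: string;
  userAgent: string;
  createdAt: string;   // ISO-8601
  prevHash: string;    // recordHash of the preceding entry, or GENESIS for the first
  recordHash: string;  // SHA-256 over the canonical form of every other field
}
export type AuditInput = Omit<AuditEntry, "id" | "prevHash" | "recordHash">;

const GENESIS = "0".repeat(64);

// Canonical JSON: keys sorted so the hash does not depend on property order.
function canonical(obj: object): string {
  const rec = obj as Record<string, unknown>;
  const sorted: Record<string, unknown> = {};
  for (const k of Object.keys(rec).sort()) sorted[k] = rec[k];
  return JSON.stringify(sorted);
}

function computeRecordHash(e: Omit<AuditEntry, "recordHash">): string {
  const body = {
    id: e.id, agencyId: e.agencyId, userId: e.userId, entityType: e.entityType, entityId: e.entityId,
    action: e.action, ip: e.ip, userAgent: e.userAgent, createdAt: e.createdAt, prevHash: e.prevHash,
  };
  return createHash("sha256").update(canonical(body)).digest("hex");
}

export class AuditLog {
  private entries: AuditEntry[] = [];

  // Append-only: the new record links to the previous record's hash.
  append(input: AuditInput): AuditEntry {
    const prev = this.entries[this.entries.length - 1];
    const partial = { ...input, id: this.entries.length + 1, prevHash: prev ? prev.recordHash : GENESIS };
    const entry: AuditEntry = { ...partial, recordHash: computeRecordHash(partial) };
    this.entries.push(entry);
    return entry;
  }

  // Walk the chain; return the index of the first record that fails, or -1 if intact.
  verify(): number {
    let expectedPrev = GENESIS;
    for (let i = 0; i < this.entries.length; i++) {
      const e = this.entries[i];
      if (e.prevHash !== expectedPrev || computeRecordHash(e) !== e.recordHash) return i;
      expectedPrev = e.recordHash;
    }
    return -1;
  }

  get(index: number): AuditEntry {
    return this.entries[index];
  }

  // Cursor-paginated NDJSON: one JSON object per line, as SIEM ingest pipelines expect.
  exportNdjson(cursor: number, limit: number): { body: string; nextCursor: number | null } {
    const page = this.entries.filter((e) => e.id > cursor).slice(0, limit);
    const nextCursor = page.length === limit ? page[page.length - 1].id : null;
    const body = page.map((e) => JSON.stringify(e)).join("\n") + (page.length ? "\n" : "");
    return { body, nextCursor };
  }
}
```

Because `prevHash` and `recordHash` travel with each exported line, a SIEM can re-run the same chain check on its own copy and alert if the export it holds ever diverges from what the source now claims.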

Change management

  • Vercel rollback window on every deploy
  • CI typecheck + test suite required on every PR (test.yml)
  • Schema migrations applied via prisma migrate, manually approved by operator before prod apply
  • Per-agency feature flags (enabled / percentRollout / allow-list / deny-list) with deterministic per-user bucket hashing for staged capability rollouts
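The feature-flag bullet above names the four controls (enabled, percentRollout, allow-list, deny-list) and deterministic per-user bucket hashing. As an added illustration that is not Atlas's code, the block below shows the evaluation order a practitioner would expect and the bucketing property that makes staged rollouts safe: a user hashed into bucket `b` is on at every percentage whose threshold exceeds `b`, so widening a rollout from 10% to 50% never switches a user off. The `FeatureFlag` shape, the 10,000-bucket space and the `observedRollout` helper are assumptions.

```typescript
import { createHash } from "node:crypto";

export interface FeatureFlag {
  key: string;
  enabled: boolean;        // master switch; off means off for everyone, allow-list included
  percentRollout: number;  // 0..100
  allowList: string[];     // userIds always on (unless denied or flag disabled)
  denyList: string[];      // userIds always off
}

const BUCKETS = 10_000; // 0.01% resolution

// Deterministic bucket in [0, BUCKETS): the same flag + user always lands in the same bucket,
// and including the flag key means different flags shuffle users independently.
export function bucketFor(flagKey: string, userId: string): number {
  const h = createHash("sha256").update(`${flagKey}:${userId}`, "utf8").digest();
  return h.readUInt32BE(0) % BUCKETS;
}

// Evaluation order: disabled -> deny-list -> allow-list -> percentage bucket.
export function isEnabled(flag: FeatureFlag, userId: string): boolean {
  if (!flag.enabled) return false;
  if (flag.denyList.includes(userId)) return false;
  if (flag.allowList.includes(userId)) return true;
  const threshold = Math.round(flag.percentRollout * (BUCKETS / 100));
  return bucketFor(flag.key, userId) < threshold;
}

// Share of a synthetic population that sees the flag; useful to sanity-check a rollout config.
export function observedRollout(flag: FeatureFlag, population: number): number {
  let on = 0;
  for (let i = 0; i < population; i++) if (isEnabled(flag, `user_${i}`)) on++;
  return on / population;
}
```

Bucketing on `flagKey:userId` rather than `userId` alone matters: if every flag used the same hash, the same small group of users would be first into every staged rollout and would absorb every early regression.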

Compliance & governance

  • HIPAA BusinessAssociateAgreement tracked as first-class model
  • ComplianceDeadline tracking for 5500, 1094/1095, ERISA notices
  • BAAs executed with every PHI-touching subprocessor before production access
  • Subprocessors published and kept current

On the enterprise roadmap — not yet shipped

  • SOC 2 Type II attestation (in progress; no report available yet)
  • SAML 2.0 SSO (Okta / Google Workspace / Microsoft Entra)
  • SCIM provisioning
  • IP allowlisting per agency

Need a SIG-Lite, CAIQ, or custom vendor questionnaire?

Email security@velora.com with your template. We return completed questionnaires within two business days for active and pipeline deals.