Security & Data Protection
Your medical records are among the most sensitive documents you own. Here is exactly how we protect them — in plain English, not marketing copy.
Implemented technical controls
Encryption at rest and in transit
All data is encrypted at rest using AES-256 and in transit using TLS 1.2+. Medical record files are stored in a private, encrypted object storage bucket — never in a public location.
Private file access — no permanent public links
We never expose a permanent public link to your medical files. Document access is gated by an ownership check on the server, so a file is served only to the account that owns it; packet exports use short-lived signed URLs that expire after 5 minutes. Sensitive account actions — refunds, account deletions, and admin operations — are recorded in an audit log.
Row-level security — your data is yours only
Every row in the database is protected by row-level security policies. Your records, conditions, drafts, and documents are accessible only to your authenticated account. Parse and extraction cache tables are scoped by file ownership — another user cannot read your parsed medical text. No other user can read your data through the app API without service-level credentials.
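As an added example (not VAI's actual schema or policies), the Postgres/Supabase row-level security pattern the paragraph above describes: a documents table scoped to its owner, and a parse-cache table that inherits that scope through the parent file rather than carrying its own owner column. Table and column names (`documents`, `parse_cache`, `owner_id`, `document_id`) are assumptions.

```sql
-- Added illustration, not VAI's code. Names below are assumed for the example.
create table documents (
  id           uuid primary key default gen_random_uuid(),
  owner_id     uuid not null references auth.users(id),
  storage_path text not null
);

create table parse_cache (
  document_id uuid primary key references documents(id) on delete cascade,
  parsed_text text not null
);

-- Deny by default: with RLS enabled, a role sees no rows unless a policy grants them.
alter table documents   enable row level security;
alter table parse_cache enable row level security;

-- Documents: readable and writable only by the authenticated user who owns the row.
-- auth.uid() is Supabase's helper returning the caller's user id from the session JWT.
create policy documents_owner_only on documents
  for all to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

-- Parse cache: scoped by file ownership. A cached row is visible only when the
-- caller owns the document it was derived from, so cross-user reads are blocked.
create policy parse_cache_by_file_owner on parse_cache
  for select to authenticated
  using (
    exists (
      select 1
      from documents d
      where d.id = parse_cache.document_id
        and d.owner_id = auth.uid()
    )
  );

-- No insert/update policy is granted to `authenticated`: cache rows are written only
-- by server-side code using the service role, which bypasses RLS in Supabase.
```

Verifying the policy is a matter of selecting from `parse_cache` with two different user sessions and confirming each sees only rows tied to its own documents.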
Least-privilege access controls
The client app only uses your user session key, which can only read and write data owned by you. Privileged service operations (like webhook processing) happen in isolated server-side edge functions, not in the browser.
PHI-safe analytics
Our internal analytics track product behavior (which features you use, when you complete a scan, whether you reached the strategy page) using counts, booleans, and UUID references only. Medical text, file names, extracted evidence, and diagnosis content are never stored in analytics systems.
What we don't do
Selling or sharing your data is not our business — and it never will be. We do not sell your data, and we do not share your medical records with any third party for their own use, advertising, or profit. The only sharing that happens is the AI inference required to power VAI's analysis, and we do not train AI models on your medical content. Your records are stored on US-based infrastructure, and inference is routed through OpenRouter (our LLM gateway) only to US-hosted model providers, which process each request under their own published policies.
Controls at a glance
- Private Supabase storage bucket (no public read access)
- Ownership-checked server-side access for document files; 5-minute signed URLs for packet exports
- Row-level security on all tables including parse/extraction caches
- Cache tables scoped by file ownership — cross-user read is blocked
- User-session-scoped API client in the browser
- Service-role operations in isolated server-side edge functions only
- Upload cacheControl: no-store — prevents intermediary caching of medical files
- Input validation and file-type allowlisting on uploads
- PHI-safe server logs — document UUID and byte counts only, no filenames or record text
- PHI-safe analytics schema (allowlisted fields only, no free-text medical content)
- US-based data storage and US-only AI model routing — no overseas processing of your records
- Audit log entries for sensitive account actions — refunds, account deletions, admin user changes, and subscription modifications (table: audit_logs)
Sub-processors
We use the following service providers to operate VAI. Each processes data on our behalf under their own published privacy and security policies.
- Supabase: Database, file storage, authentication, server-side functions
- Vercel: Application hosting and CDN
- Stripe: Payment processing for paid plans and one-time purchases
- OpenRouter: LLM gateway routing inference requests to upstream model providers
- Resend: Transactional email (account, billing, deadline reminders)
- Loops: Product email (announcements, account-event notifications)
What this page is and is not
This page describes technical controls we have implemented. It is not a compliance certification, a legal guarantee, or a HIPAA Business Associate Agreement. Regulatory compliance requires contractual, operational, and organizational steps that go beyond what any codebase can provide. If you have specific compliance requirements, please contact us at [email protected] before sharing sensitive data.
VAI is intended for individual veterans processing their own medical records. In that use, you are the data subject — you are not creating a HIPAA covered-entity / business-associate relationship by uploading your records. If you intend to use VAI on behalf of a HIPAA-covered organization (a VSO, clinic, or other entity that handles other people's PHI), reach out at [email protected] before uploading.
