Compliance · Technical SOPs

Where to look. Down to the file path.

For each control program we live under, this page documents — at the auditor's resolution — which file in our codebase, which API endpoint, which database table, and which on-chain audit anchor implements each required control. Every cell on this page maps to a verifiable artifact in production. The companion document /compliance/threaded.html describes each program for non-technical readers; this page is the technical evidence.

Phase 1 honesty

"Self-attested" means the controls below are implemented in production and we follow the program. "Pending" means the first independent audit cycle has not yet started. "Active" means a verifiable third-party result or public registration exists today. The independent firm name does not appear on this page until they have signed an engagement letter.

An auditor can verify any control listed here by running the Verify command shown beneath it, or by inspecting the linked file path in the WebOrb monorepo. Every paid customer or regulator can request gated documents through the regulator portal.

§ 01 · HIPAA

Privacy, Security, & Breach Notification. Implemented end-to-end. Status: Self-attested

45 CFR §§ 160.103, 164.302–318 (Security), 164.500–534 (Privacy), 164.400–414 (Breach Notification). Conceptual Healthcare Corporation acts as both covered entity (clinical surfaces) and business associate (DataVault, AI inference, audit chain).

Administrative safeguards · 164.308

§164.308(a)(1)(ii)(D) Information system activity review. Every PHI access, authentication event, prescription action, and token transaction is logged in app/services/audit_logger.py with HMAC-SHA256 chained signatures. The chain is verifiable independently — see CH-IP-038.
§164.308(a)(3) Workforce security · authorization. Role-based access enforced by app/permissions/permission_engine.py. Roles in orb-ios:CEOIdentityManager persist to Keychain for reinstall recovery.
§164.308(a)(5) Security awareness · training. Onboarding curriculum at /var/www/ch-v2/ui_kits/university/ with completion tracking in guardian_user_training table.
§164.308(b) Business associate contracts. Every BAA is hashed (SHA-256) and bound into the operator's mTLS certificate as an X.509 OID extension per CH-IP-043. The orchestrator daemon (CH-IP-046) refuses any tier1 (PHI) software update whose signing operator does not carry a valid BAA hash.

Physical safeguards · 164.310

§164.310(a)(1) Facility access. Conceptual Healthcare Corp HQ in Destin, FL operates the primary chain validator (ch-validator-1) under physical access controls; the chain auditing key never leaves the facility. Production deployments use cloud-native compute over CH VPN.
§164.310(d)(2)(i) Disposal of PHI. AES-256-GCM encryption keys are destroyed on patient delete via app/services/encryption_manager.py:destroy_key; data at rest is rendered cryptographically unrecoverable.

Technical safeguards · 164.312

§164.312(a)(1) Access control · unique user. Every request authenticates via JWT (app/auth/jwt_handler.py) bound to chMemberId. No service-account login to PHI surfaces.
§164.312(a)(2)(i) Automatic logoff. 5-minute idle timeout enforced in orb-ios:SessionManager; same on web via _shared/ch-page.js.
§164.312(a)(2)(iv) Encryption at rest. AES-256-GCM via app/services/message_encryption.py. All PHI fields encrypted before persistence.
§164.312(b) Audit controls. HMAC-chained audit log; tamper detectable by re-deriving each entry's signature from the previous. Chain entries posted to chain.conceptualhealth.com.
§164.312(c)(1) Integrity. Every PHI write is signed; every read verifies the signature. Implementation: chagent/edge.py:close_task + chagent/orchestrator.py:_emit_chain_audit_event.
§164.312(d) Person/entity authentication. Biometric + PIN MFA on iOS; Ed25519 keypair on every edge node and every operator.
§164.312(e)(1) Transmission security. TLS 1.3 with X25519 key agreement. Internal-network traffic over CH VPN (Noise IK + ChaCha20-Poly1305). FIPS build swaps to AES-256-GCM with byte-identical wire format — see CH-IP-044.

Breach Notification · 164.400–414

§164.404 Patient notice. Notification within 60 days of discovery via in-app push, secure message, and registered mail for the affected cohort. The transparency report at trust/transparency-report.html publishes every notifiable breach with detection timestamp, OCR disclosure timestamp, root cause, and remediation. Today the count is zero.
§164.408 HHS Secretary notice. Single-incident: within 60 days. Annual summary by Mar 1 for incidents affecting <500 individuals.

Verify

# Inspect the HMAC-chained audit log directly
sudo -u postgres psql -d guardianorb -c \
  "SELECT id, action, encode(prev_hash, 'hex'), encode(this_hash, 'hex') FROM audit_log ORDER BY id DESC LIMIT 5"

# Verify every chain entry's signature link
python3 -m chagent.audit_verify --since 24h
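The HMAC-SHA256 chain that §164.308(a)(1)(ii)(D) and §164.312(b) rely on, as an added illustration rather than the project's audit_logger.py: each entry's this_hash is an HMAC over its own fields plus the previous entry's this_hash, so editing or deleting any row is caught when the chain is re-derived. The key, the genesis anchor, and the entry rows are constructed for the demo.

```python
from __future__ import annotations
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed demo key: the page's real key lives with audit_logger.py, not here.
AUDIT_KEY = b"demo-audit-hmac-key"
GENESIS = hashlib.sha256(b"genesis").digest()  # assumed fixed anchor for entry 1

@dataclass(frozen=True)
class AuditEntry:
    id: int
    action: str
    payload: str      # JSON-encoded event details
    prev_hash: bytes  # this_hash of the preceding entry (the chain link)
    this_hash: bytes  # HMAC-SHA256 over id, action, payload, prev_hash

def link_hash(entry_id: int, action: str, payload: str, prev_hash: bytes) -> bytes:
    # Length-prefix each field so field boundaries cannot be shifted undetected.
    mac = hmac.new(AUDIT_KEY, digestmod=hashlib.sha256)
    for field in (str(entry_id).encode(), action.encode(), payload.encode(), prev_hash):
        mac.update(len(field).to_bytes(4, "big"))
        mac.update(field)
    return mac.digest()

def append(log: list[AuditEntry], action: str, details: dict) -> AuditEntry:
    prev = log[-1].this_hash if log else GENESIS
    entry_id = log[-1].id + 1 if log else 1
    payload = json.dumps(details, sort_keys=True)
    entry = AuditEntry(entry_id, action, payload, prev, link_hash(entry_id, action, payload, prev))
    log.append(entry)
    return entry

def verify_chain(log: list[AuditEntry]) -> tuple[bool, int | None]:
    """Re-derive every link from its predecessor; return (ok, id of first bad entry)."""
    prev = GENESIS
    for e in log:
        expected = link_hash(e.id, e.action, e.payload, e.prev_hash)
        if e.prev_hash != prev or not hmac.compare_digest(e.this_hash, expected):
            return False, e.id
        prev = e.this_hash
    return True, None

def demo() -> tuple[bool, int | None, bool, int | None]:
    """Build a 3-entry chain, then rewrite entry 2 in place as a DB tamperer would."""
    log: list[AuditEntry] = []
    append(log, "phi.read", {"member": "chMember-demo-1", "record": "rx-42"})
    append(log, "rx.sign", {"member": "chMember-demo-2", "record": "rx-42"})
    append(log, "phi.read", {"member": "chMember-demo-1", "record": "rx-43"})
    before = verify_chain(log)
    e = log[1]
    log[1] = AuditEntry(e.id, e.action, '{"member": "chMember-demo-9"}', e.prev_hash, e.this_hash)
    return before + verify_chain(log)
```

Anyone holding AUDIT_KEY could recompute the links after an edit, which is why the entries are also posted to the external chain anchor described under §164.312(b).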

§ 02 · HITRUST CSF r2

156 controls, mapped. Tier-aware dispatch enforces them at runtime. Status: Pending

HITRUST CSF v11. Mapping: CH-IP-045 defines a three-tier conformance standard (CH-EP0/EP1/EP2) that maps to HITRUST e1 / i1 / r2 respectively, enforced by a single can_dispatch function at workload-routing time.

Implementation

CH-EP0 (HITRUST e1) · de-identified compute on volunteer hardware. Required: full-disk encryption, Secure Boot, signed audit log shipping. Verified at heartbeat by chagent/edge.py:heartbeat.
CH-EP1 (HITRUST i1) · limited PHI under signed BAA. All EP0 + FIPS 140-3 module + hardware-backed keys + 5-min auto-logoff + BAA hash in mTLS cert. Enforced by ch-orchestrator/main.go:verifyEvent.
CH-EP2 (toward HITRUST r2) · full PHI inference under TEE attestation. All EP1 + per-session remote attestation (NVIDIA CC / AMD SEV-SNP / Intel TDX / AWS Nitro Enclaves) + ephemeral memory. Implementation present; cloud-vendor attestation evidence registry in guardian_edge_attestation table.

Status

Engagement with a HITRUST-authorized External Assessor pending Phase 2. The mapping document is published; the live tier check runs on every dispatch today.

Verify

# Live tier of every registered edge node
curl https://conceptualhealth.com/edge/nodes | jq '.nodes[] | {tier, services, baa_signed: .capabilities.baa_signed}'

# Live dispatch policy
curl https://conceptualhealth.com/ches/policy | jq
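A model of the cumulative CH-EP0/EP1/EP2 tier check described above, written here as an added example and not taken from the project's can_dispatch: a node earns a tier only if it satisfies that tier's flags and every lower tier's, and a workload is routed only to a node whose earned tier is at least its own. The capability flag names, the attestation field, and the sample nodes are assumptions modelled on the page's descriptions.

```python
from __future__ import annotations

# Tier ladder from the page: CH-EP0 -> HITRUST e1, CH-EP1 -> i1, CH-EP2 -> r2.
TIER_RANK = {"CH-EP0": 0, "CH-EP1": 1, "CH-EP2": 2}

# Flags each tier adds on top of the previous one. Names are assumptions
# modelled on the page's descriptions, not the project's real capability keys.
REQUIREMENTS = {
    "CH-EP0": {"full_disk_encryption", "secure_boot", "signed_audit_shipping"},
    "CH-EP1": {"fips_140_3", "hardware_backed_keys", "auto_logoff_5min", "baa_signed"},
    "CH-EP2": {"ephemeral_memory"},
}
ATTESTATION_VENDORS = {"nvidia-cc", "amd-sev-snp", "intel-tdx", "aws-nitro"}

def node_tier(node: dict) -> str | None:
    """Highest tier whose cumulative requirements the node satisfies, else None."""
    caps = {k for k, v in node.get("capabilities", {}).items() if v is True}
    earned = None
    for tier in ("CH-EP0", "CH-EP1", "CH-EP2"):
        if not REQUIREMENTS[tier] <= caps:
            break
        if tier == "CH-EP2":
            att = node.get("attestation", {})  # per-session remote attestation result
            if not att.get("verified") or att.get("vendor") not in ATTESTATION_VENDORS:
                break
        earned = tier
    return earned

def can_dispatch(workload_tier: str, node: dict) -> tuple[bool, str]:
    """Route a workload only to a node whose earned tier is at least the workload's."""
    if workload_tier not in TIER_RANK:
        return False, f"unknown workload tier {workload_tier!r}"
    earned = node_tier(node)
    if earned is None:
        return False, "node fails the EP0 baseline"
    if TIER_RANK[earned] < TIER_RANK[workload_tier]:
        return False, f"node is {earned}, workload needs {workload_tier}"
    return True, f"node is {earned}, workload needs {workload_tier}"

# Constructed sample nodes in the shape /edge/nodes reports (capabilities flags).
EP0_CAPS = {"full_disk_encryption": True, "secure_boot": True, "signed_audit_shipping": True}
EP1_CAPS = {**EP0_CAPS, "fips_140_3": True, "hardware_backed_keys": True,
            "auto_logoff_5min": True, "baa_signed": True}
VOLUNTEER = {"id": "demo-node-a", "capabilities": {**EP0_CAPS, "baa_signed": False}}
CLINIC = {"id": "demo-node-b", "capabilities": EP1_CAPS}
TEE = {"id": "demo-node-c", "capabilities": {**EP1_CAPS, "ephemeral_memory": True},
       "attestation": {"vendor": "amd-sev-snp", "verified": True}}
# Looks EP2-capable but carries no signed BAA: tiers are cumulative, so it stays EP0.
NO_BAA = {"id": "demo-node-d", "capabilities": {**TEE["capabilities"], "baa_signed": False},
          "attestation": {"vendor": "intel-tdx", "verified": True}}
```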

§ 03 · SOC 2 Type II

Trust Services Criteria. All five. Status: Pending

AICPA Trust Services Criteria 2017 (revised 2022). Scope: production surfaces. First Type II report covers a continuous 12-month observation window beginning Phase 2 launch.

Common Criteria implementation

CC1.x · Control Environment. CEO-signed governance posture; operator keys logged in guardian_orchestrator_operators; revocations are append-only events.
CC6.x · Logical/Physical Access. JWT auth, role checks, MFA on iOS, BAA gate at orchestrator. CH VPN (CH-IP-044) for internal east-west.
CC7.x · System Operations. Every container swap is signed, hash-anchored, logged. Public software-updates audit lane.
CC8.x · Change Management. No SSH-and-edit production. Updates flow through ch-control → ch-orchestrator → atomic systemd swap with rollback. Reference: CH-IP-046.
CC9.x · Risk Mitigation. 5%-sample cross-node verification (chagent/edge_verify.py); HMAC stake slashing on signature mismatch.

Verify

# Software-updates audit lane (the SOC 2 CC8 evidence)
curl https://chain.conceptualhealth.com/api/v1/chain/updates | jq

# Edge-task verification protocol (CC9)
sudo -u postgres psql -d guardianorb -c \
  "SELECT verification, count(*) FROM guardian_edge_tasks GROUP BY verification"

§ 04 · FIPS 140-3

Cryptographic modules. Validated primitives. Status: Self-attested

NIST CMVP. All cryptographic primitives use FIPS 140-3 validated implementations. Module-library cert is vendor-issued; system cert pending.

Primitives in use

AES-256-GCM · data at rest (app/services/message_encryption.py) · data in transit (CH VPN FIPS build via build-tag fips).
ChaCha20-Poly1305 · CH VPN AEAD (non-FIPS build, byte-identical wire to AES-GCM build).
Ed25519 · operator keys, edge-node keys, response signatures (ch-orchestrator/main.go, edge-agent-mac/main.go).
X25519 · key agreement for CH VPN handshake and TLS 1.3.
SHA-256, SHA-3-256 · audit-chain entries, image manifests, BAA hashes, patent disclosures.
HMAC-SHA256 · audit-log chain links (app/services/audit_logger.py), TURN credential derivation.

Verify

# Confirm the active TLS cipher suite is FIPS-aligned
# (s_client prints "Cipher    :" with padding, so match any run of spaces before the colon)
openssl s_client -connect conceptualhealth.com:443 -tls1_3 -ciphersuites 'TLS_AES_256_GCM_SHA384' </dev/null 2>&1 | grep -E 'Cipher +:'

# CH VPN AEAD selection (build-tag-driven)
strings /home/lahtir/WebOrb/ch-vpn/build/chvpn-echo | grep -E 'AES-256-GCM|ChaCha20'

§ 05 · NIST Cybersecurity Framework 2.0

Govern · Identify · Protect · Detect · Respond · Recover. Status: Self-attested

NIST CSF 2.0 (Feb 2024). Applied across our entire compute footprint, with the Govern function added to the previous CSF 1.1 set.

Mapping

GV.OC Organizational context. CEO-signed governance posture; operator pubkey list in /etc/ch-orchestrator/config.json.
ID.AM Asset management. Every container has a SHA-256 image hash + tier label + patent ref label, recorded in /var/lib/ch-images/MANIFEST.log.
PR.AC Access control. JWT, MFA, BAA gate, mTLS with BAA-OID extension.
PR.DS Data security. AES-256-GCM at rest, TLS 1.3 in transit, key shred on revoke.
PR.IP Information protection processes. Atomic container swap with rollback (CH-IP-046); no in-place edits.
DE.CM Continuous monitoring. 4 nightly linters (consistency, dead-link, brand, a11y). Logs at /home/lahtir/logs/.
RS.RP Response planning. Incident playbook in ops/runbooks/; chain-anchored event log auto-attributes patient impact via CH-IP-046 §4.
RC.RP Recovery planning. Last-known-good container kept hot for instant rollback; PostgreSQL daily backup with 30-day retention; PITR via WAL archive.

Verify

# Run the four nightly linters live
bash /home/lahtir/WebOrb/backend/scripts/integrity/run_nightly.sh

# Recover-from-rollback drill (orchestrator action: rollback)
ch-control rollback --service ch-concierge --baa-hash "$BAA_HASH"

§ 06 · PCI DSS v4.0

SAQ-D scope. No PAN on our infrastructure. Status: Pending

PCI Security Standards Council DSS v4.0 (March 2022). Scope: SAQ-D (service provider). Patient and clinic card payments are routed through a PCI-validated processor; Conceptual Health systems never see the PAN, CVV, or magstripe.

Implementation

Req 1, 2 Network segmentation. CH VPN tenant-tag enforces per-tenant isolation in the AEAD header (CH-IP-044). Default-deny on all production firewalls.
Req 3 Protect stored cardholder data. We do not store cardholder data. Tokens only.
Req 4 Encrypt transmission. TLS 1.3 with X25519 + AES-256-GCM; HSTS preload on all customer-facing domains.
Req 6.5 Secure SDLC. Every deploy is operator-Ed25519-signed; every image is hash-anchored; every change is audit-logged. CH-IP-046.
Req 8 Identify and authenticate users. JWT + MFA + BAA-bound certificates; service accounts disabled.
Req 10 Log access. HMAC-chained audit log; tamper-evident; published quarterly.
Req 11 Test security. Annual third-party penetration test scheduled with Phase 2.

Verify

# Confirm no PAN ever touches our DB (must return 0)
# Note: '%pan%' is a broad substring match (it would also hit e.g. "expand"), so review any non-zero result by column name.
sudo -u postgres psql -d guardianorb -c \
  "SELECT count(*) FROM information_schema.columns WHERE column_name ILIKE '%pan%' OR column_name ILIKE '%cardnumber%'"

§ 07 · FDA 21 CFR Part 11

Electronic records, electronic signatures. Status: Self-attested

21 CFR Part 11 (1997). Scope: clinical research data submitted to or held under FDA jurisdiction. Used in any data-marketplace cohort that backs a clinical study.

Implementation

11.10(a) Validated systems. Every container image is hash-pinned, signed, and the chain-anchored audit lane records the version that produced every clinical AI suggestion (CH-IP-046 §4).
11.10(b) Accurate copies. PHI export is byte-identical via app/services/uscdi_export.py; FHIR R4 endpoint returns USCDI v3 + receipt hash.
11.10(c) Record retention. 7-year minimum; backup retention via scripts/backup_db.sh (30-day rolling) + offsite cold archive.
11.10(d) Limited access. Role-gated on PermissionEngine; physician reviewer queue under admin token.
11.10(e) Secure audit trails. HMAC-SHA256 chained log; chain-anchored per CH-IP-038.
11.50 Signature manifestations. Ed25519 signatures on every reviewed clinical case, with reviewer credentials, timestamp, and meaning of signature recorded.
11.70 Linking signatures to records. Signature is bound to the record's SHA-256 hash; tampering with record breaks signature verification.

Verify

# Audit-chain integrity check
python3 -m chagent.audit_verify --full

# Signature link on a clinical case
sudo -u postgres psql -d guardianorb -c \
  "SELECT case_id, encode(reviewer_signature, 'hex'), reviewer_pubkey FROM clinical_review_signatures LIMIT 5"

§ 08 · DEA EPCS

Electronic Prescriptions for Controlled Substances. Status: Pending

21 CFR §§ 1300, 1304, 1306, 1311. Required before any Schedule II–V e-prescribing goes live.

Implementation

Two-factor authentication. One factor cryptographic (FIDO2 / passkey), one factor biometric. iOS Orb implementation in orb-ios:AuthManager; web in app/auth/mfa_service.py.
Identity proofing. NIST IAL-2 equivalent at registration: government-ID image + biometric match + address verification. Records in guardian_id_proofing table with 7-year retention.
Two-token signing. Each EPCS prescription requires the prescriber's biometric + their hardware-bound credential. Signed with Ed25519; hash anchored on chain.
Audit logs. Every EPCS action — create, transmit, refill, cancel — recorded in tamper-evident HMAC-chained log.

Status

Mechanism implemented end-to-end and tested in staging. The first DEA-approved EPCS auditor engagement is required before EPCS go-live. Until that audit is complete, EPCS is off in production.

§ 09 · FinCEN MSB · BSA

Money Services Business · written compliance program. Status: Pending

31 CFR §§ 1010, 1022. Required before hc.exchange goes live with public spot trading.

Implementation

KYC / CDD. Identity verification at signup; CIP records in exchange_wallet_attestations.
OFAC screening. Real-time check against the OFAC SDN list at every onboarding and at every withdrawal.
SAR filing. Suspicious-activity rules in app/compliance/sar_engine.py; flagged events queued for the BSA Officer.
CTR filing. Currency transactions over $10K aggregated and filed.
Written compliance program. See BSA program (gated).

§ 10 · 21st Century Cures Act

Information blocking · USCDI · FHIR. Status: Self-attested

42 USC 300jj-52; 45 CFR Part 171. Effective Apr 5, 2021 (and revised since).

Implementation

USCDI v3 export. Every patient can download their full record in the format they request. Endpoint: /api/v1/patient/me/export?format=uscdi_v3.
FHIR R4 API. SMART on FHIR app launch; OAuth 2 / OIDC flow; data scopes per the Standardized API. Endpoint: /fhir/r4/.
Individual access. Free, immediate, in the format requested. No fees, no friction.
No information-blocking practices. Per app/services/data_sharing.py, every export request is logged; refusals require an explicit Cures Act exception ID and are reviewed monthly.

§ 11 · WCAG 2.2 AA + Section 508

Every patient, every device. Status: Self-attested

W3C WCAG 2.2 (October 2023); 29 USC 794d (Section 508). Patient-facing surfaces target Level AA, with AAA contrast where feasible.

Implementation

1.1.1 Non-text Content. Every content image carries alt text; decorative images use alt="" or aria-hidden="true".
1.3.1 Info and Relationships. Semantic landmarks (<main>, <nav>, <header>) on every page; programmatic labels on every form input.
1.4.3 Contrast (Minimum). All body text meets AA 4.5:1; primary action buttons meet AAA 7:1 against the editorial bone background. Color tokens in /var/www/ch-v2/colors_and_type.css.
2.1.1 Keyboard. Every interactive element reachable via Tab; onclick on <div> is linted out (CH a11y linter).
2.4.1 Bypass Blocks. Skip-to-main-content link as the first focusable element on every page.
2.4.7 Focus Visible. 2px focus ring on every interactive element via _shared/a11y.css.
2.5.5 / 2.5.8 Target Size. Minimum 44×44 CSS pixel touch targets on patient surfaces.
3.1.1 Language of Page. <html lang="en"> on every page.
3.3.3 / 3.3.4 Error Suggestion / Prevention. Inline form-error messages with screen-reader announcements; financial transactions require explicit confirmation.
4.1.2 Name, Role, Value. Every custom widget exposes accessible name + role via ARIA; native HTML elements preferred.

Verify

# Run the in-house WCAG linter (HIGH must be 0)
python3 /home/lahtir/WebOrb/backend/scripts/integrity/check_a11y.py

# VPAT 2.4 publication scheduled with first independent accessibility audit (Phase 2)

§ 12 · 42 CFR Part 2 (SUD)

Substance-use records · elevated consent. Status: Self-attested

42 CFR Part 2 (Confidentiality of Substance Use Disorder Patient Records). Scope: any clinical record marked as SUD-treatment-related.

Implementation

Per-disclosure consent. SUD-tagged records cannot be released without an explicit consent record in guardian_disclosures referencing this specific recipient and purpose. The consent itself is signed by the patient's GuardianOrb wallet.
Prohibition on re-disclosure. Every SUD record returned by the API carries the Part 2 notice header; receiving systems are bound by acceptance. Verifiable via response audit trail.
Encryption. SUD-tagged columns are double-encrypted: AES-256-GCM at the field level, plus the cohort-level encryption key. Patient revoke triggers double-key destruction.

Pull a document.

Every gated artifact named on this page is available through the regulator portal. Engineering questions: open an issue in github.com/ConceptualHC/WebOrb. Audit-firm engagement letters: audits@conceptualhealth.com.

"Integrity in all we do."