VProGo manages sensitive behavioral-health data for treatment facilities. Security and privacy aren’t a feature bolted on afterward — they’re enforced in the platform itself and verified continuously. Here’s how.
Our framework alignment. We describe our posture honestly — alignment and in-progress work are labeled as such.
Controls are mapped to the SOC 2 Trust Services Criteria and continuously monitored. A Type II examination is in progress.
VProGo operates as a Business Associate. Administrative, physical, and technical safeguards are implemented per the HIPAA Security and Privacy Rules.
Substance-use-disorder records receive the heightened protection and redisclosure controls required by 42 CFR Part 2.
Continuous control monitoring
Our controls aren’t checked once a year — an in-house engine probes our security posture automatically every day and records the evidence trail.
TLS 1.2+ in transit and AES-256 at rest, with additional application-layer field encryption on designated sensitive columns. Backups are encrypted.
Per-facility data isolation is enforced in the database itself with Row-Level Security policies, not only in application code, so a query running under one facility’s role cannot return another facility’s rows even if an application-layer check is missed.
Least-privilege, role-based access. Multi-factor authentication is enforced on accounts, and privileged ("god-tier") access is restricted and fully audited.
Security-relevant actions are written to an immutable audit trail, with PHI access flagged.
Hosted on infrastructure with SOC 2 Type II attestations (Supabase, Vercel). Secrets live in managed secret stores, never in source code.
PHI is used only to deliver the contracted services and only the minimum necessary for the task. VProGo never sells PHI or uses it for its own marketing.
The third-party services that may process data on VProGo’s behalf. Subprocessors that may handle PHI are required to execute a Business Associate Agreement before production use.
| Subprocessor | Purpose | Data location | PHI | Their attestation |
|---|---|---|---|---|
| Alleva EMR | EMR integration — patient data sync | Customer Alleva instance | May process PHI | — |
| Kipu EMR | EMR integration — patient data sync | Customer Kipu instance | May process PHI | — |
| Vercel | Application hosting, CDN, edge functions | Global edge | May process PHI | SOC 2 Type II |
| Cloudflare | DNS / DDoS / CDN | Global | No PHI | SOC 2 Type II |
| GitHub | Source control, CI/CD | US | No PHI | SOC 2 Type II |
| Stripe | Payment processing | US | No PHI | SOC 2 Type II |
Selected policies we make publicly available. Our complete governance library is available under NDA.
Yes. VProGo handles Protected Health Information as a Business Associate and implements the administrative, physical, and technical safeguards required by the HIPAA Security and Privacy Rules. We sign a Business Associate Agreement (BAA) with every covered-entity customer.
VProGo is aligned with the SOC 2 Trust Services Criteria and continuously monitors its controls; a SOC 2 Type II examination is in progress. SOC 2 is an attestation report rather than a certification, and we do not claim a report we have not yet received. The full report is available under NDA once issued.
Isolation is enforced at the database layer with Row-Level Security policies, so every query that runs under a tenant role is filtered to that tenant’s rows, independent of application code. Our continuous control monitoring verifies automatically that the policies remain enabled on the relevant tables.
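Tenant isolation of the kind described above, as an added example that is not VProGo’s schema: PostgreSQL Row-Level Security (the mechanism Supabase exposes) scoped by a facility identifier taken from the caller’s verified JWT. The table and column names (patients, facility_id), the JWT claim name (facility_id), and the helper current_facility_id() are assumptions for illustration; the request.jwt.claims setting is the one PostgREST/Supabase populates from the verified token.

```sql
-- Added example, not VProGo's schema. Names (patients, facility_id,
-- current_facility_id) and the JWT claim "facility_id" are assumptions.

create table patients (
  id          bigint generated always as identity primary key,
  facility_id uuid        not null,
  mrn         text        not null,
  created_at  timestamptz not null default now()
);

-- Constructed sample data for two facilities, loaded before RLS is turned on.
insert into patients (facility_id, mrn) values
  ('11111111-1111-1111-1111-111111111111', 'A-001'),
  ('11111111-1111-1111-1111-111111111111', 'A-002'),
  ('22222222-2222-2222-2222-222222222222', 'B-001');

-- ENABLE turns policies on; FORCE also applies them to the table owner. Without
-- FORCE, the owning role (often the migration user) silently sees every row.
alter table patients enable row level security;
alter table patients force row level security;

-- The caller's facility comes from the verified JWT claims that PostgREST/Supabase
-- place in request.jwt.claims. An absent or empty claim yields NULL, a NULL
-- predicate denies the row, so the policy fails closed.
create or replace function current_facility_id() returns uuid
language sql stable as $$
  select nullif(current_setting('request.jwt.claims', true)::jsonb ->> 'facility_id', '')::uuid
$$;

-- One policy for reads and writes: USING filters the rows the caller may see,
-- WITH CHECK rejects inserts and updates that would land in another facility.
create policy patients_tenant_isolation on patients
  for all
  to authenticated
  using      (facility_id = current_facility_id())
  with check (facility_id = current_facility_id());

grant select, insert, update, delete on patients to authenticated;

-- Exercise the policy as a facility-A user. set_config with is_local = false
-- keeps the claim for the whole session, so it survives autocommit boundaries.
set role authenticated;
select set_config('request.jwt.claims',
                  '{"facility_id":"11111111-1111-1111-1111-111111111111"}', false);

-- Counts only facility A's rows; B-001 is invisible to this session.
select count(*) from patients;

-- Rejected by WITH CHECK: the row would belong to facility B.
insert into patients (facility_id, mrn)
  values ('22222222-2222-2222-2222-222222222222', 'B-999');

reset role;

-- A control-monitoring check: every ordinary table in public must have RLS both
-- enabled and forced. Any row returned here is a finding to investigate.
select c.relname
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind = 'r'
  and not (c.relrowsecurity and c.relforcerowsecurity);
```

Two caveats a reviewer would check: RLS is never applied to superusers or to roles with the BYPASSRLS attribute (in Supabase, the service_role key), so any server-side code that uses such a role must carry its own tenant filter; and a policy granted only to the authenticated role denies everything to other roles under FORCE, which is the desired default-deny but does mean seed and migration jobs need to run before forcing or under a role that bypasses RLS.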
Any subprocessor that may process PHI is required to execute a Business Associate Agreement before production use. Our subprocessor list is published on this page and maintained in a managed vendor registry.
We maintain a documented incident-response and breach-notification process. Affected covered entities are notified without unreasonable delay and within the timeframe required by the governing BAA, with the information they need to meet their own obligations.
The complete package — SOC 2 report (when issued), full policy set, penetration-test results, and detailed control evidence — is available to customers and prospects under NDA. Use the request button below.
Request documentation