VProGo


Trust & Security

VProGo manages sensitive behavioral-health data for treatment facilities. Security and privacy aren’t a feature bolted on afterward — they’re enforced in the platform itself and verified continuously. Here’s how.

Compliance posture

Our framework alignment. We describe our posture honestly — alignment and in-progress work are labeled as such.

SOC 2 Type II

Aligned

Controls are mapped to the SOC 2 Trust Services Criteria and continuously monitored. A Type II examination is in progress.

HIPAA / HITECH

Compliant

VProGo operates as a Business Associate. Administrative, physical, and technical safeguards are implemented per the HIPAA Security and Privacy Rules.

42 CFR Part 2

Compliant

Substance-use-disorder records receive the heightened protection and redisclosure controls required by 42 CFR Part 2.

Continuous control monitoring

Our controls aren’t checked once a year — an in-house engine probes our security posture automatically and records the evidence trail.

8 automated control tests
Last automated scan: July 2, 2026

How we protect your data

Encryption everywhere

TLS 1.2+ in transit and AES-256 at rest, with additional application-layer field encryption on designated sensitive columns. Backups are encrypted.

Tenant isolation

Per-facility data isolation is enforced in the database itself with Row-Level Security — not just in application code — so one facility can never see another’s data.

Access control & MFA

Least-privilege, role-based access. Multi-factor authentication is enforced on accounts, and privileged ("god-tier") access is restricted and fully audited.

Auditing & monitoring

Security-relevant actions are written to an immutable audit trail, with PHI access flagged. An in-house engine probes our security posture automatically every day.

Hardened infrastructure

Hosted on SOC 2 Type II–certified infrastructure (Supabase, Vercel). Secrets live in managed secret stores, never in source code.

Minimum necessary

PHI is used only to deliver the contracted services and only the minimum necessary for the task. VProGo never sells PHI or uses it for its own marketing.

Subprocessors

The third-party services that may process data on VProGo’s behalf. Subprocessors that may handle PHI are required to execute a Business Associate Agreement before production use.

| Subprocessor | Purpose | Data location | PHI | Their attestation |
|---|---|---|---|---|
| Alleva EMR | EMR integration — patient data sync | Customer Alleva instance | May process PHI | |
| Kipu EMR | EMR integration — patient data sync | Customer Kipu instance | May process PHI | |
| Vercel | Application hosting, CDN, edge functions | Global edge | May process PHI | SOC 2 Type II |
| Cloudflare | DNS / DDoS / CDN | Global | No PHI | SOC 2 Type II |
| GitHub | Source control, CI/CD | US | No PHI | SOC 2 Type II |
| Stripe | Payment processing | US | No PHI | SOC 2 Type II |

Published policies

Selected policies we make publicly available. Our complete governance library is available under NDA.

Business Associate Agreement (template)

HIPAA

Vendor / Subprocessor Management

Third Parties

Frequently asked

Is VProGo HIPAA compliant?

Yes. VProGo handles Protected Health Information as a Business Associate and implements the administrative, physical, and technical safeguards required by the HIPAA Security and Privacy Rules. We sign a Business Associate Agreement (BAA) with every covered-entity customer.

Are you SOC 2 certified?

VProGo is aligned with the SOC 2 Trust Services Criteria and continuously monitors its controls; a SOC 2 Type II examination is in progress. We do not claim a completed certification we have not yet earned. The full report is available under NDA once issued.

How is one facility’s data kept separate from another’s?

Isolation is enforced at the database layer with Row-Level Security policies, so access is restricted by tenant on every query — independent of application code. This is verified automatically by our continuous control monitoring.
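The Row-Level Security isolation described under "Tenant isolation" and in the FAQ answer above, shown as an added example in Postgres SQL. This is not VProGo's schema or policy code: the patient_notes table, the facility_id column and the facility_id JWT claim are assumed, as is the PostgREST/Supabase convention of exposing the caller's verified JWT claims through the request.jwt.claims setting. The final block is the kind of check a continuous control monitor can run to confirm the policy actually holds.

```sql
-- Added illustration of per-tenant Row-Level Security in Postgres.
-- Hypothetical schema: table, column and claim names are assumptions,
-- not VProGo's own objects.

create table if not exists patient_notes (
  id          bigint generated always as identity primary key,
  facility_id uuid        not null,
  body        text        not null,
  created_at  timestamptz not null default now()
);

-- Enable RLS and FORCE it so the table owner is also subject to the
-- policies; only superusers and roles with BYPASSRLS can skip them.
alter table patient_notes enable row level security;
alter table patient_notes force row level security;

-- The caller's facility, read from the signed JWT that the API layer
-- (PostgREST/Supabase convention, assumed here) stores in
-- request.jwt.claims. The client never supplies this value directly.
-- With no claim present the function returns NULL, every policy below
-- evaluates to false, and the caller sees no rows: a safe default.
create or replace function current_facility_id()
returns uuid
language sql
stable
as $$
  select (nullif(current_setting('request.jwt.claims', true), '')::jsonb
          ->> 'facility_id')::uuid
$$;

-- One policy per operation. USING filters the rows a caller can read,
-- update or delete; WITH CHECK rejects any write whose facility_id is not
-- the caller's own, so data cannot be planted in another tenant.
create policy tenant_select on patient_notes
  for select using (facility_id = current_facility_id());

create policy tenant_insert on patient_notes
  for insert with check (facility_id = current_facility_id());

create policy tenant_update on patient_notes
  for update
  using      (facility_id = current_facility_id())
  with check (facility_id = current_facility_id());

create policy tenant_delete on patient_notes
  for delete using (facility_id = current_facility_id());

-- Automated control test. Run as an ordinary role (not a superuser, no
-- BYPASSRLS), inside a transaction that is rolled back afterwards.
-- Constructed sample data: two facilities, one note each.
begin;

select set_config('request.jwt.claims',
  '{"facility_id":"11111111-1111-1111-1111-111111111111"}', true);
insert into patient_notes (facility_id, body)
  values ('11111111-1111-1111-1111-111111111111', 'facility A note');

select set_config('request.jwt.claims',
  '{"facility_id":"22222222-2222-2222-2222-222222222222"}', true);
insert into patient_notes (facility_id, body)
  values ('22222222-2222-2222-2222-222222222222', 'facility B note');

-- Still acting as facility B: the control passes only if exactly one row
-- (facility B's own) is visible. Any other count is a finding.
do $$
declare visible_rows bigint;
begin
  select count(*) into visible_rows from patient_notes;
  if visible_rows <> 1 then
    raise exception 'tenant isolation control failed: % rows visible',
      visible_rows;
  end if;
end $$;

rollback;
```

Two details matter for the check to mean anything: the role that runs it must not be a superuser or carry BYPASSRLS, since those bypass every policy regardless of FORCE, and the facility_id used by the policies must come from a claim the server verified (the JWT signature), never from a request parameter the client controls. The whole test runs inside one transaction, so the set_config(..., true) values and the seeded rows disappear at rollback and leave no residue in production tables.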

Do your subprocessors sign BAAs?

Any subprocessor that may process PHI is required to execute a Business Associate Agreement before production use. Our subprocessor list is published on this page and maintained in a managed vendor registry.

How do you handle a security incident or breach?

We maintain a documented incident-response and breach-notification process. Affected covered entities are notified without unreasonable delay and within the timeframe required by the governing BAA, with the information they need to meet their own obligations.

Where can I get your full security documentation?

The complete package — SOC 2 report (when issued), full policy set, penetration-test results, and detailed control evidence — is available to customers and prospects under NDA. Use the request button below.

Need the full security package?

Customers and prospects can request our complete documentation under NDA — SOC 2 report (when issued), full policy library, penetration-test results, and detailed control evidence.

Request documentation