Effective Date: March 28, 2026 | Version 1.0
Information Security Policy
Verilexa maintains a comprehensive information security program designed to protect the confidentiality, integrity, and availability of all systems and data. This policy describes our security controls and practices in support of SOC 2 and HIPAA compliance.
1. Encryption
In Transit
All data transmitted between clients and servers is encrypted using TLS 1.2 or higher. HTTP Strict Transport Security (HSTS) is enforced with a 2-year max-age, including subdomains, with preload enabled.
At Rest
Database encryption is managed by our infrastructure provider. OAuth integration tokens are encrypted using AES-256-GCM with random initialization vectors and HMAC authentication tags. Encryption keys are stored securely in hosting environment configuration and never committed to source control.
2. Access Controls
- Authentication: Session-based authentication with HTTP-only cookies, managed by Supabase Auth.
- Row-Level Security: 179+ PostgreSQL RLS policies ensure users can only access their own data at the database layer.
- Application Guards: Transitive access checks verify ownership from resource to case to user on every request.
- Admin Controls: Administrator access is verified by user ID (not email) to prevent privilege escalation.
- API Security: Internal endpoints require secret-based authentication. Webhook endpoints verify HMAC-SHA256 signatures using constant-time comparison.
For full details, see our Access Control Policy.
3. Security Headers
All HTTP responses include the following protective headers:
| Header | Value | Purpose |
|---|---|---|
| X-Frame-Options | DENY | Prevents clickjacking |
| X-Content-Type-Options | nosniff | Prevents MIME-type sniffing |
| Referrer-Policy | strict-origin-when-cross-origin | Controls referrer information |
| Permissions-Policy | camera=(), microphone=(), geolocation=() | Restricts browser APIs |
| Content-Security-Policy | Restrictive policy | Limits resource loading sources |
| Strict-Transport-Security | max-age=63072000; includeSubDomains; preload | Enforces HTTPS |
4. Audit Logging
All security-relevant events are captured in a multi-layer audit logging system:
- Event Capture: Timestamp (server-generated), user ID, event type, source, risk level, and metadata.
- PII Redaction: Sensitive fields (SSN, credit card, phone, DOB, medical records, API keys, tokens) are automatically redacted before storage.
- Dual Persistence: Logs are stored in both the primary database and a Redis stream for reliability.
- Agent Audit Trail: All AI agent actions are logged separately with before/after state snapshots, risk levels, and approval status.
5. Input Validation
All user input is validated using type-safe schemas (Zod) before processing. Invalid input returns structured error responses without exposing internal system details. All database queries use parameterized statements to prevent injection attacks.
6. AI Security
- All AI outputs are wrapped in an immutable advisory compliance envelope before reaching the user interface.
- High-risk AI agent actions require explicit user approval before execution.
- A dedicated compliance engine enforces advisory mode with confidence scoring, source attribution, and explainability on every output.
- Courtroom Mode restricts AI features during live proceedings to prevent unauthorized data capture.
7. Incident Response
Verilexa maintains an incident response plan with the following severity classifications:
| Severity | Description | Response Time |
|---|---|---|
| Critical | Active data breach, PHI exposure | Within 1 hour |
| High | Suspected unauthorized access | Within 4 hours |
| Medium | Policy violation, unusual pattern | Within 24 hours |
| Low | Minor security event | Within 72 hours |
Breach notifications are issued within 60 days per HIPAA requirements.
8. Vulnerability Management
- Annual penetration testing by qualified third parties.
- Continuous automated dependency vulnerability scanning.
- Critical vulnerabilities patched within 72 hours of disclosure.
9. Business Continuity
- Automatic daily database backups managed by our infrastructure provider.
- Recovery Time Objective (RTO): 4 hours.
- Recovery Point Objective (RPO): 24 hours.
- Quarterly backup restoration testing.
10. Third-Party Security
All vendors processing data maintain appropriate security certifications. Business Associate Agreements are executed with vendors handling Protected Health Information. Vendor security posture is reviewed annually.
11. Reporting Security Issues
To report a security vulnerability or incident, contact security@verilexa.com.