Effective Date: March 28, 2026  |  Version 1.0

Information Security Policy

Verilexa maintains a comprehensive information security program designed to protect the confidentiality, integrity, and availability of all systems and data. This policy describes our security controls and practices in support of SOC 2 and HIPAA compliance.

1. Encryption

In Transit

All data transmitted between clients and servers is encrypted using TLS 1.2 or higher. HTTP Strict Transport Security (HSTS) is enforced with a 2-year max-age, including subdomains, with preload enabled.

At Rest

Database encryption is managed by our infrastructure provider. OAuth integration tokens are encrypted using AES-256-GCM with random initialization vectors and HMAC authentication tags. Encryption keys are stored securely in hosting environment configuration and never committed to source control.

2. Access Controls

  • Authentication: Session-based authentication with HTTP-only cookies, managed by Supabase Auth.
  • Row-Level Security: 179+ PostgreSQL RLS policies ensure users can only access their own data at the database layer.
  • Application Guards: Transitive access checks verify ownership from resource to case to user on every request.
  • Admin Controls: Administrator access is verified by user ID (not email) to prevent privilege escalation.
  • API Security: Internal endpoints require secret-based authentication. Webhook endpoints verify HMAC-SHA256 signatures using constant-time comparison.

For full details, see our Access Control Policy.

3. Security Headers

All HTTP responses include the following protective headers:

HeaderValuePurpose
X-Frame-OptionsDENYPrevents clickjacking
X-Content-Type-OptionsnosniffPrevents MIME-type sniffing
Referrer-Policystrict-origin-when-cross-originControls referrer information
Permissions-Policycamera=(), microphone=(), geolocation=()Restricts browser APIs
Content-Security-PolicyRestrictive policyLimits resource loading sources
Strict-Transport-Securitymax-age=63072000; includeSubDomains; preloadEnforces HTTPS

4. Audit Logging

All security-relevant events are captured in a multi-layer audit logging system:

  • Event Capture: Timestamp (server-generated), user ID, event type, source, risk level, and metadata.
  • PII Redaction: Sensitive fields (SSN, credit card, phone, DOB, medical records, API keys, tokens) are automatically redacted before storage.
  • Dual Persistence: Logs are stored in both the primary database and a Redis stream for reliability.
  • Agent Audit Trail: All AI agent actions are logged separately with before/after state snapshots, risk levels, and approval status.

5. Input Validation

All user input is validated using type-safe schemas (Zod) before processing. Invalid input returns structured error responses without exposing internal system details. All database queries use parameterized statements to prevent injection attacks.

6. AI Security

  • All AI outputs are wrapped in an immutable advisory compliance envelope before reaching the user interface.
  • High-risk AI agent actions require explicit user approval before execution.
  • A dedicated compliance engine enforces advisory mode with confidence scoring, source attribution, and explainability on every output.
  • Courtroom Mode restricts AI features during live proceedings to prevent unauthorized data capture.

7. Incident Response

Verilexa maintains an incident response plan with the following severity classifications:

SeverityDescriptionResponse Time
CriticalActive data breach, PHI exposureWithin 1 hour
HighSuspected unauthorized accessWithin 4 hours
MediumPolicy violation, unusual patternWithin 24 hours
LowMinor security eventWithin 72 hours

Breach notifications are issued within 60 days per HIPAA requirements.

8. Vulnerability Management

  • Annual penetration testing by qualified third parties.
  • Continuous automated dependency vulnerability scanning.
  • Critical vulnerabilities patched within 72 hours of disclosure.

9. Business Continuity

  • Automatic daily database backups managed by our infrastructure provider.
  • Recovery Time Objective (RTO): 4 hours.
  • Recovery Point Objective (RPO): 24 hours.
  • Quarterly backup restoration testing.

10. Third-Party Security

All vendors processing data maintain appropriate security certifications. Business Associate Agreements are executed with vendors handling Protected Health Information. Vendor security posture is reviewed annually.

11. Reporting Security Issues

To report a security vulnerability or incident, contact security@verilexa.com.