
Data Flow Diagram

Diligence notice: Working state of Rōvn as of 2026-06-24 · Pre-launch by design · See 09 for receipts.

Date: 2026-05-14
Scope: End-to-end data flows for the three Rōvn surfaces: Passport (worker), facility workflow layer (facility), and Verified API + MCP (programmatic consumers).
Posture: The ASCII diagrams describe the deployed flows. Visual / poster-grade renders are a separate workstream.

PHI boundary legend: 🟥 PHI surface · 🟨 PHI-adjacent (token-scrubbed) · 🟩 zero-PHI


1. Worker onboarding flow (Passport /start)

                  WORKER (browser)
                       │
                       │  visits worker.rovn.to/start    🟩
                       ▼
            ┌─────────────────────────┐
            │   FastAPI route handler │
            │   anon_intake_session   │  🟩
            └────────────┬────────────┘
                         │
                         │  account creation
                         ▼
            ┌─────────────────────────┐
            │      AWS Cognito        │  🟨 (email + phone)
            │   AuthKit + magic link  │
            └────────────┬────────────┘
                         │
                         │  IAL2 inquiry
                         ▼
            ┌─────────────────────────┐
            │   Persona (BAA, IAL2)   │  🟥 (gov ID, selfie)
            │   persona_inquiries     │
            └────────────┬────────────┘
                         │
                         │  worker uploads license + cert images
                         ▼
            ┌─────────────────────────┐
            │   S3 PHI bucket         │  🟥 (KMS, no Object Lock,
            │   /documents/{id}       │       expirable per policy)
            └────────────┬────────────┘
                         │
                         │  OCR
                         ▼
            ┌─────────────────────────┐
            │   AWS Textract          │  🟥 (BAA, us-east-2)
            │   (text + bounding box) │
            └────────────┬────────────┘
                         │
                         │  structured extraction
                         ▼
            ┌─────────────────────────┐
            │   ai_gateway.py         │
            │   → AWS Bedrock         │  🟨 (PHI scrubbed where
            │   → Claude (Haiku 4.5)  │       possible; rest under
            │   → ai_runs row written │       AWS Bedrock BAA +
            │                         │       Anthropic BAA + ZDR)
            └────────────┬────────────┘
                         │
                         │  worker_trust_records: tier = 3 (AI-extracted)
                         ▼
            ┌─────────────────────────┐
            │   Source-verification   │
            │   rail dispatcher       │  🟨
            │   (source authority     │
            │    rails + 43-role,     │
            │    51-jurisdiction      │
            │    coverage map)        │
            └────────────┬────────────┘
                         │
                         │  per-adapter fan-out
                         │  (Nursys, state BON, NPDB, OIG, DEA,
                         │   ABMS, AMA, NPI, SAM.gov, payer
                         │   network adapters)
                         ▼
            ┌─────────────────────────┐
            │  credential_source_     │
            │  receipts row + S3      │  🟨 (vendor responses;
            │  source-receipt bucket  │       Object Lock 7y)
            │  (KMS, governance lock) │
            └────────────┬────────────┘
                         │
                         │  audit_log hash-chain append
                         ▼
            ┌─────────────────────────┐
            │  S3 audit bucket        │  🟩 (no PHI in chain payload;
            │  (Object Lock           │       only IDs + hashes)
            │   COMPLIANCE mode, 7y)  │
            └────────────┬────────────┘
                         │
                         │  tile promoted: tier = 5 (source-verified)
                         ▼
            ┌─────────────────────────┐
            │  Passport Wallet UI     │  🟨 (worker's own view)
            │  passport.rovn.to/      │
            │  wallet                 │
            └─────────────────────────┘

  Public Passport surface (worker-opt-in):
            ┌─────────────────────────┐
            │  passport.rovn.to/p/    │  🟩 (worker chose
            │  {public_slug}          │       public visibility;
            │  Zero-PHI subset        │       no DOB, no SSN, no
            │                         │       contact details)
            └─────────────────────────┘

PHI never leaves us-east-2 (single-region ECS / RDS / S3; see 07.2 AWS Infrastructure Memo) except in transit through the AI chain (AWS Bedrock under BAA → Anthropic Claude (Haiku 4.5) under BAA → Rōvn backend on ECS; see 07.3 AI Architecture) under ZDR. The public Passport surface (/p/{slug}) renders only the zero-PHI subset.


2. Facility hiring flow (facility workflow layer)

Layer note. The flow below is the facility workflow layer cockpit orchestrating facility-side workflow and reading the Rōvn network's verified output. Source verification, credentialing, recredentialing, and continuous monitoring run in the Rōvn network engine (see §1: the 36-adapter source-verification rail and the source-receipt write run on the worker's Passport, at network scale). The facility workflow layer declares demand, intakes applications, triages, runs the privileging committee surface, and reads verified Passports; it does not run the verification rail itself. The recredentialing_cycles node below is a Rōvn network function surfaced to the facility.

   FACILITY ADMIN (browser)
        │
        │  rovn.to/facility via WorkOS SSO    🟨
        ▼
   ┌────────────────────────┐
   │  facility workflow     │
   │  layer cockpit         │
   │  /facility             │
   └────────────┬───────────┘
                │
                │  declare workforce demand
                ▼
   ┌────────────────────────┐
   │  Demand monitoring     │
   │  - shortage signals    │  🟩
   │  - expiration risk     │
   │  - geo gaps            │
   └────────────┬───────────┘
                │
                │  publish role / opportunity
                ▼
   ┌────────────────────────┐
   │  Worker network apply  │  🟨 (worker consents to share
   │  worker_network_apply_ │       Passport subset with facility)
   │  and_event_spine       │
   └────────────┬───────────┘
                │
                │  AI triage (executor)
                ▼
   ┌────────────────────────┐
   │  ai_gateway.py         │
   │  → AWS Bedrock         │  🟨 (PHI under AWS Bedrock BAA
   │  → Claude (Haiku 4.5)  │       + Anthropic BAA + ZDR)
   │  → readiness summary   │
   └────────────┬───────────┘
                │
                │  privileging packet build
                ▼
   ┌────────────────────────┐
   │  role_readiness_       │
   │  packets +             │  🟥 (full PHI scope per facility
   │  compliance_binders    │       consent contract)
   └────────────┬───────────┘
                │
                │  committee review surface
                ▼
   ┌────────────────────────┐
   │  facility workflow     │
   │  layer packet UI       │
   │  - AI advisory shown   │  🟥 (committee members are
   │  - human committee     │       authenticated humans)
   │    reviews + decides   │
   └────────────┬───────────┘
                │
                │  hash-chain append (actor = human)
                ▼
   ┌────────────────────────┐
   │  decisions row +       │
   │  audit_log entry +     │  🟩 (audit payload is metadata,
   │  privileging_          │       not PHI body)
   │  recommendation_log    │
   │  reference             │
   └────────────┬───────────┘
                │
                │  recredentialing cycle scheduled
                ▼
   ┌────────────────────────┐
   │  recredentialing_      │  🟨
   │  cycles +              │
   │  expirables_reminder_  │
   │  log                   │
   └────────────────────────┘

The audit log payload deliberately omits the PHI body; the audit chain is queryable evidence, not a PHI surface.


3. Verified API consumer flow

   THIRD-PARTY APP / EHR / VENDOR
        │
        │  Bearer token (per-tenant)         🟩
        ▼
   ┌────────────────────────┐
   │  ALB + WAF             │
   │  rate-limit per token  │
   └────────────┬───────────┘
                │
                ▼
   ┌────────────────────────┐
   │  Verified API route    │
   │  /api/verify           │
   │  /api/passport         │
   └────────────┬───────────┘
                │
                │  cache check (per-source TTL)
                ▼
   ┌────────────────────────┐
   │  Source-receipts table │
   │  + S3 receipt artifact │  🟨 (worker-scoped; consumer
   │                        │       must hold consent token)
   └─────┬──────────────┬───┘
         │              │
   cache hit        cache miss
         │              │
         │              ▼
         │     ┌────────────────────┐
         │     │  Source-adapter    │
         │     │  fresh fetch       │  🟨
          │     │  (NPDB, Nursys,    │
         │     │   OIG, etc.)       │
         │     └─────────┬──────────┘
         │               │
         │               ▼
         │     ┌────────────────────┐
         │     │  Write source_     │
         │     │  receipt + audit   │
         │     │  chain entry       │
         │     └─────────┬──────────┘
         │               │
         └───────────────┴───────────► API response
                                          {
                                            tile,
                                            tier,
                                            source,
                                            source_url,
                                            source_timestamp,
                                            payload_hash,
                                            cached: true | false
                                          }

The Verified API response always carries provenance (source, URL, timestamp, hash). Cached and fresh responses are indistinguishable on the data; the only differences are the cached flag and the price.
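As an added illustration (not Rōvn's code) of two controls the diagrams rely on: the audit_log hash-chain append whose payload carries only IDs and hashes (§1, §2), and the Verified API envelope whose provenance hash is identical on a cache hit and a cache miss (§3). The field allowlist, the canonical-JSON hashing, and the sample receipt are assumptions constructed for the example.

```python
import hashlib
import json

# Assumed allowlist: only identifiers, digests and actor metadata may enter the chain payload.
AUDIT_ALLOWED = {"worker_id", "tile_id", "receipt_id", "payload_hash", "actor", "action"}
GENESIS = "0" * 64

def digest(obj) -> str:
    """Canonical JSON (sorted keys, no whitespace) so equal data always hashes equal."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

def append_audit(chain: list, payload: dict) -> dict:
    """Append one hash-chained entry; reject any field that could carry a PHI body."""
    extra = set(payload) - AUDIT_ALLOWED
    if extra:
        raise ValueError(f"fields not allowed in audit payload: {sorted(extra)}")
    prev = chain[-1]["entry_hash"] if chain else GENESIS
    entry = {"prev_hash": prev, "payload": payload}
    entry["entry_hash"] = digest({"prev_hash": prev, "payload": payload})
    chain.append(entry)
    return entry

def verify_chain(chain: list) -> bool:
    """Recompute every link; an edited payload or reordered entry breaks the chain."""
    prev = GENESIS
    for e in chain:
        if e["prev_hash"] != prev or e["entry_hash"] != digest({"prev_hash": prev, "payload": e["payload"]}):
            return False
        prev = e["entry_hash"]
    return True

def api_response(receipt: dict, cached: bool) -> dict:
    """Verified API envelope: provenance copied from the receipt; `cached` is the only hit/miss difference."""
    out = {k: receipt[k] for k in ("tile", "tier", "source", "source_url", "source_timestamp")}
    out.update(payload_hash=digest(receipt["tile"]), cached=cached)
    return out

# Constructed sample receipt (not real data; source_url is a placeholder).
RECEIPT = {"tile": {"credential": "RN license", "state": "OH", "status": "active"}, "tier": 5,
           "source": "Nursys", "source_url": "https://example.invalid/nursys",
           "source_timestamp": "2026-05-14T10:00:00Z"}

def demo():
    """Cache miss: serve fresh data and chain the receipt write; cache hit: same data, cached=True."""
    chain = []
    fresh = api_response(RECEIPT, cached=False)
    append_audit(chain, {"worker_id": "w_123", "tile_id": "t_9", "receipt_id": "r_77",
                         "payload_hash": fresh["payload_hash"], "actor": "system", "action": "receipt_write"})
    return chain, fresh, api_response(RECEIPT, cached=True)
```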


4. MCP server flow (zero-PHI)

   ANTHROPIC / MCP CLIENT
        │
        │  Bearer token (outbound)           🟩
        ▼
   ┌────────────────────────┐
   │  passport.rovn.to/mcp  │
   │  (FastAPI, same fleet) │
   └────────────┬───────────┘
                │
                │  tool: lookup_rovn_passport
                ▼
   ┌────────────────────────┐
   │  Public Passport       │
   │  surface (zero-PHI)    │  🟩 (only the public slug
   │  /p/{slug} subset      │       view is returned)
   └────────────┬───────────┘
                │
                ▼
   API consumer sees:
   - worker public slug
   - displayed name
   - displayed credentials list (tier ≥ 4)
   - source receipt count
   - last verified timestamp
   No DOB, no SSN, no contact, no PHI body.

The MCP server is intentionally a zero-PHI surface (one tool: lookup_rovn_passport). It exists to make Rōvn passports addressable from inside Claude conversations without expanding the PHI footprint. Tokens are issued from Secrets Manager and audit-logged.


5. PHI boundary summary

Surface                                              PHI?             Why
---------------------------------------------------  ---------------  ---------------------------------------------------------------------
Marketing rovn.to (Cloudflare Pages)                 🟩 zero-PHI      Static marketing only
Investor portal (separate Cloudflare Pages project)  🟩 zero-PHI      Diligence docs are not PHI
Passport /start and /wallet                          🟥 PHI           Worker uploads docs, sees own data
Passport /p/{slug} public surface                    🟩 zero-PHI      Worker-opt-in public subset
facility workflow layer cockpit                      🟥 PHI           Facility ops view worker packets
Verified API                                         🟨 PHI-adjacent  Consumer must hold consent token; responses can include scoped fields
MCP server passport.rovn.to/mcp                      🟩 zero-PHI      Single zero-PHI tool
audit_log payload body                               🟩 zero-PHI      IDs + hashes only, no PHI body
ai_runs payload body                                 🟨 PHI-adjacent  Prompt + output may include PHI under BAA + ZDR (Anthropic retains nothing)
Cloudflare edge                                      🟩 zero-PHI      Marketing only, no PHI traverses Cloudflare

6. Data egress rules

  • PHI stays in us-east-2. This is enforced by VPC endpoint policy, S3 bucket region constraints, and ECS task placement.
  • Anthropic Claude is the one cross-perimeter egress for PHI, and only under BAA + ZDR. No prompt is retained by Anthropic.
  • Cloudflare carries marketing only. No PHI surface is reverse-proxied through Cloudflare. The product surfaces are served from passport.rovn.to directly off the ALB.
  • No SaaS analytics on PHI surfaces. Worker session analytics on Passport are first-party (server-side); third-party JS tags are not present on PHI pages.
  • CSV / data export. Tenant data export is gated behind admin auth + audit-logged + scoped to that tenant's rows. No cross-tenant export path exists.

7. What this diagram does not claim

  • We do not claim Anthropic has zero exposure to PHI in transit; it sees PHI in the prompt body where unavoidable. The mitigation is the Anthropic BAA + ZDR posture and the PHI scrubber tokenizing what can be tokenized.
  • We do not claim cross-region active-active; the DR posture is cross-region cold standby today.
  • We do not claim every worker has opted into a public Passport; /p/{slug} is opt-in and most workers default to private.
  • We do not claim third-party EHRs are integrated today; the Redox + AWS HealthLake path is TARGET for the Y2 payer enrollment expansion.

End of diagram.
