Rōvn · Investor Room
Compliance & Security

Compliance Binder

Diligence notice: working state of Rōvn as of 2026-06-24 · Pre-launch by design. See 09 for receipts.

Date: 2026-05-14 Posture: Pre-launch. Compliance trajectory active and evidenced; no certificates yet claimed that we don't actually hold.


1. SOC 2

SOC 2 Type II: IN PROGRESS with Drata; evidence collection running and observation window open. Report target Q3 2027, after the observation window closes.
Drata platform: Active; continuous evidence collection running.
Auditor selection: Drata-paired CPA firm; engagement available on request through diligence-room access.
Trust Services Criteria scope: Security, Availability, Confidentiality (Privacy + Processing Integrity in scope for Type II).

Do NOT claim: SOC 2 certified, SOC 2 Type II certificate (SOC 2 is an attestation report, not a certification), "147 of 152 controls implemented" (that's a control-count flex; Drata reports a percentage in progress, not a fixed denominator). Do not claim "SOC 2 Type I in progress"; Rōvn is pursuing Type II directly with Drata.

Do claim: SOC 2 Type II in progress with Drata (06.3 SOC 2 Type II Plan: auditor selected, controls in implementation); observation window underway; report target Q3 2027; controls implemented and continuously monitored across security/availability/confidentiality.


2. HIPAA

Posture: HIPAA-aligned (06.2 HIPAA Posture Memo: canonical procurement-safe phrasing, not 'compliant' / not 'certified'). BAA available for eligible workflows (06.4 Vendor BAA Matrix; customer BAA template at 08.9).
AWS BAA: Executed at account level (us-east-2; 07.2 AWS Infrastructure Memo: single-region ECS / RDS / S3 in us-east-2, HIPAA-eligible services only).
AI chain: AWS Bedrock under BAA → Anthropic Claude (Haiku 4.5) under BAA → Rōvn backend on ECS under BAA (07.3 AI Architecture; Haiku 4.5 chosen for cost + latency + BAA chain). Anthropic BAA also executed for the Opus 4.7 advisor via beta tool. ZDR-eligible.
Persona BAA: Executed, for IAL2 identity verification.
Checkr BAA: Executed, for background checks.
Drata BAA: Executed, for the compliance evidence platform.
WorkOS: BAA terms in standard agreement (no PHI passes through WorkOS in normal flow; it is the auth federation layer).
Stripe: PCI compliance only; no PHI passes through Stripe (billing metadata only).
Sentry: Scrubbing enabled on PHI fields; no direct PHI fields transmitted; BAA terms TBD if any PHI inadvertently traverses.
Customer BAA: Template available (07_legal/CUSTOMER_BAA_TEMPLATE.pdf).

Do NOT claim: HIPAA "certified" (HIPAA does not issue certifications), "0 PHI breaches" (we have no paying-customer production traffic yet, so this is technically true but misleading).

Do claim: HIPAA-aligned architecture (06.2 HIPAA Posture Memo: canonical procurement-safe phrasing, not 'compliant' / not 'certified'); BAA executed across AWS, Anthropic, Persona, Checkr, Drata; customer-facing BAA template available; sub-processor flow-down disclosed in SUB_PROCESSOR_REGISTRY.md.


3. NCQA CVO (Credential Verification Organization)

Alignment work: IN PROGRESS. Architecture meets NCQA Ideal Credentialing 2024 continuous-monitoring requirements.
Filing: Not yet filed. Filing scheduled after the SOC 2 Type II report is issued.
11 NCQA-required verification elements: architecture covers all 11; per-source receipt tier-labeled.
Continuous monitoring requirement: Architectural pattern in place (Nursys e-Notify live; NPDB QRXS account live; OIG / SAM adapters live).

Do NOT claim: NCQA Certified, NCQA CVO Certified, NCQA filed.

Do claim: NCQA-aligned, not certified (06.8 NCQA CVO Trajectory; Ideal Credentialing 2024); continuous monitoring infrastructure operational; certification filing scheduled post SOC 2 Type II report.


4. Joint Commission / CMS surveyor PSV (Primary Source Verification)

PSV architecture: READY. Every verification produces a source receipt with source name, URL, timestamp, hash, and tier label.
Source receipt store: migrations 032, 062, 068; schema LIVE, ingest PARTIAL.
Joint Commission / CMS surveyor-ready (06.7 Compliance Binder: surveyor-ready evidence chain): Rōvn is infrastructure, not a directly-surveyed entity. Customer facilities carry their own Joint Commission accreditation and use Rōvn's PSV evidence to satisfy their survey. The PSV-evidence rail is what is surveyor-ready.

Do NOT claim: Joint Commission Accredited, or any "Joint Commission / CMS surveyor accredited" phrasing (Rōvn is not a hospital; the Joint Commission does not directly accredit infrastructure vendors at this level. Rōvn is Joint Commission / CMS surveyor-ready (06.7 Compliance Binder: surveyor-ready evidence chain), not surveyed).

Do claim: PSV-evidence architecture covering source name, URL, timestamp, hash, and tier label per verification; supports customer facilities' Joint Commission / CMS survey requirements.
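The receipt shape described in this section, as an added illustration written for this editorial pass (it is not Rōvn's code, schema, or migration content). The binder fixes only the five fields; everything else here is an assumption: the JSON field names, the tier vocabulary (primary / secondary / self_reported), and the hashing scheme, which records a SHA-256 of the fetched bytes and then a second SHA-256 over the canonical JSON of all other fields so that a later edit to the timestamp, URL or tier is detectable. The sample lookup body and URL are constructed placeholders.

```python
"""Tamper-evident PSV source receipt: added example, not Rōvn's code.

Assumptions (not stated in the binder): the field names below, the tier
vocabulary, and the two-level hash (content hash over the fetched bytes,
receipt hash over the canonical JSON of every other field).
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Any, Dict, Optional

# Assumed tier labels; the binder only says receipts are "tier-labeled".
TIERS = {"primary", "secondary", "self_reported"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(fields: Dict[str, Any]) -> bytes:
    # Sorted keys and fixed separators so the same fields always hash
    # identically, however the JSON is stored or pretty-printed later.
    return json.dumps(fields, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def make_receipt(source_name: str, url: str, tier: str, fetched_body: bytes,
                 fetched_at: Optional[datetime] = None) -> Dict[str, Any]:
    """Build a receipt for one primary-source fetch."""
    if tier not in TIERS:
        raise ValueError(f"unknown tier label: {tier!r}")
    fetched_at = fetched_at or datetime.now(timezone.utc)
    if fetched_at.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    receipt: Dict[str, Any] = {
        "source_name": source_name,
        "url": url,
        "timestamp": fetched_at.isoformat(),
        "tier": tier,
        "content_sha256": sha256_hex(fetched_body),
    }
    # The receipt hash binds all metadata together; it is computed last.
    receipt["receipt_sha256"] = sha256_hex(canonical(receipt))
    return receipt


def verify_receipt(receipt: Dict[str, Any],
                   fetched_body: Optional[bytes] = None) -> bool:
    """True only if the metadata is unmodified and, when the archived body
    is supplied, it still matches the hash recorded at fetch time."""
    expected = receipt.get("receipt_sha256")
    if not isinstance(expected, str):
        return False
    fields = {k: v for k, v in receipt.items() if k != "receipt_sha256"}
    if sha256_hex(canonical(fields)) != expected:
        return False
    if fetched_body is not None and \
            sha256_hex(fetched_body) != fields.get("content_sha256"):
        return False
    return fields.get("tier") in TIERS


# Constructed sample: a stand-in for a state-board license lookup page.
SAMPLE_BODY = (b"<html><body>License RN-000000 ACTIVE, expires 2027-01-31"
               b"</body></html>")
SAMPLE_URL = "https://example.invalid/board/lookup?lic=RN-000000"  # placeholder
FIXED_TS = datetime(2026, 5, 14, 12, 0, 0, tzinfo=timezone.utc)


def demo_receipt() -> Dict[str, Any]:
    return make_receipt("Example State Board of Nursing", SAMPLE_URL,
                        "primary", SAMPLE_BODY, FIXED_TS)


def tampered_timestamp(receipt: Dict[str, Any]) -> Dict[str, Any]:
    # The surveyor's worst case: a verification back-dated after the fact.
    copy = dict(receipt)
    copy["timestamp"] = "2026-01-01T00:00:00+00:00"
    return copy


if __name__ == "__main__":
    r = demo_receipt()
    print(json.dumps(r, indent=2))
    print("intact:", verify_receipt(r, SAMPLE_BODY))
    print("back-dated:", verify_receipt(tampered_timestamp(r), SAMPLE_BODY))
    print("body changed:", verify_receipt(r, SAMPLE_BODY + b"\n"))
```

The point for a surveyor is the second hash: a content hash alone proves what the source said, but not when it was fetched or from which URL; binding the timestamp, URL and tier into the receipt hash is what makes back-dating or re-tiering a verification detectable, provided the receipt hashes themselves are kept somewhere the application write path cannot rewrite.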


5. Other regulatory alignment

CMS billing / privileging: Aligned via privileging.py + OPPE/FPPE tables. Reduces facility recoupment risk for unprivileged providers.
State Board of Nursing (NPA): Per-state adapter pattern (50 states plus DC coverage map). Enforces state-specific license-status truth.
GDPR: Not currently in scope. US-only operations; will revisit if EU expansion.
CCPA: Aligned. Worker-owned data model; consent UX in progress (consent_events table TARGET).
ONC HTI-1: Not in scope at infrastructure level. Customer EHR vendors carry this.
FedRAMP: Not pursued at this stage. Commercial sector focus first.
HITRUST CSF: Self-assessment scheduled Months 6-12. Customer pull dependent.

6. Customer BAA flow-down

When a customer signs a BAA with Rōvn, the BAA cascades downstream to:

  • AWS (already BAA-executed; covers AWS Bedrock Claude executor traffic, per 07.3 AI Architecture: AWS Bedrock under BAA → Anthropic Claude Haiku 4.5 under BAA → Rōvn ECS)
  • Anthropic (already BAA-executed; covers Claude model provider relationship + Opus 4.7 advisor beta tool)
  • Persona (already BAA-executed)
  • Checkr (already BAA-executed)
  • WorkOS (BAA terms in standard agreement)
  • Drata (already BAA-executed)

Sentry: PHI scrubbing engaged; BAA terms updated if any PHI is inadvertently observed, monitored quarterly.

Stripe: no PHI passes through Stripe (metadata only).

Full cascade narrative in 07_legal/SUB_PROCESSOR_FLOW_DOWN.md.


7. Compliance evidence packaging

For each enterprise pilot conversation, Rōvn provides:

  1. SOC 2 Type II audit progress report (Drata as-of date)
  2. HIPAA BAA template for execution
  3. Sub-processor list with BAA status per vendor
  4. Architecture overview (this data-room engineering binder)
  5. Source-receipt audit sample (anonymized)
  6. Pentest summary (TARGET; scheduled Q4 2026)
  7. Incident response runbook (this data-room runbook)

This pack is the procurement spine.


8. What we DO NOT do

  • We do not store PHI in non-HIPAA-eligible regions
  • We do not transmit PHI to Sentry, Stripe, or other non-BAA vendors
  • We do not allow AWS root account access to PHI buckets (IAM-enforced; since identity-based IAM policies do not bind the root user, a control like this has to live in a bucket-policy explicit deny or an organization SCP)
  • We do not make any credentialing, privileging, hiring, or clinical decision via AI (doctrine: human decision authority per master strategy §3 Golden Rule)
  • We do not retain raw OCR document content beyond what verification and the 7-year audit window require
  • We do not sell, share, or analytically reuse worker PHI

9. Open compliance items

  • SOC 2 Type II evidence package distribution to design-partner facilities, Q3 2026 target (interim "audit in progress" letter); final SOC 2 Type II report target Q3 2027
  • NCQA CVO filing, post-SOC 2 Type II report
  • HITRUST CSF Level 1, Month 6-12 self-assessment, customer-pull dependent
  • Pentest Q4 2026
  • Worker consent UX (consent_events table population), TARGET to LIVE Months 0-6 of post-close roadmap

End of compliance binder.
