A self-serve diligence checklist, five tracks (Legal · Financial · Technical · Security · Compliance) each with an honest LIVE / PARTIAL / TARGET label. Every green check links to the document or proof in this room.
Legal
- Delaware C-Corp incorporation (LLC-to-C-Corp conversion in progress) → 03.5
- Bylaws + Stockholders Agreement templates → 08.1, 08.2
- IP Assignment + Option Plan templates → 08.3, 08.4
- 83(b) elections within 30 days of share issuance → founder critical-path
- ToS, Privacy, DPA, MSA, BAA templates → 08 Legal
- Diligence Notice + sub-processor flow-down → 08.11, 08.12
Financial
Technical
Security
- Security posture overview → 06.1
- STRIDE threat model (spoofing / tampering / repudiation / info-disclosure / DoS / elevation) → 06.9
- Incident response runbook → 06.10
- Sub-processor registry → 06.11
- SOC 2 Type II in progress with Drata (auditor selected, controls in implementation), target Q3 2026, NOT YET CERTIFIED
- SOC 2 Type II target Q3 2027
- External pentest scheduled Q4 2026
Compliance
- HIPAA posture memo (HIPAA-aligned · BAA available) → 06.2
- AWS BAA executed → 06.4
- AI chain: AWS Bedrock under BAA → Anthropic Claude (Haiku 4.5) under BAA → Rōvn backend on ECS under BAA (07.3 AI Architecture; Haiku 4.5 chosen for cost + latency + BAA chain)
- Sub-processor BAAs (Persona, Checkr, WorkOS)
- AI Doctrine + governance memo → 04.4
- Data flow diagram → 06.6
- NCQA CVO trajectory (alignment in progress, not filed) → 06.8
- SOC 2 plan → 06.3
Procurement-safe phrasing reminder
Say: HIPAA-aligned · BAA available (canonical procurement-safe phrasing per 06.2 HIPAA Posture Memo: not 'compliant', not 'certified'; customer BAA template at 08.9). Never say: HIPAA-aligned, HIPAA-aligned, SOC 2 Type II in progress (until issued), NCQA-aligned (not certified) CVO trajectory (until filed), Joint Commission / CMS surveyor validated. The customer carries their own Joint Commission / CMS surveyor accreditation; Rōvn supplies the PSV evidence rail.