Data handling

This page is a plain-English summary of what data Veridian collects, where it lives, how long it’s kept, and how it gets deleted.

What we collect

| Category | Source | Purpose |
|---|---|---|
| Practice account info | Dashboard | Authentication, support, billing. |
| API keys (fingerprint only) | Generated by Veridian | Authentication and audit. |
| Invoice identifiers, amounts | Practice API calls | Payment processing. |
| Patient first and last name | Practice API calls | Render Bridge, send receipt. |
| Bank connection (via partner) | Patient through Bridge | Initiate ACH transfer. |
| Webhook delivery logs | Generated by Veridian | Reliability and replay. |
| Audit log entries | Generated by Veridian | Tamper-evident record of actions. |

What we never collect

  • Diagnosis or procedure codes
  • Clinical notes or treatment information
  • Raw bank credentials (these stay with our bank-connection partner)
  • Card numbers (Veridian is ACH-first)

Where data lives

All Veridian production data is hosted in the United States. Sub-processors that handle PHI on our behalf are listed in our security package, available to practices on request.

Retention

| Data | Default retention |
|---|---|
| Active session records | Until terminal state. |
| Settled payment records | 7 years (financial record requirements). |
| Audit log entries | 7 years (tamper-evident). |
| Webhook delivery logs | 90 days. |
| Dashboard session/login logs | 1 year. |
| Revoked API keys (fingerprint) | Indefinite for audit reconstruction. |

Practices may request shorter retention for their data through the BAA or account contact, subject to applicable financial recordkeeping rules.

Deletion

When a practice ends its Veridian relationship:
  1. Live API keys and webhook endpoints are revoked.
  2. PHI fields are deleted on the schedule defined in the BAA (typically within 60 days of termination unless the practice requests an export first).
  3. Financial records required by law are retained for the statutory period in encrypted, access-controlled storage.
  4. Audit log entries remain for tamper-evidence, but PHI within them is minimized — we record that an action occurred, not the patient detail.

Patient-driven deletion requests are routed through the covered-entity practice per HIPAA.

Export

Practices can export their own data at any time from the dashboard or via API. Exports include sessions, payments, webhook history, and audit log for the practice.

What’s next

HIPAA

Our role as a Business Associate.

Incident response

What happens if something goes wrong.