> ## Documentation Index
> Fetch the complete documentation index at: https://docs.veridianhp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Security overview

> Veridian Motion security posture — what the app enforces vs what agencies provide.

# Security overview

Veridian Health Partners designs **Veridian Motion** for healthcare and
correctional use cases. This page summarizes what the **application enforces**
and what **hosting agencies** must provide.

<Warning>
  Veridian Motion is **HIPAA-aligned, not HIPAA-certified**. It is **not
  CJIS-authorized** or **FedRAMP-authorized**. Agencies choose hosting and
  operational controls to meet their obligations.
</Warning>

## What Veridian Motion enforces (built today)

### Access control

* **Staff:** Email + password; **TOTP MFA** (available; **enforced per deployment**); RBAC
* **Patients:** Patient ID + PIN; access limited to own data via RLS
* **Roles:** `pt`, `admin`, `it_admin` — granted only by admin
* **Brute-force lockout** on patient and staff login identifiers

### Data protection

* **Row-level security** on every Postgres table
* **Field-level PHI encryption**
* **Private photo storage**; authorized staff access only
* **No PII in browser localStorage** on kiosk; in-memory patient session
* **No PHI in application logs**
* **Hash-chained audit log** for sensitive actions

### Application hardening (kiosk)

* Blocked external navigation, strict CSP, self-hosted fonts, idle auto-reset
* Internal messaging only — no external egress

### Clinical safety gate

* AI output is **non-diagnostic** and **PT-approved** before patient release

## What agencies / facilities must provide

| Requirement                                                     | Owner                             |
| --------------------------------------------------------------- | --------------------------------- |
| BAA with covered entity                                         | Agency + Veridian Health Partners |
| **CJIS / FedRAMP / GovCloud** hosting environment (if required) | Agency                            |
| MDM kiosk lockdown, device supervision                          | Agency IT + custody               |
| Network segregation and firewall rules                          | Agency IT                         |
| Personnel screening and security training                       | Agency                            |
| Physical security of kiosk location                             | Agency                            |

## Encryption

* **In transit:** TLS for all connections
* **At rest:** Cloud provider encryption plus **field-level PHI encryption**
* **Photos:** Private storage; no public ACLs

## Audit and monitoring

Sensitive actions write to a **hash-chained, append-only audit log** (enroll,
assign, review, notes, roles, MFA reset, messages). Application logs exclude
PHI. Audit entries use resource IDs and action types — not clinical content.

## Incident response

See [Incident response](/security/incident-response).

## What's next

<CardGroup cols={2}>
  <Card title="HIPAA" icon="file-shield" href="/security/hipaa">
    Business Associate framing.
  </Card>

  <Card title="Data model & privacy" icon="lock" href="/veridian-motion/data-model-privacy">
    RLS and entities.
  </Card>

  <Card title="Roadmap" icon="map" href="/veridian-motion/roadmap">
    Planned security-related features (e.g., SSO).
  </Card>
</CardGroup>
