Trust credo
This page shows our current security and compliance posture without inflated claims or borrowed cloud badges. Use it as your first pass, then request evidence and contract redlines.
- Stack: Next.js 16, Express 5, Temporal.
- Region: DigitalOcean NYC region.
- Runtime: Docker Compose integration baseline.
- Data policy: No model training on customer data.
Certifications, attestations, and the controls behind them
We are explicit about what is in force, what is roadmap, and what is inherited from our cloud provider. Nothing is asserted that is not yet true.
- SOC 2 Type II: Program is planned. We do not represent active attestation yet.
- HIPAA BAA: BAA path is handled in signed agreements before go-live.
- ISO 27001: Cloud controls from DigitalOcean are part of infra posture, not product certification.
- State AI Disclosure: State-specific language is versioned and enforced by scenario.
- PHI-safe Runtime: PHI-sensitive voice flows route through the documented text pipeline.
- Incident Response: Escalation runbooks, owner routing, and response timelines are defined.
Where humans decide, a human decides
Policy checks are automated. Business and clinical accountability stays with people.
Policy checks
Human gates
Proof of work, not proof of talk
We publish measurable baselines and ship validation commands that any reviewer can run locally. The numbers below are targets and current baselines, not marketing projections.
- Evidence checks: 100%
- Average page latency: <450ms
- Retention baseline: 7 years
- Data encryption: SHA-256
```
docker compose up --build
pnpm lint
pnpm verify
pnpm --filter verigence-api build:openapi
pnpm --filter verigence-web gen:api
```
Every vendor. What they touch. Where it lives.
| System | Role | Data class | Region |
|---|---|---|---|
| OpenAI | Realtime voice, transcription, and reasoning | PII / PHI | Per OpenAI enterprise terms |
| DigitalOcean Managed PostgreSQL | Structured event storage | PII / PHI | NYC region |
| Clerk | Admin identity | Operator identity | US |
| GitHub Actions | CI and policy checks | Source metadata | US |
If something goes wrong, we tell you fast
- Critical incidents acknowledged inside 1 hour.
- Initial containment update within 4 hours.
- Customer-facing summary and timeline with owner handoff.
HIPAA is not a certification program. SOC 2 remains roadmap until complete. Statements on this page reflect live posture, contract-bound controls, and roadmap items — no borrowed cloud badges.
What procurement usually asks us
Can we claim you are HIPAA certified?
No. HIPAA is not a certification program. We support HIPAA-aligned controls and BAA-backed operations.
Do you have SOC 2 right now?
Not yet. SOC 2 Type II is in the roadmap and will be published after completion.
Can we get architecture evidence during review?
Yes. We provide architecture flow, control posture, and contract boundary walkthroughs during procurement.
Can we constrain to US-only data handling?
Yes for structured storage on DigitalOcean Managed PostgreSQL in the selected US region. Voice runtime hits OpenAI under their enterprise terms — region constraints depend on the contract tier and are confirmed during procurement.