Conceptual Healthcare
CH · Trust

We hold patient health data. We treat it like patient health data.

HIPAA. SOC 2. HITRUST in flight. Audit logs you can read. Encryption you can verify.

Posture

Compliance, in flight.

HIPAA Compliant
Every PHI surface — clinical, datavault, pharmacy, app — under BAA. Encryption-at-rest. Audit log on every access.
SOC 2 Type II
Required before enterprise pilot. Active engagement with auditor. Targeted Q3.
HITRUST CSF
Roadmap to certification by year two. Architecture chosen today is HITRUST-compatible.
FERPA
Conceptual Health University coursework treated under FERPA from day one.
Encryption

Even we can't read them.

Datavault — patient-side
AES-256-GCM. libsodium. Keys live on your devices. We never hold them.
Server-side at rest
All clinical data tables encrypted at rest. KMS-managed envelope keys per tenant.
Network in transit
TLS 1.2+. HSTS forced. PFS. mTLS between services.
Conceptual Health Root CA
Our own private CA for the .hc TLD. Public root for everything else.
Audit

Every access. Logged. Tamper-evident.

Append-only
Hash-chained audit log. Every access leaves a record that cannot be quietly removed.
Patient-readable
You can read your own access log. Who accessed what, when, under whose grant.
Subpoena policy
We honor lawful process. We notify you unless legally prohibited. Most data we cannot decrypt regardless.
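
How a hash-chained log makes a removed or altered access record detectable, as an added example that is not Conceptual Health's code. The record fields follow the "who accessed what, when, under whose grant" description above; SHA-256, the JSON layout and all sample values are assumptions constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed starting value for an empty chain

def _digest(prev_hash, entry):
    # Canonical JSON so an unchanged entry always hashes to the same bytes.
    body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def append(log, who, what, when, grant):
    """Add one access record bound to the hash of the record before it."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"who": who, "what": what, "when": when, "grant": grant}
    log.append({"entry": entry, "prev": prev, "hash": _digest(prev, entry)})
    return log[-1]["hash"]

def verify(log, expected_head=None):
    """Return (ok, index of the first record that breaks the chain, or None)."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["prev"] != prev or rec["hash"] != _digest(prev, rec["entry"]):
            return False, i
        prev = rec["hash"]
    # Dropping records from the tail, or rewriting the whole chain, still
    # yields a self-consistent log. Only a head hash kept outside the log
    # writer's control (expected_head) exposes that.
    if expected_head is not None and prev != expected_head:
        return False, len(log)
    return True, None

def build_sample():
    """Constructed sample log; names, paths and grant ids are made up."""
    log = []
    append(log, "dr.lee", "labs/2024-03", "2024-03-02T09:14:00Z", "grant-17")
    append(log, "billing-svc", "claims/881", "2024-03-02T09:20:41Z", "grant-04")
    head = append(log, "dr.lee", "rx/5521", "2024-03-03T16:02:10Z", "grant-17")
    return log, head

if __name__ == "__main__":
    log, head = build_sample()
    print(verify(log, head))            # intact chain
    del log[1]                          # quietly remove one access record
    print(verify(log, head))            # chain breaks at the gap
```

A reader checking their own access log needs the head hash from a source the log writer cannot modify; without it, verification only proves internal consistency.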
The mathematical foundation of Conceptual Health®
CH = (S × Sp)C × (T + E)p × (ER × RS)(C/3)
U.S. Patent Pending 63/921,717