SOC 2 Type I attested, HIPAA safeguards monitored daily, and a Business Associate Agreement in effect from the moment your firm signs up. This is security you can hand to your IT reviewer.
An external auditor has examined our controls, and automated monitoring re-checks them every day across our cloud, code, and workforce.
Verify live at trust.verdicatech.com
Verdica completed its SOC 2 Type I examination in June 2026, and the Type II observation period is already underway. Between audits, Vanta continuously monitors our Azure infrastructure, GitHub, Google Workspace, and Slack against the full control set.
Verdica runs on Microsoft Azure’s U.S. cloud. These aren’t aspirations; each one is the current, verified configuration of our production environment.
Compute, database, storage, and AI all run in U.S. Azure regions. Client records never leave the country, and never leave Microsoft's HIPAA-eligible cloud.
AES-256-GCM authenticated encryption at rest and TLS in transit, with HTTPS-only storage and public blob access disabled.
The application and database live on segregated virtual-network subnets behind their own security groups, with network flow logs retained.
Secrets live in Azure Key Vault behind role-based access, with soft delete and purge protection. No credentials live in code or config files.
The production database keeps 35 days of automated point-in-time backups, so any moment in the last five weeks is recoverable.
Centralized logging with automated alerts on failed administrative operations, network security changes, and service availability.
Infrastructure protects the perimeter. These controls protect every session, query, and file inside it, each one verified in the codebase.
Sessions time out after one hour of inactivity (with an in-app warning first), and repeated failed logins lock the account out. Passwords are stored only as bcrypt hashes.
Role-based access control with per-case authorization checks on every action, and every query scoped to your firm's identifier at the data layer. One firm can never see another's records.
Every access and change is logged, then mirrored hourly to write-once storage under a locked seven-year retention policy. Not even Verdica administrators can alter it. Export to CSV anytime.
Firm admins can export complete case data in one click. Records are retained seven years by default, configurable by your firm, with a 90-day export window if you ever leave.
AI is how Verdica reads records and drafts demands, so how the AI handles your clients’ data matters as much as where it’s stored.
Every AI call runs on Azure OpenAI inside Verdica's own U.S. tenant, covered by the same Azure safeguards as your documents. Nothing touches the public OpenAI API.
Verdica will not use PHI to train, fine-tune, or improve AI models without your firm's explicit written consent. It's a contractual commitment in the BAA, not a settings toggle.
Each AI operation is logged with its model and purpose, and every output is checked against source documents before it reaches a demand letter.
How outputs are verified before they reach your letterhead (identity gates, cross-checks, and the defensibility report) lives on the Services page.
Nineteen approved security policies on an annual review cycle, and written commitments your firm can hold us to. Questions? Reach us at privacy@verdicatech.com.
See how Verdica's AI-powered platform analyzes case documents, generates complete demand packages, and helps improve settlement outcomes, all in minutes.