Security

Every record guarded.Every access logged.

SOC 2 Type I attested, HIPAA safeguards monitored daily, and a Business Associate Agreement in effect from the moment your firm signs up. This is security you can hand to your IT reviewer.

Compliance

Attested, not asserted.

An external auditor has examined our controls, and automated monitoring re-checks them every day across our cloud, code, and workforce.

Independently Examined

Audited by Outsiders. Checked Every Day.

Verdica completed its SOC 2 Type I examination in June 2026, and the Type II observation period is already underway. Between audits, Vanta continuously monitors our Azure infrastructure, GitHub, Google Workspace, and Slack against the full control set.

SOC 2 Type I attested by an external auditor
SOC 2 Type II observation period in progress
HIPAA safeguards monitored daily, all controls passing
BAA in effect automatically from signup
Infrastructure

Isolated byarchitecture.

Verdica runs on Microsoft Azure’s U.S. cloud. These aren’t aspirations; each one is the current, verified configuration of our production environment.

U.S. Soil, Full Stop.

Compute, database, storage, and AI all run in U.S. Azure regions. Client records never leave the country, and never leave Microsoft's HIPAA-eligible cloud.

Encrypted, Resting or Moving.

AES-256-GCM authenticated encryption at rest and TLS in transit, with HTTPS-only storage and public blob access disabled.

Isolated Networks.

The application and database live on segregated virtual-network subnets behind their own security groups, with network flow logs retained.

Keys Under Lock.

Secrets live in Azure Key Vault behind role-based access, with soft delete and purge protection. No credentials live in code or config files.

Backups That Rewind.

The production database keeps 35 days of automated point-in-time backups, so any moment in the last five weeks is recoverable.

Watched Around the Clock.

Centralized logging with automated alerts on failed administrative operations, network security changes, and service availability.

In the Application

Guardrails on every action.

Infrastructure protects the perimeter. These controls protect every session, query, and file inside it, each one verified in the codebase.

Sessions That Expire.

Sessions time out after one hour of inactivity (with an in-app warning first), and repeated failed logins lock the account out. Passwords are stored only as bcrypt hashes.

Four Roles, No Skeleton Keys.

Role-based access control with per-case authorization checks on every action, and every query scoped to your firm's identifier at the data layer. One firm can never see another's records.

An Audit Log No One Can Edit.

Every access and change is logged, then mirrored hourly to write-once storage under a locked seven-year retention policy. Not even Verdica administrators can alter it. Export to CSV anytime.

Your Data, Your Exit.

Firm admins can export complete case data in one click. Records are retained seven years by default, configurable by your firm, with a 90-day export window if you ever leave.

AI & Your Data

Your PHI nevertrains a model.

AI is how Verdica reads records and drafts demands, so how the AI handles your clients’ data matters as much as where it’s stored.

Our Tenant, Not the Public API.

Every AI call runs on Azure OpenAI inside Verdica's own U.S. tenant, covered by the same Azure safeguards as your documents. Nothing touches the public OpenAI API.

Never Trained on Your Records.

Verdica will not use PHI to train, fine-tune, or improve AI models without your firm's explicit written consent. It's a contractual commitment in the BAA, not a settings toggle.

Every Call on the Record.

Each AI operation is logged with its model and purpose, and every output is checked against source documents before it reaches a demand letter.

How outputs are verified before they reach your letterhead (identity gates, cross-checks, and the defensibility report) lives on the Services page.

Process & Paper

The part your IT reviewer asks for.

Nineteen approved security policies on an annual review cycle, and written commitments your firm can hold us to. Questions? Reach us at privacy@verdicatech.com.

Policy Program
Incident Response + HIPAA Breach AddendumBusiness Continuity & Disaster RecoveryAccess ControlCryptographySecure DevelopmentData ManagementRisk ManagementThird-Party Management
Written Commitments
Breach notification within 30 days, in writing
Named subprocessors: Microsoft Azure and Stripe. Nobody else touches your data
BAA applies automatically at signup; no separate signature required
SOC 2 report available to firms under review
Get Started

Ready to transform your case preparation?

See how Verdica's AI-powered platform analyzes case documents, generates complete demand packages, and helps improve settlement outcomes, all in minutes.