How We Protect Veteran Data
Your claims data is sensitive. Vet100 treats it that way — with encryption, access controls, audit logging, and NIST 800-53 security controls.
AES-256 Encryption
HIPAA BAA Infrastructure
NIST 800-53 Controls
Why Security Matters for Veteran Data
VA disability claims contain some of the most sensitive information a person has: medical diagnoses, service records, financial details, and personal identifiers. Veterans deserve to know exactly how their data is stored, who can access it, and what protections are in place.
Vet100 was built with security as a foundational requirement — not an afterthought.
Data Storage Model
Claims Data — Local on Device
Your claims data (conditions, ratings, notes, C&P prep answers) is stored locally on your device by default. This means your data stays with you — it is not sitting on a server waiting to be breached. When you use the app offline, everything works because the data is already on your phone or computer.
Documents — AWS S3 with HIPAA BAA
When you upload documents (medical records, DD-214, buddy letters, DBQs), they are stored in AWS S3 buckets operating under a signed HIPAA Business Associate Agreement (BAA). This means AWS contractually agrees to safeguard the underlying infrastructure according to HIPAA security standards. The BAA covers AWS's side of that responsibility; configuring the buckets themselves securely (access policies, encryption settings, logging) remains Vet100's responsibility, and the controls described below are how that is done.
Encryption
- At rest: All stored documents are encrypted with AES-256 server-side encryption, with the encryption keys held in AWS Key Management Service (SSE-KMS). The keys are managed by AWS and rotated automatically.
- In transit: All data transmitted between your device and Vet100 servers is encrypted using TLS 1.2+ (Transport Layer Security). Nothing travels between your device and Vet100 servers unencrypted.
Authentication & Access Control
- Supabase JWT authentication: User sessions are managed with industry-standard JSON Web Tokens, signed and verified server-side.
- Row-Level Security (RLS): Every database query made on behalf of a signed-in user is filtered by that user's ID at the database level, by policies attached to the tables themselves. Even if application code had a bug, the database prevents one user's queries from returning or modifying another user's rows. The policies apply to queries run as the signed-in user; any server-side code that connects with a privileged key is outside their scope and has to enforce the same ownership check itself.
- IDOR protection: Insecure Direct Object Reference attacks are blocked. Because ownership is checked per row in the database rather than only by the ID in the URL or form you submitted, guessing or modifying an ID in a request returns nothing that does not belong to you.
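Here is what that protection looks like at the database layer, as an added example rather than Vet100's own schema or policies. It uses Supabase's Postgres conventions, where `auth.uid()` returns the user ID from the verified JWT and `authenticated` is the role signed-in users query as; the `claims` table, its columns and the user IDs in the final check are hypothetical.

```sql
-- Added example, not Vet100's schema: a per-user claims table on Supabase/Postgres
-- with Row-Level Security so every query is scoped to the caller's user ID.
-- Table and column names are hypothetical.

create table if not exists public.claims (
  id          uuid primary key default gen_random_uuid(),
  user_id     uuid not null default auth.uid()
              references auth.users (id) on delete cascade,
  condition   text not null,
  rating      integer check (rating between 0 and 100),
  created_at  timestamptz not null default now()
);

-- Without this, no policy is applied and any authenticated caller who guesses
-- a row's id can read or change another user's row (classic IDOR).
alter table public.claims enable row level security;
-- Apply the policies to the table owner as well (roles with BYPASSRLS,
-- such as Supabase's service_role, still bypass them).
alter table public.claims force row level security;

-- One policy per command. USING filters which rows are visible or affected;
-- WITH CHECK rejects writes that would put a row into another user's account.
create policy claims_select_own on public.claims
  for select to authenticated
  using ((select auth.uid()) = user_id);

create policy claims_insert_own on public.claims
  for insert to authenticated
  with check ((select auth.uid()) = user_id);

create policy claims_update_own on public.claims
  for update to authenticated
  using ((select auth.uid()) = user_id)
  with check ((select auth.uid()) = user_id);

create policy claims_delete_own on public.claims
  for delete to authenticated
  using ((select auth.uid()) = user_id);

-- Sanity check from the SQL editor: impersonate one user for a single
-- transaction and query for another user's rows by their id.
-- The "sub" value and the second user id below are constructed.
begin;
set local role authenticated;
select set_config('request.jwt.claims',
  '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}',
  true);
select id, condition, rating
  from public.claims
 where user_id = '22222222-2222-2222-2222-222222222222';
rollback;
```

The final query returns no rows rather than an error, which is what makes guessed or tampered IDs useless: the policy silently filters out everything the caller does not own. The caveat to keep in mind is the one in the comments: Supabase's service_role key bypasses RLS, so any backend code using it must apply the same `user_id` check in its own queries.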
NIST 800-53 Controls Implemented
Vet100 implements key controls from the NIST 800-53 security framework, the same standard used by federal agencies:
- AC-2 (Account Management): User accounts are provisioned, managed, and can be deleted with a 7-day grace period for recovery.
- AU-2 (Audit Events): Security-relevant events are logged via AWS CloudTrail, including access attempts, authentication events, and data modifications.
- IA-2 (Identification & Authentication): All users must authenticate before accessing protected resources. Multi-factor authentication is supported.
- SC-8 (Transmission Confidentiality): All data in transit is protected by TLS 1.2+ encryption.
- SC-28 (Protection of Information at Rest): All stored data is encrypted using AES-256 server-side encryption.
Network Security
- Cloudflare WAF: A Web Application Firewall filters malicious traffic, blocks common attack patterns, and provides DDoS protection.
- Rate limiting: API endpoints are rate-limited to prevent abuse and to slow brute-force attempts against logins to a crawl.
- CORS policy: Cross-Origin Resource Sharing is restricted to authorized domains only, so a script running on another website cannot read responses from the Vet100 API in your browser.
- CSP headers: Content Security Policy headers restrict which scripts and other resources the browser may load on Vet100 pages, which limits what a cross-site scripting (XSS) or code injection payload could do if one ever got past input validation.
Your Rights
Account Deletion
You can delete your account at any time. There is a 7-day grace period in case you change your mind. After 7 days, your data is permanently deleted from all systems.
Data Export
You have the right to export your data. Vet100 provides data export functionality so you can take your information with you at any time.
Transparent Disclosure
In the interest of full transparency:
- Vet100 is not affiliated with the VA — it is an independent platform built by a veteran for veterans.
- Vet100 is not a HIPAA-covered entity — however, we voluntarily use HIPAA-eligible infrastructure (AWS with signed BAA) for document storage because it is the right thing to do.
- Vet100 does not sell your data: your information is never sold or shared with third parties for marketing. The only outside parties that handle it are the infrastructure providers named on this page (AWS, Supabase, Cloudflare), and only as part of running the service.
Frequently Asked Questions
- Is my data encrypted?
- Yes. Documents stored in S3 are encrypted at rest with AES-256 server-side encryption, and all data in transit is encrypted with TLS 1.2+. Claims data stored locally on your device is protected by your device's native encryption, so keep device encryption and a screen lock or passcode enabled.
- Can other users see my data?
- No. Row-Level Security (RLS) at the database level ensures every query made as a signed-in user is scoped to that user's ID, so a bug in the application code that issues those queries cannot expose other users' data.
- What happens if I delete my account?
- You have a 7-day grace period to recover your account. After 7 days, all data associated with your account is permanently deleted from all systems.
- Is Vet100 HIPAA compliant?
- Vet100 is not a HIPAA-covered entity (it is not a healthcare provider or insurer). However, we voluntarily use HIPAA-eligible infrastructure — including AWS S3 under a signed HIPAA BAA — because veteran data deserves that level of protection.
- Where can I read the full privacy policy?
- Visit vet100.net/privacy for the complete privacy policy.