How We Protect Veteran Data
Your claims data is sensitive. Vet100 treats it that way — with encryption, access controls, audit logging, and NIST 800-53 security controls.
AES-256 Encryption
HIPAA BAA Infrastructure
NIST 800-53 Controls
Why Security Matters for Veteran Data
VA disability claims contain some of the most sensitive information a person has: medical diagnoses, service records, financial details, and personal identifiers. Veterans deserve to know exactly how their data is stored, who can access it, and what protections are in place.
Vet100 was built with security as a foundational requirement — not an afterthought.
Data Storage Model
Claims Data — Local on Device
Your claims data (conditions, ratings, notes, C&P prep answers) is stored locally on your device by default, so it is not sitting on a server waiting to be breached, and the app keeps working offline because the data is already on your phone or computer. When these entries are synced to the database, they are encrypted on your device first (the Lockbox A envelope described under Additional Security Controls), so the server only ever holds ciphertext it cannot read.
Documents — AWS S3 with HIPAA BAA
When you upload documents (medical records, DD-214, buddy letters, DBQs), they are stored in AWS S3 buckets operating under a signed AWS Business Associate Addendum (BAA). This means AWS contractually agrees to handle your documents according to HIPAA security standards.
Encryption
- At rest: All stored documents are encrypted with AES-256 server-side encryption using keys held in AWS Key Management Service (SSE-KMS). The keys are managed by AWS and rotated automatically. Because decryption happens inside AWS, this protects the stored bytes against loss or exposure of the underlying storage, but it does not by itself stop a caller who already holds valid credentials for the bucket; that access is governed by AWS access policies and logged by CloudTrail (see AU-2 below).
- In transit: All data transmitted between your device and Vet100 servers is protected by TLS (Transport Layer Security) 1.2 or newer. Nothing is sent in the clear.
Authentication & Access Control
- Supabase JWT authentication: User sessions are managed with industry-standard JSON Web Tokens (JWTs), signed and verified server-side. The user ID that scopes every request is taken from the verified token, never from a value the client supplies.
- Row-Level Security (RLS): Every database query is filtered by user ID at the database level. Even if application code had a bug, the database itself prevents one user from reading another user's rows. RLS applies to queries run as the authenticated user; connections made with the service-role key bypass it, which is why the most sensitive fields are additionally encrypted on your device (Lockbox A, below).
- IDOR protection: Insecure Direct Object Reference attacks are blocked. Because access is decided by the user ID in the verified token rather than by the identifier in the request, you cannot reach another user's resources by guessing or modifying IDs.
Additional Security Controls
The platform implements several defense-in-depth controls beyond the basics:
- Client-side encryption envelope (Lockbox A): SSN and sensitive health entries (conditions, ratings, claim notes, C&P prep) are encrypted in your browser with AES-256-GCM, using a key derived from your account password with PBKDF2-SHA256, before being synced to the database. The decryption key never leaves your device, so a database dump, a service-role-key leak, or a compromised platform admin cannot decrypt this data. Two consequences follow: because GCM is authenticated encryption, any edit to the stored ciphertext is detected when it is decrypted, and because the key is derived from your password, the protection is only as strong as that password.
- Account password hashing: Your account password is hashed by Supabase Auth using bcrypt with per-user salts. Vet100 never stores your plaintext password; it exists only transiently in your browser (to derive the Lockbox A key) and in Supabase Auth while it is checked against the stored hash.
- VA OAuth token encryption at rest: When you connect to VA.gov, your VA Lighthouse access and refresh tokens are encrypted using AES-256-GCM with a Vet100-controlled encryption key (separate from your account password key) and stored in the va_oauth_tokens table. Tokens are decrypted in memory only at the moment of an authorized VA API call and are never returned to your browser. Unlike Lockbox A, this key is held by Vet100, so the protection is against exposure of the database, not against a compromise of the server environment that holds the key.
- Database update guard trigger: A PostgreSQL BEFORE UPDATE trigger (users_update_guard, SECURITY INVOKER) blocks role escalation, organization reassignment, and identity tampering at the database layer, even if application code or Row-Level Security policies were misconfigured. Because a trigger runs inside the database on every UPDATE regardless of which client issued it, the check also holds for connections that bypass RLS.
- Tamper-evident audit log: Every privileged action writes a row to the audit_logs table. Each row carries a SHA-256 hash over its own contents and the previous row's hash, forming a hash chain, so any retroactive edit or deletion breaks the chain and is detectable via the verify_audit_chain() RPC. Like any hash chain, this detects tampering by anyone who cannot also recompute every later row's hash; it complements, rather than replaces, restricting write access to the table.
NIST 800-53 Controls Implemented
Vet100 implements key controls from the NIST SP 800-53 security control catalog, the same standard used by federal agencies. These controls are implemented but not formally audited or certified; a third-party audit (SOC 2 Type II with HIPAA mapping, or HITRUST CSF) is on the roadmap for completion under the first paid engagement.
- AC-2 (Account Management): User accounts are provisioned, managed, and can be deleted with a 7-day grace period for recovery.
- AU-2 (Audit Events) — S3 data events: Object-level access to uploaded documents is logged via AWS CloudTrail under the executed AWS BAA.
- AU-2 (Audit Events) — Application events: Authentication, role changes, VA submissions, and account deletions are written to the SHA-256 hash-chained audit_logs table in Postgres. Retroactive tampering breaks the chain and is detectable via the verify_audit_chain() RPC.
- IA-2 (Identification & Authentication): All users must present a valid, server-verified Supabase JWT before accessing protected resources.
- SC-8 (Transmission Confidentiality): All data in transit is protected by TLS 1.2+ encryption.
- SC-28 (Protection of Information at Rest): Encryption at rest is applied across three distinct surfaces: (a) uploaded documents — AWS S3 with AES-256 SSE-KMS under the executed AWS BAA; (b) sensitive PII including SSN and health entries (Lockbox A envelope) — client-side AES-256-GCM with a key derived from your account password via PBKDF2-SHA256, server stores only opaque ciphertext it cannot decrypt; (c) VA OAuth tokens — server-side AES-256-GCM with a Vet100-controlled encryption key. Other identity attributes (name, email, date of birth, phone, address) are stored as plaintext at rest and protected by Row-Level Security and TLS in transit.
Network Security
- Cloudflare WAF: Web Application Firewall filters malicious traffic, blocks common attack patterns, and provides DDoS protection.
- Rate limiting: API endpoints are rate-limited to prevent abuse and brute-force attacks.
- CORS policy: Cross-Origin Resource Sharing is restricted to an allowlist of authorized Vet100 origins, so a script running on another website cannot make credentialed requests to the API on your behalf.
- CSP headers: Content Security Policy headers restrict where scripts and other resources may be loaded from and executed, which blocks most injected-script (XSS) payloads. CSP is a mitigation layered on top of output encoding, not a replacement for it.
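The CORS restriction above is only as good as the comparison made on the Origin header. The following is an added example, not Vet100's code, that places the suffix match many allowlists start with beside an exact-origin check and the response headers a credentialed API should send. The allowlisted origins and the method and header lists are assumptions.

```javascript
// Added example, not Vet100's code: an Origin allowlist for CORS. The listed
// origins and the allowed methods/headers are assumptions for illustration.
const ALLOWED_ORIGINS = new Set([
  'https://vet100.net',
  'https://app.vet100.net', // assumed additional first-party origin
]);

// Weak: suffix matching on the raw header. 'https://evil-vet100.net' passes.
function weakOriginCheck(origin) {
  return typeof origin === 'string' && origin.endsWith('vet100.net');
}

// Hardened: parse the header as a URL and require scheme + host + port to
// match an allowlisted origin exactly. Returns the canonical origin to echo,
// or null, meaning "send no CORS headers at all".
function allowedOrigin(origin) {
  if (typeof origin !== 'string') return null;           // no Origin header: same-origin or non-browser client
  let url;
  try { url = new URL(origin); } catch (e) { return null; } // the literal 'null' and garbage fail to parse
  if (url.origin !== origin) return null;                // rejects userinfo tricks, paths, trailing slashes
  return ALLOWED_ORIGINS.has(url.origin) ? url.origin : null;
}

// Response headers for a credentialed API. A wildcard is invalid with
// credentials, and echoing an unchecked Origin would reintroduce the bug.
function corsHeaders(requestOrigin) {
  const origin = allowedOrigin(requestOrigin);
  if (origin === null) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE, OPTIONS',
    'Access-Control-Allow-Headers': 'Authorization, Content-Type',
    'Vary': 'Origin', // so a shared cache never serves one origin's response to another
  };
}
```

Returning an empty header set for a disallowed origin is deliberate: the browser then blocks the cross-origin read on its own, and the server never has to reason about which error to send to an attacker-controlled page.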
Your Rights
Account Deletion
You can delete your account at any time. There is a 7-day grace period in case you change your mind. After 7 days, your data is permanently deleted from all systems.
Data Export
You have the right to export your data. Vet100 provides data export functionality so you can take your information with you at any time.
Transparent Disclosure
In the interest of full transparency:
- Vet100 is not affiliated with the VA — it is an independent platform built by a veteran for veterans.
- Vet100 is not a HIPAA-covered entity — however, we voluntarily use HIPAA-eligible infrastructure (AWS with signed BAA) for document storage because it is the right thing to do.
- Vet100 does not sell your data — your information is never shared with third parties for marketing or any other purpose.
Frequently Asked Questions
- Is my data encrypted?
- Yes. Uploaded documents are encrypted at rest with AES-256 server-side encryption (SSE-KMS). Your SSN and sensitive health entries are encrypted in your browser with AES-256-GCM before they are synced, so the server cannot read them. Data in transit is encrypted with TLS 1.2 or newer. Claims data stored locally on your device is protected by your device's native encryption.
- Can other users see my data?
- No. Row-Level Security (RLS) at the database level ensures every query is scoped to your user ID, so a bug in application-level query logic cannot return another user's rows.
- What happens if I delete my account?
- You have a 7-day grace period to recover your account. After 7 days, all data associated with your account is permanently deleted from all systems.
- How does Vet100 align with HIPAA?
- Vet100 is not a HIPAA-covered entity (it is not a healthcare provider or insurer). However, we voluntarily use HIPAA-eligible infrastructure — including AWS S3 and AWS Bedrock under an executed AWS Business Associate Addendum — because veteran data deserves that level of protection.
- Where can I read the full privacy policy?
- Visit vet100.net/privacy for the complete privacy policy.