Security
Veridian Public is built for public-sector engagements where security, privacy, and trust are foundational requirements.
Security by Design
Our platform and operations are designed with security and privacy controls aligned to the expectations of state and federal public-sector programs. We treat beneficiary and program information as sensitive by default.
Practices and Controls
- Role-based access controls and least-privilege defaults
- Encryption in transit and at rest for system data
- Audit logging across user and system activity
- Background-checked, trained verification specialists
- Documented operational procedures and change controls
- Incident response procedures and notification protocols
Compliance & Attestations
The control frameworks below are the ones state Medicaid, CHIP, and SNAP agencies most often require during procurement review. Where an attestation is in progress rather than completed, that status is named explicitly — we don’t claim certifications we haven’t earned.
| Framework | Status | Evidence available on request |
|---|---|---|
| SOC 2 Type II | CURRENT | Independent SOC 2 Type II audit completed annually. Most recent report (auditor name & date) available under NDA during procurement. |
| HIPAA · Business Associate Agreement | READY | Standard BAA template available. We execute the state’s preferred BAA before any beneficiary data enters our environment. |
| StateRAMP | IN PROGRESS | StateRAMP authorisation in progress. Reciprocity through FedRAMP-aligned controls is documented for state-specific reviews. |
| FedRAMP | NOT PURSUING | FedRAMP is federal-agency-focused; not required for state Medicaid agency contracts. Equivalent control coverage is provided through SOC 2 Type II + state-specific assessments. |
| CMS MARS-E 2.2 | ALIGNED | Controls aligned to CMS Minimum Acceptable Risk Standards for Exchanges. Mapping document available during procurement review. |
| NIST 800-53 (Moderate) | ALIGNED | Control coverage at the Moderate baseline. Crosswalk to NIST CSF and CMS MARS-E available. |
| WCAG 2.1 AA | CONFORMANT | Web Content Accessibility Guidelines 2.1 Level AA conformance. Annual independent audit. See /accessibility. |
Data Flow & Residency
Veridian Public operates the verification workflow alongside the state’s existing system of record. We do not become the determining authority for eligibility; the state always remains the system of record.
- Intake. Beneficiary or state-system records arrive via the state’s chosen integration pattern (REST API, batch SFTP, or human-readable case file).
- Processing. The workflow runs inside US-based AWS regions (us-east-1 / us-west-2) under our HIPAA-BAA infrastructure account. Data is encrypted at rest (AES-256) and in transit (TLS 1.3).
- Human review. Verification specialists access data through audited workstations. Access is role-based and least-privilege, with named-user audit trails.
- Evidence packaging. Verification evidence is delivered back to the state through the same integration pattern. The state makes the determination.
- Retention. Beneficiary data is retained only for the engagement period plus the federal records-retention minimum (typically 7–10 years for Medicaid). At end of retention, data is irretrievably destroyed and a destruction certificate is issued to the state.
A detailed data-flow diagram with system boundaries, encryption points, and access controls is available to state privacy officers during procurement review. Request via info@veridianpublic.com.
Insurance & Bonding
Veridian Public maintains insurance coverage aligned with the contract requirements of state Medicaid agencies and prime contractors we work alongside. Specific limits and carriers are listed in engagement-specific contract documentation and can be increased by rider where state procurement requires.
- Professional liability (Errors & Omissions) — coverage at or above the standard $5M state-Medicaid procurement floor
- Cyber liability & data-breach coverage — coverage at or above the $5M state-Medicaid procurement floor; includes notification, forensics, and remediation
- General liability — standard commercial general liability with state-required additional-insured endorsements available
- Workers’ compensation — coverage in every state where Veridian employs verification specialists
- Fidelity / employee dishonesty bonding — available on request
State Data Use Agreement
Veridian Public maintains a standardised Data Use Agreement (DUA) template aligned with HIPAA business-associate requirements and state Medicaid privacy rules. We readily adopt the state’s preferred DUA template where one exists. The template covers data classification, permitted uses, retention, breach notification SLAs, subcontractor flow-down, and termination.
The DUA template and a redline-mode draft are available to state procurement officers under NDA during contract scoping. Email info@veridianpublic.com to receive a copy.
Transition & Termination
State contracts must allow exit without lock-in. Veridian Public commits to:
- Data return within 30 days of contract termination — full beneficiary case files in the state’s preferred format (CSV, XML, FHIR, or SQL dump)
- Transition support up to 180 days at the state’s option — knowledge transfer to successor vendor, parallel-run support, runbook handover
- Destruction certificate after data return is verified — documented destruction of all beneficiary data from Veridian systems
- No data hostage clauses — data return is not conditioned on the resolution of outstanding invoice disputes
Privacy
We collect, use, and store only the information needed to operate our services on behalf of the public-sector entities we support. For details, see our Privacy Policy.
Reporting a Security Issue
If you believe you’ve identified a security issue, please contact info@veridianpublic.com with “Security” in the subject line. We acknowledge within 1 business day and provide a remediation timeline within 5 business days. Coordinated vulnerability disclosure is welcome; we do not pursue legal action against good-faith security researchers.