Trust
Built for state procurement.
Below is an honest view of where VCPMS stands on security, compliance, and data handling. Every claim here has a supporting answer in our RFP response materials.
Multi-tenant data isolation
Every entity in VCPMS carries a tenant identifier with automatic filter enforcement at the query level. Unique constraints include the tenant partition. One state program's data is physically isolated from another — a query for Oklahoma data cannot return Maine records, by design.
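As an added illustration of the isolation pattern described above (not VCPMS code, whose internals are not shown here): a repository that stamps the tenant identifier from the session and filters it on every read, over a shared store whose uniqueness constraint is keyed on the tenant partition. The Claim entity, the class names and the sample tenants "OK" and "ME" are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional
@dataclass(frozen=True)
class Claim:
    tenant_id: str     # state program partition, e.g. "OK" or "ME" (constructed values)
    claim_number: str  # unique only within its tenant
    claimant: str

class ClaimStore:
    """In-memory stand-in for one shared table holding every tenant's rows."""
    def __init__(self) -> None:
        self.rows: list[Claim] = []
        self._unique: set[tuple[str, str]] = set()  # constraint key includes the tenant partition

    def insert(self, row: Claim) -> None:
        key = (row.tenant_id, row.claim_number)
        if key in self._unique:
            raise ValueError(f"duplicate claim {row.claim_number!r} in tenant {row.tenant_id!r}")
        self._unique.add(key)
        self.rows.append(row)

class TenantScopedRepository:
    """Every read and write passes through the tenant filter; callers cannot bypass it."""
    def __init__(self, store: ClaimStore, tenant_id: str) -> None:
        self._store, self._tenant_id = store, tenant_id

    def list_claims(self) -> list[Claim]:
        return [r for r in self._store.rows if r.tenant_id == self._tenant_id]

    def get(self, claim_number: str) -> Optional[Claim]:
        # The filter runs before the lookup: another tenant's row is absent, not "forbidden".
        return next((r for r in self.list_claims() if r.claim_number == claim_number), None)

    def add(self, claim_number: str, claimant: str) -> Claim:
        row = Claim(self._tenant_id, claim_number, claimant)  # tenant comes from the session, not input
        self._store.insert(row)
        return row

def demo() -> dict:
    store = ClaimStore()
    ok, me = TenantScopedRepository(store, "OK"), TenantScopedRepository(store, "ME")
    ok.add("C-1001", "claimant A (constructed)")
    me.add("C-1001", "claimant B (constructed)")  # same number in another partition: allowed
    try:
        ok.add("C-1001", "claimant C (constructed)")  # duplicate inside OK: rejected
        dup_rejected = False
    except ValueError:
        dup_rejected = True
    return {"ok_rows": len(ok.list_claims()), "me_rows": len(me.list_claims()), "total_rows": len(store.rows),
            "me_lookup": me.get("C-1001").claimant, "dup_rejected": dup_rejected}
```

Both tenants share one table, yet each repository only ever sees its own partition, and the same claim number may exist once per state without colliding.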
Authentication
- Multi-factor authentication (MFA): Required / configurable per tenant. Google Authenticator (TOTP).
- QR login: SignalR-backed passwordless access for mobile companion-app users.
- SSO: JWT Bearer + OpenIddict; SAML or OIDC to state identity providers.
Authorization
Two orthogonal axes: user category (VboUser, VcaUser, SpaUser, AdvUser, LeaUser) enforced at the application-service level; hierarchical permissions (Pages.VcClaims, Pages.VcClaims.Edit, etc.) enforced per-action.
Audit logging
- Entity-level activity log (DomainEntityActivity) — timestamp, actor, field-level before/after values on every change.
- Field-level data-change versioning — victim/claimant/contact/crime data each independently versioned per section.
- Individual-section update tracking — reason required on changes to victim, claimant, or crime sections after submission.
- Workflow trigger audit log — automated system actions (notifications, state changes, document generation) logged separately from human activity.
Compliance posture
- HIPAA-aligned, BAA-capable. Victim records routinely include protected health information; VCPMS is designed to handle PHI with appropriate controls. We sign BAAs.
- CJIS-aligned architecture. Designed to meet CJIS controls; formal attestation in progress.
- SOC 2 Type II in progress. Independent audit underway; not yet issued.
- Accessibility: WCAG 2.1 AA targets; formal Section 508 audit planned.
What we don't claim (yet)
Honesty is a feature. We deliberately do not claim production state-ID SSO integrations we haven't shipped, formal CJIS attestation we don't hold, SOC 2 reports we haven't issued, or FedRAMP status. Where marketing copy distinguishes "shipped" from "arriving" from "integration-ready," those distinctions are verifiable.
Need our full RFP-ready security addendum?
We'll walk you through how VCPMS fits your program.
Request the security package