Security worthy of healthcare data.
Vetra is engineered with defense-in-depth: tenant isolation, RBAC with approval limits, encryption everywhere, and a complete, immutable audit log.
Tenancy & isolation
- Every HMO workspace is a tenant; all data and settings are scoped server-side.
- Provider accounts span tenants; each link from a provider to an HMO is approved separately.
- The corporate portal sees only its own enrollee population.
- The enrollee portal sees only its own member data.
The BFF architecture
The public app talks only to a backend-for-frontend (BFF). The core API requires an x-api-key header that only the BFF holds — clients can never reach the core directly.
Helmet, throttling, environment validation and a strict CORS allow-list are applied to every request; authentication uses httpOnly cookies.
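The request path described above, written out as an added example (this is illustrative code, not Vetra's BFF). It assumes the core API key is read from the BFF's environment (a constructed fallback value is used so the block runs offline), and the allow-listed hosts and the x-tenant-id / x-actor-id header names are assumptions. Everything is a plain function so it can be exercised without starting a server.

```javascript
// Added example, not Vetra's code: the request-handling core of a
// backend-for-frontend (BFF). Assumptions: the core API key lives only in the
// BFF's environment (constructed fallback below), and the allow-listed hosts
// and the x-tenant-id / x-actor-id header names are illustrative.
const CORE_API_KEY = process.env.CORE_API_KEY || 'constructed-example-key-not-real';

// Strict CORS allow-list: exact origin match, so a look-alike such as
// "https://app.example.com.evil.test" or a plain-http variant is rejected.
const ALLOWED_ORIGINS = new Set(['https://app.example.com', 'https://portal.example.com']);

function originAllowed(origin) {
  return typeof origin === 'string' && ALLOWED_ORIGINS.has(origin);
}

// Client headers the BFF never forwards: a client-supplied x-api-key must not
// reach the core, the browser's session cookie stays at the BFF, and tenant /
// actor identity is never taken from the client.
const DROPPED_HEADERS = new Set(['x-api-key', 'cookie', 'authorization', 'x-tenant-id', 'x-actor-id']);

// Build the request the BFF sends upstream. `session` is the server-side
// session looked up from the httpOnly cookie; tenant and actor come from it.
function buildUpstreamRequest(clientReq, session) {
  const headers = {};
  for (const [name, value] of Object.entries(clientReq.headers || {})) {
    const lower = name.toLowerCase();
    if (!DROPPED_HEADERS.has(lower)) headers[lower] = value;
  }
  headers['x-api-key'] = CORE_API_KEY;       // held only by the BFF
  headers['x-tenant-id'] = session.tenantId; // scoping decided server-side
  headers['x-actor-id'] = session.userId;
  return { method: clientReq.method, path: clientReq.path, headers };
}

// Session cookie attributes: HttpOnly keeps it away from page script, Secure
// keeps it off plain HTTP, SameSite=Strict stops cross-site sends.
function sessionCookie(sessionId, maxAgeSeconds) {
  return `sid=${sessionId}; Path=/; Max-Age=${maxAgeSeconds}; HttpOnly; Secure; SameSite=Strict`;
}

// Minimal Cookie header parser; session ids are assumed to be opaque tokens
// that need no percent-decoding.
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Fixed-window throttle keyed by client (session id or source address).
function makeThrottle(limit, windowMs) {
  const buckets = new Map();
  return function allow(key, now = Date.now()) {
    const b = buckets.get(key);
    if (!b || now - b.start >= windowMs) {
      buckets.set(key, { start: now, count: 1 });
      return true;
    }
    b.count += 1;
    return b.count <= limit;
  };
}

// One request through the BFF: origin check, session lookup, throttle, then
// forward. Returns a result object instead of writing to a socket.
function handle(clientReq, sessions, throttle, now = Date.now()) {
  const origin = clientReq.headers.origin;
  if (origin !== undefined && !originAllowed(origin)) return { status: 403, error: 'origin not allowed' };
  const sid = parseCookies(clientReq.headers.cookie).sid;
  const session = sid && sessions.get(sid);
  if (!session) return { status: 401, error: 'no valid session' };
  if (!throttle(sid, now)) return { status: 429, error: 'rate limited' };
  return { status: 200, upstream: buildUpstreamRequest(clientReq, session) };
}
```

The point to check in a review of any BFF is the header-dropping step: if a client-supplied x-api-key or x-tenant-id were forwarded as-is, the client could pick its own tenant, and the "clients never reach the core" property would hold only at the network layer.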
RBAC + approval limits
Vetra ships with a catalog of 55+ permissions and an approval-limit layer on top:
- Define roles with any subset of permissions.
- Per-role ceilings for claim approval and settlement run sign-off.
- Tenant admins can audit role assignments and changes over time.
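An added example of the three points above (roles as subsets of a catalog, per-role ceilings, and an assignment history an admin can review); it is illustrative code, not Vetra's. The catalog entries, role names and amounts are constructed, and amounts are integers in minor currency units, which is an assumption made to keep comparisons exact.

```javascript
// Added example, not Vetra's code: roles as subsets of a permission catalog,
// with a per-role approval ceiling checked after the permission itself. The
// catalog entries, role names and amounts are constructed for illustration;
// amounts are integers in minor currency units to avoid floating-point drift.
const PERMISSION_CATALOG = new Set([
  'claims.view', 'claims.approve',
  'settlements.view', 'settlements.signoff',
  'roles.manage',
]);

// Actions that carry an amount and therefore need a ceiling on the role.
const LIMITED_ACTIONS = new Set(['claims.approve', 'settlements.signoff']);

// A role is any subset of the catalog; unknown permissions and limits on
// unlimited actions are rejected at definition time, not silently ignored.
function defineRole(name, permissions, limits = {}) {
  for (const p of permissions) {
    if (!PERMISSION_CATALOG.has(p)) throw new Error(`unknown permission: ${p}`);
  }
  for (const action of Object.keys(limits)) {
    if (!LIMITED_ACTIONS.has(action)) throw new Error(`no limit applies to: ${action}`);
  }
  return { name, permissions: new Set(permissions), limits: { ...limits } };
}

// Authorization decision. Order matters: the permission gate first, then the
// ceiling. A limited action with no ceiling configured is denied (fail closed),
// and a malformed amount is denied rather than compared.
function authorize(role, action, amount) {
  if (!role.permissions.has(action)) {
    return { allowed: false, reason: 'missing permission' };
  }
  if (!LIMITED_ACTIONS.has(action)) {
    return { allowed: true, reason: 'no ceiling applies' };
  }
  if (!Number.isInteger(amount) || amount < 0) {
    return { allowed: false, reason: 'invalid amount' };
  }
  const ceiling = role.limits[action];
  if (!Number.isInteger(ceiling)) {
    return { allowed: false, reason: 'no approval limit configured' };
  }
  if (amount > ceiling) {
    return { allowed: false, reason: `amount ${amount} exceeds limit ${ceiling}` };
  }
  return { allowed: true, reason: 'within limit' };
}

// Role assignments are recorded as a history rather than overwritten, so an
// admin can see who held which role when, and who made each change.
function makeAssignments() {
  const history = [];
  const record = (change) => (userId, roleName, actorId, at) => {
    history.push({ at, actorId, userId, roleName, change });
  };
  return {
    assign: record('assign'),
    revoke: record('revoke'),
    // Current roles are derived by replaying the history in order.
    rolesOf(userId) {
      const roles = new Set();
      for (const h of history) {
        if (h.userId !== userId) continue;
        if (h.change === 'assign') roles.add(h.roleName); else roles.delete(h.roleName);
      }
      return roles;
    },
    history: () => history.slice(),
  };
}
```

The boundary case worth testing is an amount exactly at the ceiling: the rule here is "up to and including", so the comparison is `amount > ceiling`, and a role that has the approve permission but no ceiling at all cannot approve anything.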
Encryption & key management
| Layer | Control |
|---|---|
| In transit | TLS 1.2+ everywhere. HTTP is redirected and HSTS-locked. |
| At rest | AES-256 at the database and object store. |
| Key rotation | Managed and automated; cryptographic material is never in app code. |
| Secrets | Environment-validated at boot; secrets never logged. |
Audit log
- Append-only record of every permission-sensitive action.
- Captures actor, resource, action, before / after where applicable, and timestamp.
- Exportable for compliance reviews and security audits.
[Screenshot placeholder (coming soon): the audit log showing actor, resource, action, before / after and timestamp, with CSV export]
What we ask of you
- Use strong, unique passwords and turn on two-step verification where supported.
- Scope API keys to the smallest set of permissions the integration needs.
- Rotate API keys when staff are offboarded.
- Review Approval Limits whenever roles change.