SOC 2 Type II
In progress — targeting completion Q1 2026. Controls mapped to Security, Availability, Confidentiality trust principles. Bridge letter available on request.
Security & Compliance
NextConsensus processes approved claim text and public evidence sources. We do not ingest PHI, PII, or proprietary clinical trial data. Our architecture is designed for SOC 2 Type II, HIPAA alignment, and GDPR compliance from day one.
SOC 2 Type II in progress — targeting Q1 2026. No certifications achieved yet.
We are building toward these standards. Current status is transparent below.
In progress — targeting completion Q1 2026. Controls mapped to Security, Availability, Confidentiality trust principles. Bridge letter available on request.
No PHI processed. Architecture supports BAA execution for customers requiring it. Audit logging, access controls, encryption at rest/in transit implemented.
Data minimization by design. No personal data processed. DPA template available. EU data residency via Cloudflare Workers regional routing.
Control framework mapped. Policy library, risk assessment, incident response, vendor management, business continuity documented. Formal certification not pursued yet.
OIDC via Cloudflare Access. SAML/OIDC federation with customer IdP. MFA enforced. Session timeout configurable.
Role-based: Admin, Reviewer, Viewer. Tenant isolation at application and database layer (D1 per-tenant or row-level security).
All assessment actions, data exports, config changes logged. Immutable log via Cloudflare Workers KV + R2. Exportable for SIEM.
Dependabot + SBOM generation. Container scanning. Quarterly pen test (external). Bug bounty via HackerOne (planned).
Cloudflare Workers (compute), D1 (SQLite), R2 (object storage), KV (edge KV), Queues, Workflows, Vectorize. No self-managed servers.
Zero-trust via Cloudflare Zero Trust. No public origin IPs. WAF managed rules + custom rules. DDoS protection included.
Workers regional routing (US, EU, APAC). Data stays in region. Customer chooses region at onboarding.
RTO < 4 hours, RPO < 1 hour. Cross-region replication for D1/R2. Runbook tested quarterly.
We use a minimal set of subprocessors. Full list available on request.
SEV-1 (data breach, service outage > 15 min) → 15-min acknowledgment, 1-hour customer notification
Status page, direct email to security contacts, post-incident report within 5 business days
Tabletop exercises quarterly. Red team annually. Runbook reviewed semi-annually.
Request any of the following via security contact form:
We'll send the full packet within 1 business day.