Security & Compliance

Your Data Security is Our Priority

We use strong encryption, managed infrastructure controls, and audited application safeguards to protect sensitive veteran information.

Encryption
Strong encryption protections for your data

Encryption In Transit

  • Modern industry-standard encryption for all connections (TLS)
  • All API calls transmitted over HTTPS
  • Automatic certificate management and renewal

Encryption At Rest

  • Managed encrypted storage for application data and documents
  • Managed cloud providers with documented security programs for core infrastructure
  • Sensitive credentials and tokens are protected using encrypted storage and access controls
  • SSN partial redaction (only last 4 digits stored)
  • Operational backups and retention controls are handled through the platform data layer and hosting providers

Zero-Trust Architecture

Internal access to sensitive data is tightly restricted, role-based, and audited. Access is granted only as needed, following least privilege, with comprehensive logging.

Our Compliance Roadmap
Building toward recognized security and privacy frameworks

Health Data Safeguards

Built with safeguards that support protection of sensitive health-related information, including encryption, access controls, audit logging, and least-privilege access patterns.

Privacy Rights Workflows

We support privacy rights workflows such as access, deletion, export, and consent management requests with 30-day deletion processing.

Transparent Data Handling

We do not sell personal data. We support user privacy rights and provide clear data collection disclosure and opt-out mechanisms.

Federal Security Alignment

Internal controls are being aligned to NIST 800-53 security control patterns. The VA integration path is being prepared to support federal review expectations.

SOC 2 Readiness

We are working toward SOC 2 readiness while relying on security-reviewed infrastructure providers today.

Authentication & Access Control
Multi-layered security for account protection

User Authentication (Clerk)

  • Multi-factor authentication (MFA) support
  • Social sign-in (Google, GitHub) with OAuth
  • Email/password authentication with strong password requirements
  • Session management with automatic timeout
  • Account lockout after failed login attempts

VA OAuth 2.0 Integration

  • OAuth 2.0 Authorization Code Flow with PKCE
  • Encrypted token storage with access controls
  • Automatic token refresh before expiration
  • Secure token transmission over TLS
  • Disconnecting ValorAI access clears the app-side VA connection state and associated local access path

Role-Based Access Control (RBAC)

  • User roles: user, admin, support
  • Principle of least privilege
  • Comprehensive audit logging for all access

Data Privacy & Control
Your data, your control

Data Minimization

We only collect data necessary for functionality:

  • Sensitive records are protected using encrypted storage to support disability claims and benefits analysis
  • No storage of financial account details
  • SSN partial redaction (***-**-1234 format)
  • PII minimization throughout the platform
  • Health data used solely for VA benefits assistance, never for clinical decisions

Health Information Notice

Important: This service is for educational and informational purposes only, not for clinical decisions. ValorAI is not a healthcare provider.

Your Data Rights

  • Access: View all information we have about you
  • Delete: Permanently delete all your data (30-day processing)
  • Export: Download a copy of your data in portable format
  • Modify: Update or correct any information
  • Disconnect: Revoke VA account access at any time

Data Sharing Practices

We do not sell your personal data. We only share data with service providers necessary to operate the platform, subject to contractual privacy and security safeguards. Our business model is built on subscriptions, not data monetization.

No Third-Party Training

Customer-uploaded documents are not used to train our AI models. Our models are updated through structured, vetted legal and regulatory data, not your personal files.

Security Monitoring & Incident Response
Continuous automated monitoring and alerting

Real-Time Monitoring

  • Automated vulnerability scanning
  • Intrusion detection systems
  • API rate limiting and DDoS protection
  • Error tracking with Sentry
  • Performance monitoring

Incident Response Plan

We have a comprehensive incident response plan with:

  • Automated detection and alerts
  • Severity classification system
  • Containment and eradication procedures
  • Escalation and notification procedures for high-severity incidents
  • Post-incident root cause analysis

Security Reviews

We perform regular security reviews, code reviews, and testing to identify and address vulnerabilities proactively. We periodically assess the platform for security weaknesses.

Veteran-Owned, Veteran-Built
Built by someone who understands the importance of trust

ValorAI isn't a Silicon Valley project chasing a quick exit. It's a mission-first platform built by veterans, for veterans. Every decision we make is filtered through one question: Would I trust this with my own file?

We're building ValorAI in the open. Veterans in our early user group help shape features, vet our decisions, and hold us accountable. You're not handing your data to a faceless app. You're trusting a veteran-built product that stays close to the people it serves.

ValorAI uses modern security practices including encryption in transit and at rest, role-based access controls, audit logging, and privacy-focused data handling. We are building our internal controls to align with recognized security and privacy frameworks, and we continue to strengthen our compliance posture as the platform matures.

Questions About Security?

If you have security concerns or questions, please contact us:

Email: security@tryvalor.ai

For security vulnerabilities, please include "SECURITY" in the subject line.

Last updated: 5/14/2026

© 2026 ValorAI. All rights reserved.

Owned by Valor AI LLC