ValorAI
    Security & Compliance

    Your Data Security is Our Priority

    We use military-grade encryption and follow industry best practices to protect your sensitive veteran information.

    Encryption
    End-to-end protection for your data

    Encryption In Transit

    • TLS 1.3 (minimum TLS 1.2) for all connections
    • AES-256-GCM and ChaCha20-Poly1305 cipher suites
    • Automatic certificate renewal via Let's Encrypt
    • All VA API calls encrypted with HTTPS

    Encryption At Rest

    • PostgreSQL with AES-256 database-level encryption
    • SOC 2 Type II certified hosting (infrastructure providers)
    • OAuth tokens encrypted before storage
    • SSN partial redaction (only last 4 digits stored)
    • Daily encrypted backups with 90-day retention

    Zero-Trust Architecture

    No system or user gets access without strict, verified permissions. Even our developers cannot access your data without proper authorization and audit logging.

    Compliance Standards
    Meeting and exceeding industry standards

    HIPAA Compliance

    Health data encryption, access controls, and audit logging. Business Associate Agreements (BAAs) with all vendors.

    GDPR Compliance

    Right to deletion, data portability, consent management, and 30-day deletion processing.

    CCPA Compliance

    California privacy rights, clear data collection disclosure, and opt-out mechanisms.

    FISMA Compliance

    Federal Information Security Management Act compliance for VA integration requirements.

    NIST 800-53

    Security controls framework aligned with federal security standards.

    SOC 2 Type II

    Building toward full SOC 2 Type II certification. Our hosting providers are already SOC 2 certified.

    Authentication & Access Control
    Multi-layered security for account protection

    User Authentication (Clerk)

    • Multi-factor authentication (MFA) support
    • Social sign-in (Google, GitHub) with OAuth
    • Email/password authentication with strong password requirements
    • Session management with automatic timeout
    • Account lockout after failed login attempts

    VA OAuth 2.0 Integration

    • OAuth 2.0 Authorization Code Flow with PKCE
    • Encrypted token storage in database
    • Automatic token refresh before expiration
    • Secure token transmission (TLS 1.3 only)
    • Token revocation on account disconnect
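    The PKCE step listed above, as an added Python example (not ValorAI's code and not the VA's API): the client generates a random code_verifier and its S256 code_challenge, puts the challenge in the authorization request, and the authorization server later checks the verifier presented at the token endpoint against the stored challenge. The endpoint, client id and redirect URI are placeholders, and the verifier format rules (43..128 unreserved characters) follow RFC 7636.

```python
import base64
import hashlib
import hmac
import re
import secrets
from urllib.parse import urlencode

# RFC 7636 section 4.1: 43..128 characters from the unreserved set
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def generate_code_verifier(n_bytes: int = 32) -> str:
    """Client side: CSPRNG bytes, base64url without padding (32 bytes -> 43 chars)."""
    if not 32 <= n_bytes <= 96:
        raise ValueError("n_bytes must produce a 43..128 character verifier")
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), no padding."""
    if not _VERIFIER_RE.match(verifier):
        raise ValueError("code_verifier violates the RFC 7636 format")
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_url(authorize_endpoint: str, client_id: str, redirect_uri: str,
                            scope: str, state: str, code_challenge: str) -> str:
    """Client side: authorization request carrying the challenge (endpoint is a placeholder)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,                      # CSRF binding, separate from PKCE
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def verify_pkce(stored_challenge: str, presented_verifier: str, method: str = "S256") -> bool:
    """Authorization server side, at the token endpoint.

    Rejects the downgrade to the 'plain' method, rejects malformed verifiers,
    and compares in constant time so the check leaks nothing about the stored value.
    """
    if method != "S256":
        return False
    try:
        expected = code_challenge_s256(presented_verifier)
    except ValueError:
        return False
    return hmac.compare_digest(expected, stored_challenge)


if __name__ == "__main__":
    verifier = generate_code_verifier()
    challenge = code_challenge_s256(verifier)
    print(build_authorization_url("https://authz.example/authorize", "client-id-placeholder",
                                  "https://app.example/callback", "openid", secrets.token_urlsafe(16),
                                  challenge))
    print("token endpoint accepts verifier:", verify_pkce(challenge, verifier))
```

    The server stores only the challenge with the issued authorization code; the verifier never leaves the client until the token request, which is what stops an intercepted code from being redeemed by anyone else.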

    Role-Based Access Control (RBAC)

    • User roles: user, admin, support
    • Principle of least privilege
    • Comprehensive audit logging for all access

    Data Privacy & Control
    Your data, your control

    Data Minimization

    We only collect data necessary for functionality:

    • Medical records data is stored encrypted (AES-256) to support disability claims and benefits analysis
    • No storage of financial account details
    • SSN partial redaction (***-**-1234 format)
    • PII minimization throughout the platform
    • Health data used solely for VA benefits assistance, never for clinical decisions
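    The partial-redaction rule stated above (store only the last four digits, display as ***-**-1234), as an added Python example that is not ValorAI's code. It accepts the common input forms (dashes, spaces, bare nine digits), rejects anything that is not a nine-digit SSN, and scrubs dash-formatted SSNs out of free text such as an uploaded document; the sample values are constructed.

```python
import re

# A single SSN in a form field: 3-2-4 digits, optional dash or space separators
_SSN_RE = re.compile(r"^(\d{3})[-\s]?(\d{2})[-\s]?(\d{4})$")

# Inside free text only the dash-formatted shape is matched; a bare 9-digit run
# could be a phone or account number, so it is left for a human to review.
_SSN_IN_TEXT_RE = re.compile(r"\b\d{3}-\d{2}-(\d{4})\b")


def redact_ssn(raw: str) -> str:
    """Return the ***-**-1234 display form; raise on input that is not a 9-digit SSN."""
    m = _SSN_RE.match(raw.strip())
    if not m:
        raise ValueError("input is not a 9-digit SSN")
    return f"***-**-{m.group(3)}"


def last4_for_storage(raw: str) -> str:
    """The only SSN fragment that should reach the database."""
    return redact_ssn(raw)[-4:]


def scrub_ssns(text: str) -> str:
    """Replace every dash-formatted SSN in free text with its redacted form."""
    return _SSN_IN_TEXT_RE.sub(r"***-**-\1", text)


if __name__ == "__main__":
    # constructed sample values
    print(redact_ssn("123-45-6789"))
    print(last4_for_storage("123456789"))
    print(scrub_ssns("Claimant SSN 123-45-6789 listed on page 2."))
```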

    Health Information Notice

    Important: This service is for educational and informational purposes only, not for clinical decisions. ValorAI is not a healthcare provider.

    Your Data Rights

    • Access: View all information we have about you
    • Delete: Permanently delete all your data (30-day processing)
    • Export: Download a copy of your data in portable format
    • Modify: Update or correct any information
    • Disconnect: Revoke VA account access at any time

    No Data Sharing

    Your data is never sold, shared with third parties, or used for marketing. We don't monetize your data—our model is built on subscriptions, not surveillance.

    No Third-Party Training

    Your uploaded documents are never used to train our AI models. Our models are updated through structured, vetted legal and regulatory data, not your personal files.

    Security Monitoring & Incident Response
    24/7 monitoring and rapid response

    Real-Time Monitoring

    • Automated vulnerability scanning
    • Intrusion detection systems
    • API rate limiting and DDoS protection
    • Error tracking with Sentry
    • Performance monitoring

    Incident Response Plan

    We have a comprehensive incident response plan with:

    • Automated detection and alerts
    • Severity classification system
    • Containment and eradication procedures
    • VA notification process (within 24 hours for critical incidents)
    • Post-incident root cause analysis

    Regular Security Audits

    We conduct regular security audits, penetration testing, and code reviews to identify and address vulnerabilities proactively.

    Veteran-Owned, Veteran-Built
    Built by someone who understands the importance of trust

    ValorAI isn't a Silicon Valley project chasing a quick exit. It's a mission-first platform built by veterans, for veterans. Every decision we make is filtered through one question: Would I trust this with my own file?

    We're building ValorAI in the open. Veterans in our community help shape features, vet our decisions, and hold us accountable. You're not handing your data to a faceless app—you're joining a movement run by people like you.

    Questions About Security?

    If you have security concerns or questions, please contact us:

    Email: support@tryvalor.ai

    For security vulnerabilities, please include "SECURITY" in the subject line.

    Last updated: 2/13/2026

    View Privacy Policy · View Terms of Service

    © 2026 ValorAI. All rights reserved.

    Owned by Valor AI LLC
