Your Data Security is Our Priority
We use strong encryption, managed infrastructure controls, and audited application safeguards to protect sensitive veteran information.
Encryption In Transit
- TLS 1.3 (minimum TLS 1.2) for all connections
- AES-256-GCM and ChaCha20-Poly1305 cipher suites
- Automatic certificate renewal via Let's Encrypt
- All VA API calls encrypted with HTTPS
Encryption At Rest
- Managed encrypted storage for application data and documents
- Managed cloud providers with documented security programs for core infrastructure
- OAuth tokens and sensitive credentials are encrypted before storage
- SSN partial redaction (only last 4 digits stored)
- Operational backups and retention controls are handled through the platform data layer and hosting providers
Zero-Trust Architecture
No system or user gets access without strict, verified permissions. Even our developers cannot access your data without proper authorization and audit logging.
HIPAA Compliance
Health data encryption, access controls, audit logging, and least-privilege access patterns are built into the product.
GDPR Compliance
Right to deletion, data portability, consent management, and 30-day deletion processing.
CCPA Compliance
California privacy rights, clear data collection disclosure, and opt-out mechanisms.
FISMA Compliance
The VA integration path is being prepared to meet federal review expectations, but production VA approval is still pending.
NIST 800-53
Internal controls are being aligned to common federal security patterns used in regulated environments.
SOC 2 Type II
We are building toward a stronger formal compliance posture while relying on security-reviewed infrastructure providers today.
User Authentication (Clerk)
- Multi-factor authentication (MFA) support
- Social sign-in (Google, GitHub) with OAuth
- Email/password authentication with strong password requirements
- Session management with automatic timeout
- Account lockout after failed login attempts
VA OAuth 2.0 Integration
- OAuth 2.0 Authorization Code Flow with PKCE
- Encrypted token storage in database
- Automatic token refresh before expiration
- Secure token transmission (TLS 1.3 only)
- Disconnecting ValorAI access clears the app-side VA connection state and the associated local access path
Role-Based Access Control (RBAC)
- User roles: user, admin, support
- Principle of least privilege
- Comprehensive audit logging for all access
Data Minimization
We only collect data necessary for functionality:
- Medical records data is stored encrypted (AES-256) to support disability claims and benefits analysis
- No storage of financial account details
- SSN partial redaction (***-**-1234 format)
- PII minimization throughout the platform
- Health data used solely for VA benefits assistance, never for clinical decisions
Health Information Notice
Important: This service is for educational and informational purposes only, not for clinical decisions. ValorAI is not a healthcare provider.
Your Data Rights
- Access: View all information we have about you
- Delete: Permanently delete all your data (30-day processing)
- Export: Download a copy of your data in portable format
- Modify: Update or correct any information
- Disconnect: Revoke VA account access at any time
No Data Sharing
Your data is never sold, shared with third parties, or used for marketing. We don't monetize your data—our model is built on subscriptions, not surveillance.
No Third-Party Training
Your uploaded documents are never used to train our AI models. Our models are updated through structured, vetted legal and regulatory data, not your personal files.
Real-Time Monitoring
- Automated vulnerability scanning
- Intrusion detection systems
- API rate limiting and DDoS protection
- Error tracking with Sentry
- Performance monitoring
Incident Response Plan
We have a comprehensive incident response plan with:
- Automated detection and alerts
- Severity classification system
- Containment and eradication procedures
- Escalation and notification procedures for high-severity incidents
- Post-incident root cause analysis
Regular Security Audits
We conduct regular security audits, penetration testing, and code reviews to identify and address vulnerabilities proactively.
ValorAI isn't a Silicon Valley project chasing a quick exit. It's a mission-first platform built by veterans, for veterans. Every decision we make is filtered through one question: Would I trust this with my own file?
We're building ValorAI in the open. Veterans in our community help shape features, vet our decisions, and hold us accountable. You're not handing your data to a faceless app—you're joining a movement run by people like you.
Questions About Security?
If you have security concerns or questions, please contact us:
Email: support@tryvalor.ai
For security vulnerabilities, please include "SECURITY" in the subject line.
Last updated: 3/30/2026