Skip to main content

Trust

Vendor Readiness Register

Review the decision, evidence, boundaries, and next step for this route.

ForPeople conducting policy, privacy, security, or access review

FocusControls, ownership, evidence, and review paths

CONTROL RECORD

A policy names its scope, evidence state, limit, and correction path.

  1. 01Scope
  2. 02Owner
  3. 03Evidence state
  4. 04Review / correct
A published policy does not become technical enforcement or external assurance by itself.

operating · not an approved production vendor

Start a procurement conversation
Review security and data handling

Table — scroll horizontally to review every column.

Evidence familyCurrent stateWhat can be reviewed now
Company identity and public policiesDocumented for reviewApproved name/domain, privacy, cookies, accessibility, disclosures, contact paths
Delivery method and quality gatesDocumented for reviewHow-we-work method, calibrated delivery specimen, current quality policy
Security and data postureoperating / scope-dependentPublic posture, no-production-provider register, current access and healthcare-data standards
Insurance, tax, banking, contracting, sanctions, and jurisdiction recordsControlled diligence recordSupplied through the authorized diligence path when relevant to the engagement
External certifications, attestations, penetration tests, and client auditsNot held or not performedNo current SOC 2, ISO certification, HIPAA certification, client audit, or production penetration-test claim
BAA, DPA, subprocessors, hosting, data regions, retention, and incident commitmentsScope-specific diligenceThe signed scope and data-flow record identify the applicable providers, regions, retention, and incident duties

One scope, one accountable evidence set.

For a real engagement, the packet is assembled around the systems, data classes, environments, users, locations, subprocessors, access model, decision owners, acceptance gates, incident/escalation path, continuity, offboarding, retention/deletion, commercial terms, and required specialist reviews. A generic website statement never substitutes for that packet.

The packet's evidence-status table uses four states: documented now, available under approved private diligence, required before access, and not held or not applicable. “Available under NDA” appears only when the artifact exists and an authorized owner can actually provide it.

IT Modality does not claim HIPAA certification; HIPAA has no such certification. Healthcare work, if approved, uses HIPAA-trained, BAA-ready processes where the actual arrangement requires them. IT Modality does not claim ISO accreditation, SOC 2 attestation, external penetration-test completion, or blanket legal, regulatory, security, clinical, or procurement approval.

Bring the intended decision, data categories, systems, jurisdictions, access, timeline, and reviewer questions—never patient data, credentials, or confidential files through the public form.

Send a diligence question
Review the subprocessor register
Review healthcare data posture