Trust
Vendor Readiness Register
Review the decision, evidence, boundaries, and next step for this route.
ForPeople conducting policy, privacy, security, or access review
FocusControls, ownership, evidence, and review paths
CONTROL RECORD
A policy names its scope, evidence state, limit, and correction path.
- 01Scope
- 02Owner
- 03Evidence state
- 04Review / correct
operating · not an approved production vendor
Start a procurement conversation
Review security and data handling
Table — scroll horizontally to review every column.
| Evidence family | Current state | What can be reviewed now |
|---|---|---|
| Company identity and public policies | Documented for review | Approved name/domain, privacy, cookies, accessibility, disclosures, contact paths |
| Delivery method and quality gates | Documented for review | How-we-work method, calibrated delivery specimen, current quality policy |
| Security and data posture | operating / scope-dependent | Public posture, no-production-provider register, current access and healthcare-data standards |
| Insurance, tax, banking, contracting, sanctions, and jurisdiction records | Controlled diligence record | Supplied through the authorized diligence path when relevant to the engagement |
| External certifications, attestations, penetration tests, and client audits | Not held or not performed | No current SOC 2, ISO certification, HIPAA certification, client audit, or production penetration-test claim |
| BAA, DPA, subprocessors, hosting, data regions, retention, and incident commitments | Scope-specific diligence | The signed scope and data-flow record identify the applicable providers, regions, retention, and incident duties |
One scope, one accountable evidence set.
For a real engagement, the packet is assembled around the systems, data classes, environments, users, locations, subprocessors, access model, decision owners, acceptance gates, incident/escalation path, continuity, offboarding, retention/deletion, commercial terms, and required specialist reviews. A generic website statement never substitutes for that packet.
The packet's evidence-status table uses four states: documented now, available under approved private diligence, required before access, and not held or not applicable. “Available under NDA” appears only when the artifact exists and an authorized owner can actually provide it.
IT Modality does not claim HIPAA certification; HIPAA has no such certification. Healthcare work, if approved, uses HIPAA-trained, BAA-ready processes where the actual arrangement requires them. IT Modality does not claim ISO accreditation, SOC 2 attestation, external penetration-test completion, or blanket legal, regulatory, security, clinical, or procurement approval.
Bring the intended decision, data categories, systems, jurisdictions, access, timeline, and reviewer questions—never patient data, credentials, or confidential files through the public form.
Send a diligence question
Review the subprocessor register
Review healthcare data posture