VetDeck compliance
For veterinary clinic operators. What we ship, what is available on request, and what we explicitly do not claim.
VetDeck is a veterinary practice management product. HIPAA does NOT apply to animal-only data, but if the practice captures human PHI tied to a medical claim (for example an owner's phone number collected for medical follow-up), we treat that field as PHI and route it through the BAA-protected path.
Scope of data
What this product processes when you operate it as intended:
- Animal records (species, breed, weight, vaccination history)
- Owner contact info
- Appointment reminders and recall messaging
- Invoice and payment metadata (via Stripe)
Animal-data scope
Veterinary records do not fall under HIPAA, but state veterinary boards regulate retention and confidentiality.
- Records retained at least 3 years (typical state minimum) and configurable up to 10.
- Controlled-substance log fields (DEA-tracked drugs) are immutable by application policy; tampering surfaces in the audit log.
- Vaccination certificates exportable as signed PDFs for licensing/board inspections.
Access control
Workspace isolation, MFA, and password-reset hygiene apply across all tiers.
- Workspace data scoped by row-level checks; admin operations require an MFA-backed session.
- Engineering production access is hardware-key MFA, ticketed, and logged.
- Account password reset round-trips through email and invalidates all prior sessions.
Transport + monitoring
What every customer gets, every product, by default.
- TLS 1.2+ everywhere, HSTS preload-eligible (`max-age=31536000; includeSubDomains; preload`).
- Edge rate-limiting on the auth, intake, quote, and onboarding endpoints, plus global write quotas (caddy-ratelimit).
- Synthetic monitor every 5 minutes; two-strike paging on Telegram + SMS.
PCI-DSS (SAQ-A scope)
Because card data is fully outsourced to Stripe-hosted forms, we are scoped under SAQ-A — the minimum-scope self-assessment questionnaire. We do not maintain a Cardholder Data Environment.
- Card data never touches our servers — we use Stripe Checkout and the Stripe Customer Portal.
- Stripe webhook signatures are HMAC-verified server-side with a per-endpoint signing secret.
- Subscription billing, dunning, refunds, and tax run inside Stripe; we never store full PANs or CVVs.
Privacy + consumer rights
Any individual whose data we process can request access, correction, or deletion at support@brainiacstechsolutions.com. We honor the Global Privacy Control (GPC) signal as a CCPA/CPRA opt-out automatically.
- California (CCPA/CPRA): access, deletion, correction, opt-out of sale/share, limit-use of sensitive PI. We do not sell or share data for cross-context behavioral advertising.
- EU/UK (GDPR/UK-GDPR): access, rectification, erasure, restriction, portability, objection. DPA available at /dpa.
- Breach notification: 45 CFR §164.404 (HIPAA), Cal Civ §1798.82, GDPR Art. 33/34.
- Retention windows disclosed in /privacy.
Accessibility (WCAG 2.1 AA target)
We target WCAG 2.1 AA on all customer-facing surfaces and run an automated axe-core audit on every release. The audit currently reports 0 serious/critical findings across the public marketing pages.
- Skip-to-content link on every page.
- Keyboard-navigable forms with visible focus rings.
- Honors prefers-reduced-motion on transition components.
- Automated axe-core CI gate (bin/audit-a11y.ts) blocks regressions.
What we do not claim or provide
We list these explicitly so there is no ambiguity:
- We are NOT a controlled-substance prescribing platform.
- We do NOT submit pet-insurance claims to carriers; this is on the roadmap.
- We do NOT replace your obligation to your state veterinary board for record-keeping; we facilitate it.
Resources
Questions? Email sales@brainiacstechsolutions.com with subject "VetDeckcompliance". For BAA requests, use subject "BAA request" and include your legal entity name.