Security & Compliance

The biometric never leaves the device.

VisitLock was designed by people who've sat across the table from a state Medicaid integrity director. The architecture answers the question they actually ask: where does the biometric live, and what happens if you're breached?

The unlock signature

Three keys. One token. No biometric in motion.

Every verified visit is signed by the convergence of three independent keys. None of them is the aide's biometric template — that template never leaves the phone.

01

Device Key

A keypair generated in the phone's secure enclave at enrollment. Bound to one device, one aide.

02

Location Key

A signed geofence assertion. Includes anti-spoof, accuracy, and timing metadata.

03

Biometric Match

An on-device match score. The score is signed. The template is not transmitted.

All three signatures must converge. The result is a cryptographic visit token that an auditor can verify five years later — without ever seeing a face.

Compliance posture

What we hold ourselves to.

HIPAA

Business Associate Agreement standard with every customer. Administrative, physical, and technical safeguards mapped to the Privacy and Security Rules.

45 CFR § 164

BIPA-Safe Architecture

Biometric templates are generated and stored on-device, never transmitted to our servers. We don't possess biometric data — so it can't be breached, sold, or subpoenaed from us.

740 ILCS 14 · Texas CUBI · WA HB 1493

21st Century Cures Act EVV

All six required EVV elements captured, plus cryptographic identity binding. Submission directly to state aggregators or via Sandata, HHAeXchange, Tellus, and Therap.

42 U.S.C. § 1396b(l)

SOC 2 Type II

Type I report complete. Type II audit window opened with our auditor of record. Final report expected Q4 2026. Customers under NDA may review the in-progress evidence package.

AICPA TSC 2017

Encryption

AES-256 at rest. TLS 1.3 in transit. Mobile keys generated and held in iOS Secure Enclave or Android StrongBox.

FIPS 140-2 modules

Data Residency

All PHI processed and stored in U.S.-region cloud (AWS us-east-1, us-west-2). Multi-region replication with audited disaster recovery.

RPO 15min · RTO 4hr

For your security review

A trust pack your CISO will actually read.

Architecture diagrams, sub-processor list, penetration test summaries, breach response plan, BAA template, and SOC 2 evidence (under NDA). Sent within 24 hours of request.
