Company Stage Transparency

Tessara is a pre-revenue startup currently in pilot phase. We're transparent about this stage because we believe honesty builds trust with healthcare compliance buyers.

Risks

  • Vendor stability (early-stage company)
  • No SOC 2 certification yet (Type I engagement begins with first pilot revenue, target Q3 2026)
  • Limited customer references

Benefits

  • Direct influence on product roadmap
  • Pilot-phase pricing (significant discount)
  • White-glove support during pilot

Vendor Risk Mitigation Strategies

What if Tessara shuts down?
  • On-Premises Protection: Enterprise customers can deploy Tessara on-premises, eliminating vendor dependency for core monitoring functionality. Your data never leaves your infrastructure.
  • Source Code Escrow: Enterprise contracts include source code escrow provisions. If Tessara ceases operations, you receive the full source code to maintain the system independently.
  • Evidence Chain Portability: All conformance verdicts and evidence chains are stored in a standard SQLite database. You can export your complete audit trail at any time, so there is no vendor lock-in for historical data.
  • No Cloud Dependencies: Tessara is a single Go binary that calls no Tessara-operated cloud service. If we shut down, your on-premises deployment continues operating independently.
What's your current company stage?
Tessara is a pre-revenue startup currently in pilot phase. We're working with select healthcare payers to validate the product before broader market launch. Our technical implementation is production-grade:
  • 81.2% test coverage across 309 tests (0 failures)
  • Live-tested against 146 FHIR resource types (HAPI FHIR server)
  • 16 Category-1 drift findings detected in production data
  • Ed25519 cryptographic signatures for verdict integrity
We're early-stage as a company, which comes with both risks (vendor stability) and benefits (direct influence on product roadmap, pilot pricing).
What compliance certifications do you have?
No certifications have been issued yet. Planned (engagement begins at first pilot revenue):
  • SOC 2 Type I audit — Type I engagement begins with first pilot revenue (target Q3 2026); Type II observation begins immediately after Type I report issuance
  • HIPAA — Tessara operates a zero-PHI architecture (no PHI in product). BAA template available for procurement; Business Associate status reviewed case-by-case
Current Security Posture:
  • TLS 1.3 encryption for all data in transit
  • Ed25519 digital signatures for verdict integrity
  • SHA-256 Merkle trees for evidence chain verification
  • No PHI processing (metadata only: endpoint URLs, resource types, field names)
  • On-premises deployment option (no cloud dependency)
  • Air-gapped deployment supported for Enterprise customers
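The verdict signatures and Merkle-tree evidence chains listed above are what make the export portable: once you hold Tessara's Ed25519 public key, you can check an exported chain with no Tessara service involved. The Go program below is an added example written for this page, not Tessara's code. The page does not document the row schema, the row encoding, or how the tree handles an odd number of leaves, so the Evidence fields, the length-prefixed encoding, the RFC 6962-style 0x00/0x01 leaf and node prefixes, the promote-the-odd-node rule and the sample rows are all assumptions. It signs a Merkle root over three constructed rows and shows that editing, reordering or dropping a row, or checking with the wrong key, fails verification.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Evidence is one exported evidence-chain row; its field set is an assumption for this example.
type Evidence struct {
	Endpoint, ResourceType, Field, Finding string // metadata only, no PHI
}

// encode length-prefixes every field so ("ab","c") and ("a","bc") hash differently.
func (e Evidence) encode() []byte {
	var out []byte
	for _, s := range []string{e.Endpoint, e.ResourceType, e.Field, e.Finding} {
		out = binary.BigEndian.AppendUint32(out, uint32(len(s)))
		out = append(out, s...)
	}
	return out
}

// Leaves and interior nodes get 0x00 / 0x01 prefixes (RFC 6962 convention) so an interior
// node cannot be passed off as a leaf. Assumed layout: the page does not specify the tree.
func leafHash(e Evidence) [32]byte {
	return sha256.Sum256(append([]byte{0x00}, e.encode()...))
}

func nodeHash(left, right [32]byte) [32]byte {
	return sha256.Sum256(append(append([]byte{0x01}, left[:]...), right[:]...))
}

// merkleRoot folds leaves pairwise; an unpaired node is promoted unchanged, not duplicated.
func merkleRoot(evidence []Evidence) ([32]byte, error) {
	if len(evidence) == 0 {
		return [32]byte{}, errors.New("empty evidence chain")
	}
	var level [][32]byte
	for _, e := range evidence {
		level = append(level, leafHash(e))
	}
	for len(level) > 1 {
		var next [][32]byte
		for i := 0; i+1 < len(level); i += 2 {
			next = append(next, nodeHash(level[i], level[i+1]))
		}
		if len(level)%2 == 1 {
			next = append(next, level[len(level)-1])
		}
		level = next
	}
	return level[0], nil
}

// signVerdict is the vendor-side step (included so the example runs end to end): Ed25519 over the root.
func signVerdict(priv ed25519.PrivateKey, evidence []Evidence) (root [32]byte, sig []byte, err error) {
	if root, err = merkleRoot(evidence); err != nil {
		return root, nil, err
	}
	return root, ed25519.Sign(priv, root[:]), nil
}

// verifyVerdict is the customer-side check: recompute the root from the exported rows, compare
// it with the signed root, then check the signature. Only the vendor's public key is needed.
func verifyVerdict(pub ed25519.PublicKey, root [32]byte, sig []byte, evidence []Evidence) error {
	got, err := merkleRoot(evidence)
	if err != nil {
		return err
	}
	if got != root {
		return errors.New("evidence does not match signed root: row altered, reordered, added or removed")
	}
	if !ed25519.Verify(pub, root[:], sig) {
		return errors.New("signature invalid for this public key")
	}
	return nil
}

// sampleChain is constructed test data, not real findings.
var sampleChain = []Evidence{
	{"https://example.org/fhir", "Patient", "name", "required field missing"},
	{"https://example.org/fhir", "Claim", "provider", "cardinality 1..1 violated"},
	{"https://example.org/fhir", "Coverage", "beneficiary", "reference type drift"},
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	chain := append([]Evidence(nil), sampleChain...)
	root, sig, _ := signVerdict(priv, chain)
	fmt.Println("untampered export:", verifyVerdict(pub, root, sig, chain))
	chain[1].Finding = "no finding" // quietly downgrade a finding after export
	fmt.Println("edited row:", verifyVerdict(pub, root, sig, chain))
}
```

It runs with go run and needs nothing beyond the Go standard library (Go 1.19 or later for binary.BigEndian.AppendUint32). Two things to settle during the pilot: obtain and pin Tessara's public key alongside the escrow material rather than fetching it from a service that may be gone when you need it, and confirm the production row encoding and tree layout, since a verifier that disagrees with either detail rejects valid exports.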
We're actively pursuing compliance certifications and will update this page as they're achieved.
How do you handle security vulnerabilities?
We maintain a responsible disclosure policy; report issues to security@tessara.us. Reports are triaged by severity and patched on the schedule below (critical within 24 hours, high within 48 hours). All customers are notified of security updates via email; because on-premises deployments have no phone-home behavior, that notification is your cue to pull and redeploy the updated binary.
Vulnerability Severity Classification:
  • Critical: Patch within 24 hours, emergency notification
  • High: Patch within 48 hours, email notification
  • Medium: Patch within 7 days, next release notes
  • Low: Patch within 30 days, next release notes
What data do you collect?
SaaS Deployment:
  • FHIR endpoint URLs (e.g., https://example.org/fhir)
  • Resource type names (e.g., Patient, Claim, Coverage)
  • Field names and cardinality constraints (e.g., "name" field required)
  • Drift findings metadata (category, severity, regulatory citation)
  • No patient health information (PHI)
  • No authentication credentials (you provide API keys via environment variables)
On-Premises Deployment:
  • Zero data leaves your infrastructure
  • All evidence chains stored in your SQLite database
  • No telemetry, no phone-home behavior
Can I audit the source code?
Yes. Enterprise customers receive source code access for security audits. We support:
  • White-box security assessments (full source code review)
  • Penetration testing against on-premises deployments
  • Third-party security audits (NDA required)
Tessara is built in Go; its only dependency beyond the Go standard library is SQLite. The entire codebase is ~5,000 lines of code, which makes a full review feasible.
What's your disaster recovery plan?
SaaS Customers:
  • Daily encrypted backups to AWS S3 (multi-region)
  • Restore from the most recent backup typically completes within 15 minutes
  • RTO (Recovery Time Objective): 1 hour
  • RPO (Recovery Point Objective): 24 hours, matching the daily backup cadence; changes made since the last backup can be lost
On-Premises Customers:
  • You control backups: all state is a single SQLite database file (snapshot it while the binary is stopped, or use SQLite's online backup, rather than copying the file while it is being written)
  • Evidence chain export available at any time
  • Binary is stateless: redeploying is a matter of restoring the database file and restarting the binary

Security & Compliance Status

  • SOC 2 Type I: engagement begins with first pilot revenue. Target: Q3 2026
  • HIPAA Posture: zero-PHI architecture; BAA template available. See /compliance for details
  • TLS 1.3 Encryption: all data in transit. Enabled
  • On-Premises Option: no cloud dependency. Available now
  • Ed25519 Signatures: cryptographic verification. All verdicts signed
  • Source Code Escrow: Enterprise contracts. Available now

Questions Not Answered Here?

If you have vendor risk or security questions not covered on this page, please reach out. We're committed to transparent communication with prospective customers.