Trust at a glance

Architecture

Metadata-only. No PHI touches Tessara infrastructure.

HIPAA architecture →

Continuous evidence

Audit-log hash chain. Signed verdicts. Independently re-verifiable.

FHIR alignment matrix →

Independence

No platform-vendor entanglements. Patent-pending detection methodology — Tessara doesn't resell another vendor's stack.

Open methodology

Drift detection methodology published. Re-runnable by any third party against the same public FHIR endpoints.

Drift Index Q3 2026 →

Sub-processor list

Tessara discloses every external service that processes customer data or supports our production stack. This list updates within 5 business days of any sub-processor change. Tessara does not warrant third-party compliance posture — each vendor's Trust portal link below points to that vendor's own authoritative disclosure.

| Processor | Purpose | What it touches | Region · Trust portal |
| --- | --- | --- | --- |
| Vercel | Website + dashboard hosting | Marketing-site HTTP requests, dashboard SSR (no PHI; verdict metadata only) | United States · Trust portal → |
| Cloudflare | CDN, DNS, and Turnstile bot-verification | Edge-cached static content + contact-form challenge verification | Global edge · Trust portal → |
| Upstash | Serverless Redis for rate-limiting | Per-IP request counters for the contact form and mock auth endpoints (no message content stored; counters only) | United States · Trust portal → |
| Resend | Transactional email delivery | Outbound contact-form notifications + sender-domain DNS | United States · Trust portal → |
| GitHub | Source repository hosting | Codebase only — no production data, no customer data | United States · Trust portal → |
| Plausible Analytics | Privacy-first marketing-site analytics | Anonymized page-view counts for tessara.us only. No cookies, no cross-site tracking, no PII. Dashboard pages excluded. | European Union · Trust portal → |
| Google Analytics | Marketing-site analytics (campaign attribution) | Aggregated tessara.us traffic patterns. No PHI; product dashboard pages excluded from instrumentation. | United States · Trust portal → |
| modernc.org/sqlite | Embedded SQLite driver (pure-Go) | In-process database driver; no external network calls | N/A (in-process library) · In-process library (no service) |

More to be added as Tessara onboards integrations. Tessara will update this list within 5 business days of any sub-processor change. Material changes (new region, new data category) trigger advance notice to contracted customers per the DPA.

Security artifacts

  • /.well-known/security.txt — RFC 9116 vulnerability disclosure policy and security contact.
  • /compliance — HIPAA compliance architecture, SOC 2 posture, FHIR alignment matrix.
  • /about/vendor-risk — vendor-risk and on-premises deployment details.
  • /resources/procurement — procurement packet (executive summary, security questionnaire, DPA template).
  • DPA template — Data Processing Agreement. BAA available on Enterprise contracts (request via security@tessara.us).

Status

Public status page is being provisioned ahead of first pilot. In the interim, report incidents to security@tessara.us — acknowledgement target is one business day.

Security inquiries

Need a specific certification, a custom DPA, or to file a coordinated disclosure? Reach the security team directly.