Conceptual Health®
Command Center · Compliance posture

CIO · CISO · CCO · GC command

Real-time compliance posture.

Auto-refresh 60s · Live from /api/v1/compliance/dashboard

Overall weighted score

Reading live assessments across FISMA, HIPAA, SOC 2, ONC HTI-1, Privacy Act, Section 508, State Healthcare Law, State Emergency Powers, and FIPS 140-3 module validation.

Frameworks tracked
Controls passing
Open gaps

FIPS 140-3 cryptographic modules

module validation status across CH systems

AES-256-GCM · encryption at rest · FIPS approved
EncryptionManager (iOS Keychain + backend PostgreSQL TDE) · CryptoKit on Apple, OpenSSL FIPS provider on Linux
TLS 1.3 (RSA-2048 / ECDSA-P256) · transport · FIPS approved
nginx + Let's Encrypt certs · all *.conceptualhealth.com
HMAC-SHA3-512 (forward) + HMAC-SHA-256 (history) · audit chain signatures, per-row dispatch · FIPS approved
AuditLogger · chain-signed audit entries (3,295 entries live)
Argon2id · password hashing · SP 800-63B accepted
app/auth/password.py · users.password_hash · 64 MiB memory, 3 iterations
PBKDF2-SHA-256 (250 000 iters) · key derivation · FIPS approved
CH Authenticator vault key derivation (browser) · SP 800-132 compliant
RS256 (RSA-2048) · JWT signing · FIPS approved
app/auth/jwt_handler.py · session tokens (access + refresh + MFA)
HKDF-SHA-256 · key derivation for device-linking HMAC · FIPS approved
DeviceLinkingService · iOS multi-device account linking (per MEMORY.md)
HMAC-SHA-1 (TOTP) · MFA codes · RFC 6238 — legacy SHA-1 acceptable for TOTP per NIST SP 800-63B-3
CH Authenticator + GuardianOrb iOS Authenticator · 6-digit, 30s window

External audit calendar

upcoming required attestations

SOC 2 Type II
AICPA TSC 2017 (rev 2022)
scheduled · Window: H2 2026
HIPAA Security Risk Analysis
45 CFR 164.308(a)(1)(ii)(A)
annual · Q3 2026
FISMA Continuous Monitoring
NIST 800-53 Rev 5 / 800-137
continuous · always-on
ONC HTI-1 Real-World Testing
45 CFR 170.523(g)(2)
annual · Q4 2026
Section 508 / WCAG 2.1 AA review
29 USC 794d
biennial · Q2 2027
State emergency powers attestation
per-state DOH waiver filings
pending · on declaration

Open compliance gaps (highest priority first)

Framework · Priority · Gap · Status · Created