Built to be checked — not taken on faith.

The whole system runs on synthetic data with no protected health information, and automated tests fail the build if a PHI-shaped field ever appears.

An input boundary in code refuses every PHI crossing — its allowed state stays false even with all environment locks set true. The first real crossing is a deliberate, out-of-band approval, never a flag in the repository.

Every consequential action is recorded, keyed by a per-request correlation ID, storing allowlisted metadata only — never request bodies, emails, or tokens.

Permissions are checked on every route by the server, not just hidden in the UI. Tokens are short-lived with rotating refresh; query-parameter token auth is rejected.

A redaction filter is the required last step on the assistant and résumé seams, masking SSNs, emails, phones, labelled MRN/member/policy numbers, and secret shapes — and it fails closed.

The required integration design has your side mint an HMAC-keyed pseudonym before transmission, so raw record numbers never travel to us. This is a contract in our production-PHI plan — the shape we build toward, not yet shipped — so we mark it planned.