Pharos Auditor

Legal & Trust

Security Overview

Last reviewed: April 2026

Pharos Auditor is built to the same "gold standard" HIPAA posture as Pharos One. This page summarizes the controls most frequently requested during security review. For the full internal documentation set — HIPAA Policies, Risk Assessment, Failover Runbook, Pen-Test Schedule, Rotation — contact security@pharosventures.io under NDA.

Infrastructure

  • Google Cloud, us-central1 primary with us-east1 DR replica.
  • Cloud SQL PostgreSQL 15, private-IP only, regional HA, 30-day backups + 7-day PITR.
  • Cloud Run with INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER — no direct *.run.app access.
  • Memorystore Redis (HA tier, auth enabled) on the same private VPC.
  • Google Cloud BAA signed; covers Cloud Run, Cloud SQL, GCS, Vertex AI, Cloud Logging, Secret Manager.

Identity & access

  • Azure AD SSO with enforced MFA (TOTP or WebAuthn).
  • JWT-based sessions, 8-hour inactivity timeout, CSRF-safe same-site cookies.
  • Six role grades (CAE, Audit Manager, Senior, Staff, Viewer, External Reviewer) enforced at middleware and handler.
  • Account deprovisioning: Azure AD disable event fires an HMAC-signed webhook that revokes every active session within seconds.
  • Brute-force protection: rate limit + lockout after 5 failures in 15 minutes.

Data protection

  • TLS 1.2+ on every external endpoint (managed certificate).
  • Google-managed AES-256 encryption at rest by default; CMEK-ready via Terraform flag.
  • Application-layer PHI encryption on sensitive fields (AES-128-CBC + HMAC-SHA256, PBKDF2-derived key from SECRET_KEY).
  • Postgres Row-Level Security on every orgId table with FORCE ROW LEVEL SECURITY — the app user cannot bypass.

Network

  • Cloud Armor WAF: OWASP Top 10 rules, US-only geo-fence, 100 req/min/IP edge throttle.
  • Egress restricted to private ranges via VPC connector.
  • No public database or Redis exposure.

Audit & monitoring

  • Every PHI-touching action written to an append-only Postgres table (pharos_audit_log) with a trigger rejecting UPDATE/DELETE.
  • Every audit event also mirrored to Cloud Logging, routed to a Bucket-Lock'd GCS bucket with 7-year immutable retention — tamper-evident even against project owners.
  • Cloud Monitoring uptime checks + log-based alerts on failed logins, bulk exports, privilege escalations.

AI safety

  • All Claude calls go through Vertex AI (BAA-covered). The direct Anthropic API is disabled in production (FORCE_VERTEX=true; callAria fails closed if Vertex is unreachable).
  • Every Aria output is flagged aiGenerated: true in the database and surfaced in the UI.
  • Peer-AI consultations across Pharos products are consent-gated per request.

Testing & validation

  • Annual external network + authenticated application pen test.
  • Continuous dependency scan (npm audit --audit-level=high hard-fails CI).
  • Weekly CIS GCP benchmark via Security Command Center.
  • DR promotion drill every 6 months. RPO ≤ 5 min, RTO ≤ 15 min.

Attestations

  • SOC 2 Type I: in progress (target Q4 2026). Type II to follow.
  • HIPAA: BAA available on request for Business Associate customers.
  • ISO 27001: roadmap; not currently certified.

Responsible disclosure

Report vulnerabilities to security@pharosventures.io. We commit to acknowledgement within 48 hours and a remediation plan within 7 days for critical findings.