
This page is the workflow procurement teams ask for when they say “walk us through what actually happens.” NDA sequencing, BAA/DPA pre-conditions, portal provisioning, per-matter file handling, active-engagement cadence, signed delivery, and retention-on-close — published so your vendor-management review can tick through it without waiting on email.
You are a procurement, security, or privacy reviewer assembling a vendor file on VitaCoreX. This page is the operational companion to Security & Compliance (posture) and Sub-processors & DPA (vendor list). Read those for controls and named vendors. Read this for the ordered protocol — who does what, when.
VitaCoreX publishes three procurement-facing pages. Use them together; each answers a different vendor-file question.
Data residency, encryption standards, access model, regulatory boundaries (HIPAA / FDCPA / GLBA), incident response, what VitaCoreX is and is not. The control-surface page.
Named third parties that may process engagement data, their role and jurisdiction, and the DPA clauses we commit to in writing. The vendor-list page.
The step-by-step protocol that ties those controls to a real engagement — NDA first, then BAA/DPA if the matter needs it, then portal, then file exchange, then delivery, then retention. The walkthrough page (this page).
Coordination starts with a named-contact thread, not a generic inbox. This keeps later controls — access grants, notifications, revocations — tied to a specific person who can sign on your side.
The NDA is the gate to every later step. We keep our template short, mutual, and redline-friendly.
Our mutual-NDA template (two pages, plain-English) is sent to the named contact, or your template is acknowledged and a redline window is set.
Typical redline turnaround is one business day. We accept DocuSign, Adobe Sign, or a PDF with wet-ink signatures from the named contact on each side.
Once the NDA is executed, portal provisioning (Step 4) begins the same business day. The countersigned PDF is returned to your named contact for your file.
Procurement teams with an enterprise NDA template: send yours; we sign your template directly where the terms are reasonable, or we redline once and return.
BAA and DPA are not default-on. They attach when the engagement scope triggers them.
A Business Associate Agreement is executed before any Protected Health Information crosses into VitaCoreX infrastructure. Where a healthcare engagement can be run inside your environment (our preferred pattern), a BAA is not required because PHI does not leave your systems — we operate as authorized personnel under your own HIPAA program.
A Data Processing Addendum attaches to the Master Services Agreement where engagement scope includes GLBA-covered customer data, CCPA / CPRA consumer data, or equivalent state categories. The DPA text is published in summary form on the Sub-processors & DPA page; the full exhibit is countersigned alongside the MSA.
For engagements that do not touch PHI or regulated consumer data — corporate contracts, vendor paperwork, internal recovery workflows — the NDA plus MSA is sufficient. We do not paper in a BAA or DPA where scope does not justify it; doing so would misrepresent what the engagement actually covers.
If scope expands mid-engagement into a category that triggers BAA or DPA, work is paused, the addendum is executed, and work resumes. Scope changes are never quietly absorbed.
The channel we use depends on the engagement’s sensitivity tier: it is matched to the work, not marketed as one-size-fits-all.
What happens to a file between the moment you upload it and the moment we deliver the signed output.
Every upload lands in a staging folder inside the engagement’s dedicated space. A checksum (SHA-256) is captured at ingest and stored with the file so tampering would be detectable.
The engagement lead triages uploads against the file manifest, moves accepted items to the working folder, and flags anything missing or out of scope on the thread.
Deliverable drafts live as versioned files (v1, v2, v-final) so the audit trail is preserved. Original source documents are never modified — only copies are worked on.
Deliverables are released with a signed artifact and a manifest listing what was produced, what source files it derived from, and the delivery date. See Step 7 for chain-of-custody detail.
Uploads over 200 MB: we prefer SFTP or a one-time encrypted-link drop rather than email attachments. The staging-folder contract is identical.
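The ingest checksum and manifest check described above can be reproduced on the reviewer's side. The following is an added example, not VitaCoreX's own tooling; the function names, the in-memory manifest layout (relative path mapped to SHA-256 hex digest) and the sample files are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file so large uploads are hashed without loading them into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def ingest(staging: Path) -> dict[str, str]:
    """Record a digest for every file at ingest: {relative path: sha256 hex}."""
    return {p.relative_to(staging).as_posix(): sha256_file(p)
            for p in sorted(staging.rglob("*")) if p.is_file()}


def verify(folder: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare a folder against the ingest manifest and classify every difference."""
    current = ingest(folder)
    return {
        "modified": sorted(n for n in manifest if n in current and current[n] != manifest[n]),
        "missing": sorted(n for n in manifest if n not in current),
        "unlisted": sorted(n for n in current if n not in manifest),
    }


def demo() -> dict[str, list[str]]:
    """Constructed sample: three uploads, then one edit, one deletion, one stray file."""
    with tempfile.TemporaryDirectory() as tmp:
        staging = Path(tmp)
        (staging / "contract.pdf").write_bytes(b"constructed sample contract")
        (staging / "ledger.csv").write_bytes(b"id,amount\n1,100\n")
        (staging / "notes.txt").write_bytes(b"constructed sample notes")
        manifest = ingest(staging)
        (staging / "ledger.csv").write_bytes(b"id,amount\n1,900\n")  # altered after ingest
        (staging / "notes.txt").unlink()                             # removed after ingest
        (staging / "extra.docx").write_bytes(b"not in manifest")     # added after ingest
        return verify(staging, manifest)


if __name__ == "__main__":
    print(demo())
```

A digest only detects tampering if the manifest is held where someone able to alter the files cannot also rewrite it, so keep the reviewer's copy outside the staging folder or verify it against a signed delivery manifest.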
Status updates, clarification channel, and change-control expectations during active work.
How signed deliverables leave our environment and land in yours, with an audit trail you can file.
What happens to your files after we deliver — and for how long we stay reachable.
We stay reachable for clarification questions on the delivered artifact for 30 days post-close, on the same named-contact thread, at no additional fee. Files remain in place during this window.
Files move to encrypted cold storage. Access is no longer possible from the engagement portal; retrieval requires a written request from the named contact and an engagement-lead action.
Default: destruction on day 90 after engagement close, unless extended retention is requested in writing. Invoices and tax records are retained for 7 years per US standard — file contents are not.
A written early-destruction request accelerates the clock to 7 days. A certificate of destruction is issued: files destroyed, method used, date of action, signed by the director.
Where we worked inside your systems, there is nothing on our side to destroy. At engagement close, our access is revoked; the data path was yours throughout.
Post-engagement or mid-engagement compliance questions — data subject requests, breach-coordination, audit assists — route through the director’s line and are acknowledged within one business day.
This page describes the operational reality, not marketing. A few qualifiers procurement should weigh when scoring us against larger vendors.
Open a named-contact thread. The NDA goes out within four business hours, and Steps 1–8 above are executed in the order published. For procurement artifacts (W-9, COI, MSA template, BAA/DPA text), the vendor-onboarding pack ships the same way.