Security & Compliance | VitaCoreX LLC

Section 1

Data handling.

Where your documents go and how they are protected end-to-end.

Data residency: US-only; All client data stored in US-based infrastructure
In-transit encryption: TLS 1.2+; All document transfer, API, and portal traffic
At-rest encryption: AES-256; Applied to stored documents and backups
Access model: Role-based + MFA; Named-user access, MFA required, activity logged

Engagement-level isolation: each client matter lives in a dedicated folder hierarchy with explicit access grants — not in a shared pool.
Operator-environment preferred: where an engagement’s sensitivity warrants it, VitaCoreX operates inside the operator’s own systems (no data leaves their environment).
No sale, sharing, or secondary use of client data. Engagement artifacts are used for engagement delivery only.
Production access is limited to the director and the specific engagement lead assigned to the matter.

Section 2

Retention and destruction.

How long we keep material, what triggers destruction, and what you receive at the end.

Active engagement: Documents retained for the engagement duration plus a 30-day stabilization window after close. During this window, we remain reachable for clarification questions on deliverables.
Post-engagement (standard): Documents scheduled for destruction 90 days after engagement close, unless the operator requests extended retention in writing. Invoices and tax records retained 7 years per US standard.
Early destruction on request: A written request accelerates destruction to a 7-day clock. Certificate of destruction is issued on completion, listing what was destroyed and the method used.
Operator-environment engagements: Where we worked inside operator systems, no destruction action is needed on our side — the operator already controls the data path. Our access is revoked at engagement close.

Section 3

Sub-processor posture.

Third-party services that touch engagement data, stated at the category level. The specific vendor list is shared on vendor-onboarding review or in the MSA.

Cloud storage and document hosting — US-based provider, SOC 2 Type II where available.
Email and transactional messaging — US-based provider with DKIM/SPF/DMARC enforcement.
Analytics and site performance — privacy-first configuration; no PII passed to analytics.
Payment processing — invoice-level only; payment cards are not stored by VitaCoreX.
AI-assisted workflow tooling (where enabled by engagement) — processing inside contracted enterprise plans; no training on client data.

Change notice: a named procurement contact will receive 30-day written notice before any new sub-processor that touches client data is added.

Section 4

Regulatory boundaries.

Exactly which frameworks apply to VitaCoreX, and exactly which ones do not.

HIPAA

VitaCoreX is not a Covered Entity. It is not operating as a Business Associate by default — most healthcare engagements keep Protected Health Information inside the operator’s own environment, with VitaCoreX working in their systems. Where an engagement does require PHI to cross into our environment, a Business Associate Agreement (BAA) is executed before that transfer.

FDCPA (Fair Debt Collection Practices Act)

VitaCoreX is not a debt collector as defined by the FDCPA. We do not take assignment of debt, do not collect on our own behalf, and do not engage in collection activity under our name. Pre-collection work is the operator’s own AR — their own documents, their own escalation thresholds, executed under their identity. FDCPA / Reg F / Florida FCCPA are referenced as workflow guardrails, not applicable-statute.

GLBA

Where an engagement involves financial-customer data under GLBA coverage, VitaCoreX operates under the operator’s Information Security Program and Safeguards Rule implementation, with our staff acting as authorized personnel inside that program.

State privacy laws

CCPA / CPRA (California), VCDPA (Virginia), CPA (Colorado), CTDPA (Connecticut), UCPA (Utah) — data subject requests are routed through the operator, who owns the consumer relationship. VitaCoreX supports the operator’s response and does not receive direct DSR traffic.

Florida-specific

VitaCoreX LLC is registered in Florida, operates from Tampa, and follows Florida Consumer Collection Practices Act (FCCPA) as a workflow reference. VitaCoreX is not a licensed consumer collection agency — engagement scope is pre-collection recovery infrastructure, not licensed collection activity.

Section 5

Incident response.

What happens on day zero, day one, and day fourteen if something goes wrong.

Hour 0–24: Containment and initial scope
Access isolated, affected engagement data scoped, director notified. No public disclosure until scope is confirmed.
Hour 24–72: Written notice to affected operators
Each operator with data in the confirmed scope receives written notice within 72 hours of incident confirmation, including what happened, what data category was affected, and the current containment state.
Day 3–14: Remediation and post-mortem
Remediation steps executed, root cause documented, post-mortem delivered to affected operators within 14 days. If statutory notification applies (state breach laws), we coordinate with the operator’s counsel on the statutory path.
Annual: Tabletop exercise
A tabletop incident-response drill is run annually, stated honestly at our firm size — procurement teams comparing us to a SOC 2 Type II vendor should adjust expectations accordingly.

Section 6

Procurement artifacts.

What we will send to a named procurement contact under mutual NDA within two business days of request.

IRS Form W-9 (signed, current year)
Certificate of Insurance (COI), with additional-insured language available on request
Mutual non-disclosure agreement, our template or redline of yours
Master Services Agreement template (our standard, with negotiable sections identified)
Data-handling attestation, signed, matching the posture on this page
Specific sub-processor list with vendor names and their current SOC reports where applicable
Reference contacts from comparable engagements, under operator permission
Business Associate Agreement (BAA), where a healthcare engagement requires PHI in our environment

Section 7

What VitaCoreX is not.

Published so procurement does not have to guess. If a certification or legal category is not listed here, we do not hold it and will not claim it in an RFP response.

Not SOC 2 certified. A firm our size and age does not have a completed SOC 2 Type II audit, and claiming one would be a false statement. Our posture on this page maps to SOC 2 control areas procurement can score against.
Not ISO 27001 certified. Same reasoning.
Not HITRUST certified. Same reasoning.
Not a HIPAA Covered Entity. Where PHI handling is required, a BAA is executed and scope is tightly defined.
Not a debt collector under the FDCPA. No assignment, no own-name collection activity.
Not a law firm. Legal strategy and legal advice remain with licensed counsel. This is a standing disclosure on every VitaCoreX page.
Not an auditor, CPA firm, or licensed financial advisor. Engagement scope is workflow, documentation, and operational discipline — not attestation, tax advice, or investment advice.

Ready to evaluate us for vendor onboarding.

For any item marked “on request” above, open a named-contact vendor-onboarding thread and the artifact pack is sent within two business days under mutual NDA. For engagement-scoping conversations, structured intake is the faster path.

Request vendor onboarding pack Open structured intake