Where your data lives, how it is handled, who else touches it, what we are — and what we are not. Published at the level of honesty a vendor-management team can act on, without overstating certifications we do not hold.
VitaCoreX LLC is a US-based firm established 2025. This page is written so procurement can evaluate us accurately — not so we can claim certifications we have not earned. Items marked “on request” are real artifacts we will send to a named procurement contact under mutual NDA.
Where your documents go and how they are protected end-to-end.
How long we keep material, what triggers destruction, and what you receive at the end.
Documents retained for the engagement duration plus a 30-day stabilization window after close. During this window, we remain reachable for clarification questions on deliverables.
Documents scheduled for destruction 90 days after engagement close, unless the operator requests extended retention in writing. Invoices and tax records retained 7 years per US standard.
A written request accelerates destruction to a 7-day clock. Certificate of destruction is issued on completion, listing what was destroyed and the method used.
Where we worked inside operator systems, no destruction action is needed on our side — the operator already controls the data path. Our access is revoked at engagement close.
Third-party services that touch engagement data, stated at the category level. The specific vendor list is shared on vendor-onboarding review or in the MSA.
Change notice: a named procurement contact will receive 30-day written notice before any new sub-processor that touches client data is added.
Exactly which frameworks apply to VitaCoreX, and exactly which ones do not.
VitaCoreX is not a Covered Entity. It is not operating as a Business Associate by default — most healthcare engagements keep Protected Health Information inside the operator’s own environment, with VitaCoreX working in their systems. Where an engagement does require PHI to cross into our environment, a Business Associate Agreement (BAA) is executed before that transfer.
VitaCoreX is not a debt collector as defined by the FDCPA. We do not take assignment of debt, do not collect on our own behalf, and do not engage in collection activity under our name. Pre-collection work is the operator’s own AR — their own documents, their own escalation thresholds, executed under their identity. FDCPA / Reg F / Florida FCCPA are referenced as workflow guardrails, not applicable-statute.
Where an engagement involves financial-customer data under GLBA coverage, VitaCoreX operates under the operator’s Information Security Program and Safeguards Rule implementation, with our staff acting as authorized personnel inside that program.
CCPA / CPRA (California), VCDPA (Virginia), CPA (Colorado), CTDPA (Connecticut), UCPA (Utah) — data subject requests are routed through the operator, who owns the consumer relationship. VitaCoreX supports the operator’s response and does not receive direct DSR traffic.
VitaCoreX LLC is registered in Florida, operates from Tampa, and follows Florida Consumer Collection Practices Act (FCCPA) as a workflow reference. VitaCoreX is not a licensed consumer collection agency — engagement scope is pre-collection recovery infrastructure, not licensed collection activity.
What happens on day zero, day one, and day fourteen if something goes wrong.
Access isolated, affected engagement data scoped, director notified. No public disclosure until scope is confirmed.
Each operator with data in the confirmed scope receives written notice within 72 hours of incident confirmation, including what happened, what data category was affected, and the current containment state.
Remediation steps executed, root cause documented, post-mortem delivered to affected operators within 14 days. If statutory notification applies (state breach laws), we coordinate with the operator’s counsel on the statutory path.
A tabletop incident-response drill is run annually, stated honestly at our firm size — procurement teams comparing us to a SOC 2 Type II vendor should adjust expectations accordingly.
What we will send to a named procurement contact under mutual NDA within two business days of request.
Published so procurement does not have to guess. If a certification or legal category is not listed here, we do not hold it and will not claim it in an RFP response.
For any item marked “on request” above, open a named-contact vendor-onboarding thread and the artifact pack is sent within two business days under mutual NDA. For engagement-scoping conversations, structured intake is the faster path.
