Built to handle PHI responsibly.

Every case is row-level-security scoped in Postgres: a user can only read or write their own cases, or cases in a facility they belong to. Facility membership is role-based (clinician, coordinator, director, admin), enforced in the database, not just the UI.

All traffic is TLS-encrypted. Case data is stored in Postgres with encryption at rest. Vigil holds no card data — payments run through Stripe.

An append-only, tamper-evident access log records who created, edited, exported, or recorded an outcome on a case, and when. The log cannot be altered or deleted, and is visible to facility administrators. No PHI is stored in the log itself.

When a case grounds a chat answer, only de-identified clinical fields (procedure, age range, ASA, weight) are sent — never name, MRN, or date of birth. PHI is never sent to third-party language models.

The personal OR board is on-device and purges completed cases after 24 hours, holding no PHI. Facility records retain only the perioperative fields needed for the workflow, on a configurable retention schedule.

For facilities handling PHI, Vigil executes a BAA before go-live and operates on BAA-covered infrastructure. SSO and exportable audit reports are available for institutional deployments.