Skip to main content
Security & Privacy

The safest data is data we never store.

Your medical records are the most sensitive thing you own. We built VA Claim Commander so that, in the self-serve tools, we never have to hold them in the first place — and the founder who designed it does security for a living.

We don't keep your records

In the self-serve tools, your uploaded records are parsed in your browser and used to build your documents in your session. They are not persisted on our servers afterward. “Start Over” clears everything. The safest data is data we never store.

Encrypted in transit and at rest

All traffic is encrypted in transit (TLS), and the limited data our infrastructure does hold is encrypted at rest by our hosting and database providers. That's the floor, not the headline — the headline is that we hold as little as possible.

No PII in our logs

We never write your personal or medical information to logs, error reports, or analytics. Diagnostics are scrubbed by design, so sensitive details can't leak through the back door.

Data minimization to the AI

When AI drafts a document, we send it only the specific fields that document requires — never your entire file. Less data moves, so there's less to expose.

When a real provider reviews your records

If you choose Commander Health for a provider-signed nexus letter, a licensed clinician has to actually review your records — so in that workflow your documents are handled server-side. That handling is governed by signed Business Associate Agreements (HIPAA) with our infrastructure providers, the same covered-entity-grade standard a clinic operates under.

In other words: the free self-serve tools are built to never holdyour records; the one path that genuinely needs to — a clinician signing a medical opinion — is wrapped in the strongest agreements available. You always know which one you're in.

Who designed this

A security architect who is also a 100% P&T veteran

Most companies this size, if they're lucky, have a security person somewhere on staff. At VA Claim Commander, security is the founder. Dr. Mike Robertsis a 100% Permanent & Total Air Force veteran who does information security for a living — a PhD in Information Systems Security and a senior security leadership role in the energy sector. He has even taught the material, as a Purdue University Global instructor in cybersecurity (Security+ and CISSP).

Founder credentials

  • • CISSP — Certified Information Systems Security Professional
  • • CISSP-ISSAP — Information Systems Security Architecture Professional
  • • CISM — Certified Information Security Manager
  • • CCIE-Security — Cisco Certified Internetwork Expert

That's why the architecture leads with not collectingyour data rather than just promising to guard it. When the person who designs the system has spent a career on how data gets breached, the first instinct is to make sure there's nothing there to breach.

VA Claim Commander is a verified Veteran-Owned Business, certified by the Texas Veterans Commission (VEP-099193).

“Encrypted at rest” isn't the same as safe

Plenty of tools will tell you they encrypt your data at rest. Read that carefully: it means they're keepingyour records — your whole file, indefinitely — and encrypting the pile. Encryption helps, but a stored hoard of veterans' medical records is still a target, and it's yours held on someone else's server.

We'd rather not hold it. The self-serve tools process what they need and let it go. Nothing to mine, nothing to sell, nothing to leak, nothing to hold hostage if you decide to leave. That's a structural choice, not a marketing line.

Built to be trusted with the hard stuff

Start your claim with tools designed by someone who protects sensitive data for a living — free, and built from your real evidence.

Start my claim →Read the full privacy policy

Not affiliated with or endorsed by the Department of Veterans Affairs. VA Claim Commander is not a VSO, law firm, or accredited representative.