Deployment Models
Same protocol. Four shapes.
CH VPN deploys four ways. Each preserves the wire format, the authority protocol, and the audit chain. What changes is who runs the authority and how the network terminates.
Bundled
With the clinical software.
The default for any clinic on Conceptual Healthcare. Patient and clinician clients are pre-provisioned at account creation. The tenant gets an isolated authority slot in CH's managed corporate plane. BAA is covered by the Conceptual Healthcare parent agreement.
Per Clinic
Add-on for independents.
For clinics not on Conceptual Healthcare. Tenant-isolated authority, up to four clinic hub nodes, BAA included. Provisioned by the CH operations team. Audit log is delivered to the clinic's storage on a 24-hour cadence.
Self-Hosted
On-prem authority.
Authority deployed inside the customer's perimeter. Custom rotation policies. Audit chain stored locally. Optional air-gapped operation for sensitive environments. CH provides a reference deployment; the customer operates it.
Federal
FIPS 140-3 path.
Validated FIPS crypto module (AES-256-GCM, P-384 ECDH, SHA-384, HKDF-SHA-384). Dedicated authority cluster. FedRAMP roadmap. SOC 2 Type II target Q3 2026. Engagement begins with a security review.
Provisioning
What gets installed.
Each deployment shape installs the same underlying components. The differences are in topology, ownership, and policy.
Operations
What we observe.
Per-tunnel metrics, GlitchTip error stream, HMAC-chained audit log. Operations runbooks ship with every deployment. On-call escalation paths are configured during provisioning.