Genomic Data Inventory & Re-identification Risk Assessment
Automated discovery, classification, and risk-scoring of genetic data assets across your systems. We scan for genomic file types (VCF, FASTQ, BAM, BED, PLINK), map data flows, quantify re-identification risk based on variant density, and produce a Genetic Data Asset Register with jurisdictional compliance mapping.
General-purpose compliance tooling does not classify genomic file types, assess SNP-level re-identification risk, or distinguish between formats with very different risk profiles (raw reads, genotype matrices, and interval annotations are not the same exposure). This is a technical problem, not a paperwork exercise.
- Genetic data asset register — what you have, where it lives, what risk it carries
- Re-identification risk quantification (roughly 30–80 statistically independent SNPs are enough to uniquely identify one person)
- Multi-jurisdictional compliance mapping (HIPAA, MODPA, GINA, NIH GDS, Common Rule)
- Annual monitoring retainer — re-assess as regulations and data assets change
Best for: Academic medical centers, biobanks, NIH-funded research institutions, DTC genetic testing companies, and biotech firms that need to know what genetic data they hold and what rules apply to it.
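The discovery-and-scoring step described above, as an added example that is not the firm's own tooling: it fingerprints each file by content rather than extension (the same .bed extension covers UCSC interval files and PLINK binary genotype files, which carry very different risk), transparently inflates gzip/BGZF input so .vcf.gz and BAM are handled, and scores VCFs by counting SNV records with a non-reference call against the 30/80 thresholds quoted above. The risk model is a deliberate simplification: it assumes independent, common SNPs, whereas linked markers count for less and rare alleles for more. Format signatures follow the public specifications; all sample inputs are constructed.

```python
"""Added example, not the firm's tooling: content-based classification of genomic files
and a simplified SNP-count re-identification score (30/80 are the page's thresholds)."""
import gzip
import io
from dataclasses import dataclass
from typing import Optional

SNP_UNIQUE_LOW, SNP_UNIQUE_HIGH = 30, 80      # 30-80 independent SNPs identify one person
PLINK_BED_MAGIC = b"\x6c\x1b"                 # PLINK binary genotypes; byte 3 is 0x01 or 0x00
GZIP_MAGIC, BAM_MAGIC = b"\x1f\x8b", b"BAM\x01"

STATIC_RISK = {  # formats whose risk follows from the format itself, not from a count
    "BAM": ("identifying", "raw reads: genotype recoverable by alignment; treat as identifiable"),
    "FASTQ": ("identifying", "raw reads: genotype recoverable by alignment; treat as identifiable"),
    "PLINK-BED": ("identifying", "binary genotype matrix; variant count is in the companion .bim"),
    "UCSC-BED": ("low", "interval annotations, no genotypes; shares the .bed extension with PLINK"),
}

@dataclass
class Finding:
    fmt: str
    risk: str                 # low | elevated | identifying | unknown
    snp_count: Optional[int]  # VCF only
    note: str

def _inflate(data: bytes) -> bytes:
    """Transparently decompress gzip/BGZF input (.vcf.gz, BAM); pass other data through."""
    if data[:2] != GZIP_MAGIC:
        return data
    try:
        with gzip.GzipFile(fileobj=io.BytesIO(data)) as gz:
            return gz.read()
    except (OSError, EOFError):
        return b""

def _is_bed_row(line: str) -> bool:
    cols = line.split("\t")
    return len(cols) >= 3 and cols[1].isdigit() and cols[2].isdigit()

def classify(data: bytes) -> str:
    """Detect the format from content; never trust the file extension."""
    data = _inflate(data)
    if data[:4] == BAM_MAGIC:
        return "BAM"
    if data[:2] == PLINK_BED_MAGIC and len(data) > 2 and data[2] in (0, 1):
        return "PLINK-BED"
    try:
        lines = data.decode("ascii").splitlines()
    except UnicodeDecodeError:
        return "unknown"
    if lines and lines[0].startswith("##fileformat=VCF"):
        return "VCF"
    if len(lines) >= 4 and lines[0][:1] == "@" and lines[2][:1] == "+" and len(lines[1]) == len(lines[3]):
        return "FASTQ"
    body = [l for l in lines if l and not l.startswith(("track", "browser", "#"))]
    return "UCSC-BED" if body and all(map(_is_bed_row, body)) else "unknown"

def count_vcf_snps(text: str) -> int:
    """Count SNV records in which at least one sample carries a non-reference allele."""
    n = 0
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        cols = line.split("\t")
        if len(cols) < 8 or len(cols[3]) != 1 or any(len(a) != 1 or a == "." for a in cols[4].split(",")):
            continue  # malformed, indel, symbolic allele, or no ALT: not an SNP
        if len(cols) >= 10 and cols[8].split(":")[0] == "GT":  # GT is always the first FORMAT key
            alleles = [a for s in cols[9:] for a in s.split(":")[0].replace("|", "/").split("/")]
            if all(a in ("0", ".") for a in alleles):
                continue  # every sample is hom-ref or missing
        n += 1
    return n

def assess(data: bytes) -> Finding:
    data = _inflate(data)
    fmt = classify(data)
    if fmt in STATIC_RISK:
        return Finding(fmt, STATIC_RISK[fmt][0], None, STATIC_RISK[fmt][1])
    if fmt != "VCF":
        return Finding(fmt, "unknown", None, "not a recognised genomic format; review manually")
    n = count_vcf_snps(data.decode("ascii"))
    risk = "identifying" if n >= SNP_UNIQUE_HIGH else "elevated" if n >= SNP_UNIQUE_LOW else "low"
    return Finding(fmt, risk, n, "SNV records with a non-reference call; assumes independent, common SNPs")

def build_register(files: dict) -> dict:
    """Genetic data asset register: file name -> Finding."""
    return {name: assess(data) for name, data in files.items()}

def make_vcf(n_snvs: int) -> bytes:
    """Constructed single-sample VCF with n heterozygous SNVs (fixture, not real data)."""
    head = "##fileformat=VCFv4.2\n#CHROM\tPOS\tID\tREF\tALT\tQUAL\tFILTER\tINFO\tFORMAT\tS1\n"
    return (head + "".join(f"1\t{1000 + i}\t.\tA\tG\t50\tPASS\t.\tGT\t0/1\n" for i in range(n_snvs))).encode()

# Constructed sample corpus (not real data).
SAMPLE_FILES = {
    "cohort.vcf": make_vcf(2) + (
        "1\t3000\t.\tG\tA\t50\tPASS\t.\tGT\t0/0\n"    # hom-ref: not counted
        "1\t4000\t.\tAT\tA\t50\tPASS\t.\tGT\t1/1\n"   # indel: not counted
        "2\t5000\t.\tT\tC\t50\tPASS\t.\tGT\t1|1\n"    # phased hom-alt SNV: counted -> 3 total
    ).encode(),
    "cohort.vcf.gz": gzip.compress(make_vcf(100)),            # compressed VCF, 100 SNVs
    "reads.fastq": b"@read1\nACGTACGT\n+\nIIIIIIII\n",
    "aligned.bam": gzip.compress(BAM_MAGIC + b"\x00" * 16),   # minimal stand-in for a BGZF BAM
    "gwas.bed": PLINK_BED_MAGIC + b"\x01" + b"\xaa" * 8,      # PLINK genotype file, SNP-major
    "peaks.bed": b"track name=peaks\nchr1\t100\t200\tpk1\nchr1\t400\t600\tpk2\n",  # UCSC intervals
    "notes.txt": b"lab meeting notes\n",
}
```

Running `build_register(SAMPLE_FILES)` yields the register: the two .bed files land in opposite risk tiers despite the shared extension, the raw-read formats are flagged identifying without any counting, and the plain VCF scores low (3 SNVs) while its 100-SNV compressed sibling scores identifying.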
Multi-Jurisdictional Compliance Program Design
A single genetic test result can simultaneously be subject to HIPAA, GINA (Titles I and II), MODPA, the Maryland Genetic Information Privacy Act, the Common Rule, and state privacy laws in every jurisdiction where your data subjects reside. These regulations have conflicting definitions of “genetic information,” conflicting consent frameworks, and conflicting de-identification standards.
We design unified compliance programs that resolve these conflicts — operationalizing the rules into data handling procedures, access controls, and consent management workflows. Software engineering, not just policy documents.
- Unified compliance framework spanning all applicable genetic data regulations
- Data handling procedures, access controls, and consent management workflows
- Gap analysis against current practices
- Quarterly regulatory monitoring and program updates as laws evolve
Best for: Clinical genomics laboratories operating across state lines, contract research organizations, health systems launching pharmacogenomics programs, and DTC companies navigating post-23andMe regulatory tightening.
Research Consent & IRB Compliance Engineering
Consent harmonization for multi-site genomic studies is a software engineering problem: tracking provisions across thousands of participants, multiple IRB protocols, and evolving requirements over 10+ year study timescales. Maryland extends the Common Rule to all human subjects research regardless of funding source — catching privately funded research that would be exempt under federal rules alone.
- Consent document analysis against multi-regulatory requirements
- Automated consent tracking systems for longitudinal studies
- Controlled-access infrastructure design enforcing consent-based restrictions
- dbGaP submission support and institutional certification assistance
Best for: NIH-funded investigators, multi-site genomic consortia, academic medical centers, pharmaceutical companies running clinical trials with genomic endpoints.
Genetic Data Breach Response & Bankruptcy Protection
Specialized incident response for breaches involving genetic data. We quantify re-identification risk for the specific data types compromised, analyze multi-jurisdictional notification requirements (Maryland PIPA: 45 days from discovery; HIPAA: 60 days from discovery; differing law-enforcement delay provisions), and plan remediation. Also: proactive genetic data asset protection for M&A and bankruptcy scenarios.
- Bioinformatics-grade re-identification risk assessment for breached datasets
- Multi-jurisdictional notification timeline and content analysis
- M&A genetic data due diligence (MODPA prohibits sale regardless of consent)
- Incident readiness retainer — breach response plan, tabletop exercises
Best for: DTC genetic testing companies, entities acquiring companies with genetic data assets, cyber insurance carriers assessing genomic data risk, and law firms needing technical SMEs.
AI Deployment & Auditing
AI stack audits, model upgrades, prompt engineering, and agent design. We run AI tooling in production ourselves daily and know what works, what breaks, and what the vendors won't tell you. Includes AI training data provenance audits for organizations building models on genomic or biomedical data.
- AI stack audit — what you have, what it costs, what it's actually doing
- AI training data provenance for genomic/biomedical models (FDA, EU AI Act)
- Prompt engineering and agent design for repeatable workflows
- Monthly AI health check retainer
Best for: Organizations using AI tools that need auditing, and companies training AI on biomedical data that need regulatory compliance documentation.
Cloud Architecture & Software Engineering
Full-stack development, cloud infrastructure design, API integration, and data pipeline engineering. A decade at VeraChem LLC running high-performance computing for computational chemistry means we're comfortable with demanding, precision-critical software environments.
- Cloud architecture design and migration (AWS, GCP, Azure)
- Backend systems, REST and GraphQL APIs
- Data pipelines and ETL workflows
- HPC and scientific computing infrastructure
- Code review and architecture audits for existing systems
Best for: Technical startups, research organizations, and established companies modernizing legacy systems.
Systems Administration & Infrastructure
Twenty-plus years hands-on with Linux, networking, VPN configuration, web servers, databases, and CI/CD pipelines. This website runs on a physical server in Frederick County. We practice what we preach.
- Linux server setup, hardening, and ongoing administration
- WireGuard VPN configuration and secure remote access
- nginx, PostgreSQL, and application stack management
- CI/CD pipeline design and implementation
- Backup strategy, disaster recovery planning
Best for: Organizations that need reliable, self-hosted infrastructure managed by someone with deep hands-on experience.
AWS Compliant Cloud — Regulated Workloads
SOC 2 Type II and HIPAA-ready virtual datacenter hosted on AWS under a signed Business Associate Agreement. All regulated and client-facing production workloads run here, so every such workload lands inside the controlled environment by default. Physical security is inherited from AWS under its shared-responsibility model; we manage the technical control environment above that line.
- IAM Identity Center with enforced MFA and full audit trail
- Serverless containers (Fargate): no host OS to patch, although container images still need regular patching
- Encrypted data at rest (RDS + KMS) with automated SOC2/HIPAA evidence collection
- CloudTrail API logging, AWS Config guardrails, and Audit Manager reporting
- BAA signed via AWS Artifact before any PHI is processed
Best for: Clinical genomics labs, biotech firms, academic medical centers, and federal agencies requiring SOC2, HIPAA, GINA, or FedRAMP-adjacent compliance posture.
Frederick Green Datacenter — Research & Computation
Our Frederick County datacenter runs custom-built servers in a low-density configuration that requires no air conditioning and no water cooling, just ambient air. Electricity use is matched with solar renewable energy offsets, and the site has redundant internet connections. This is where we do research, data warehousing, and heavy computation at a fraction of cloud cost, with an ecological footprint most datacenters can't match.
- Zero AC, zero water cooling — ambient air only, extremely low environmental impact
- Renewable energy offsets (solar) covering the site's electricity use
- Redundant internet connections for reliable access
- Research computing, data warehousing, development and test environments
- Site-to-site VPN link to AWS — seamless workload promotion from R&D to production
Best for: Development and test environments, non-regulated AI training and experimentation, data warehousing, and clients who want a greener footprint without paying cloud premiums for non-regulated work.