Security review
Someone sent you this because they want to use ImOnFHIR
What it does
Validates Da Vinci PAS bundles against FHIR standards, washes and compares payloads, and explains how prior-auth interoperability actually works.
What it never has
PHI, user accounts, passwords, tracking cookies, or ad trackers. Just anonymous usage counters (Vercel Analytics) — the data worth stealing does not exist here.
Who runs it
Nick Dugan BSN, RN-BC, CPHIMS — an independent healthcare interoperability engineer. Not a vendor pitch; a working lab.
Whitelist it in three steps
- 01Review the postureThe /security page covers data handling per tool, subprocessors, and vulnerability disclosure.
- 02Allow the domainsFour domains, listed below. Two are ours; two are Vercel's cookie-free analytics. No ad trackers, no font CDNs, no surprise origins.
- 03Email usQuestionnaires, sign-off requests, or questions — one email, prefilled for you. We respond fast.
Domains to allow
A browser using ImOnFHIR contacts exactly these origins:
imonfhir.com www.imonfhir.com va.vercel-scripts.com vitals.vercel-insights.com
- imonfhir.com
- The site, the Lab, and its same-origin APIs
- www.imonfhir.com
- Canonical redirect host
- va.vercel-scripts.com
- Vercel Analytics script (anonymous, cookie-free)
- vitals.vercel-insights.com
- Vercel Web Vitals beacon
Note: validator.imonfhir.com never sees browser traffic — validation requests go same-origin to imonfhir.com, and our servers talk to the sidecar behind Cloudflare Access.
Data handling at a glance
| Surface | Summary |
|---|---|
| Validator | Pasted payloads are processed transiently on our servers (1 MB cap, not persisted or logged). Synthetic or de-identified FHIR only. |
| Washer & Compare | Run entirely in the browser. Pasted payloads never reach ImOnFHIR servers. (Temporarily off on stable production during beta rollout.) |
| Analytics | Anonymous usage counters via Vercel Analytics. No cookies, no identifiers, never payload contents. |
| Accounts | None. There is no login, no user database, and no personal data to store. |
The longer version — including the validator’s server-side path and the full subprocessor list — is on /security.
Submit a request
Whitelisting sign-off, a SIG Lite / CAIQ style questionnaire, or plain questions — send them over and we’ll respond within two business days, usually faster. The button prefills the email so your team only has to fill in the blanks.
Prefer plain email? Write to security@imonfhir.com. Machine-readable contact: /.well-known/security.txt.