Owner: TransTrack founder
Last updated: 2026-06-05
Status: Items in this file CANNOT be fully closed in source code. They require contracts, money, or a third-party signature. Track progress against the checklist in §Done-by at the bottom.
Each item has a concrete vendor list, indicative pricing, and an outreach email template. Work through them in the order shown — that is the order in which they block revenue.
Progress as of 2026-06-05
- C-2 — Pending (entity formation required before first paid pilot)
- C-3 — Code and CI pipeline complete; cert purchase pending
- C-4 — Internal security assessment complete (see `docs/security/engagements/2026-06-internal/`); third-party pentest vendor RFP issued (target Q3 2026)
- C-5 — IQ/OQ/PQ templates and worked examples ready; execution pending pilot site
- C-11 — Insurance quote process to begin after entity formation (C-2)
Hospitals buy from corporations, not individuals. Before you can sign a BAA, accept ACH or a wire, or invoice a customer, you need:
- a registered business entity that can own the IP and sign contracts
- an EIN (US) or equivalent tax ID
- a business bank account
- a vendor domain with TLS-secured email (e.g. `sales@transtrack.health`, not `Trans_Track@outlook.com`)
- a `.well-known/security.txt` and a public privacy policy URL
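The `security.txt` item is the one a buyer's security team checks mechanically, so it is worth validating before the domain goes live. The script below is an added example, not TransTrack project code: it writes a constructed `/.well-known/security.txt` for the vendor domain named in this README and checks it against the RFC 9116 rules (at least one `Contact` that is a URI, exactly one `Expires` in RFC 3339 form that is still in the future, comment lines tolerated). `security@transtrack.health` is the mailbox this checklist already lists; the `Policy` URL is an assumed placeholder.

```bash
#!/usr/bin/env bash
# Added example, not TransTrack project code: writes a constructed
# /.well-known/security.txt for the vendor domain named in this README and
# checks it against the RFC 9116 rules a hospital security reviewer applies.
# security@transtrack.health is the mailbox listed in the checklist; the
# Policy URL is an assumed placeholder.
set -eu

# Expires one calendar year out, computed portably (GNU and BSD date alike).
next_year=$(( $(date -u +%Y) + 1 ))

# Constructed sample file. In production it is served over HTTPS at
# https://transtrack.health/.well-known/security.txt (HTTP-only is invalid).
write_sample_security_txt() {
  cat > "$1" <<EOF
# Comment lines are allowed; inline trailing comments are not.
Contact: mailto:security@transtrack.health
Expires: ${next_year}-01-01T00:00:00.000Z
Canonical: https://transtrack.health/.well-known/security.txt
Policy: https://transtrack.health/security-policy
Preferred-Languages: en
EOF
}

# Checks the MUST-level rules: at least one Contact with a URI scheme, exactly
# one Expires in RFC 3339 form that is still in the future. Returns 0 when all
# pass, 1 otherwise, printing one reason per line.
check_security_txt() {
  local file=$1 rc=0 fields contacts n_expires expires exp19 now19 limit19
  fields=$(grep -v '^#' "$file" || true)               # drop comment lines
  contacts=$(printf '%s\n' "$fields" | grep '^Contact:' | sed 's/^Contact:[[:space:]]*//' || true)
  n_expires=$(printf '%s\n' "$fields" | grep -c '^Expires:' || true)
  expires=$(printf '%s\n' "$fields" | grep '^Expires:' | sed 's/^Expires:[[:space:]]*//' || true)

  if [ -z "$contacts" ]; then
    echo "missing required Contact field"; rc=1
  elif printf '%s\n' "$contacts" | grep -Evq '^(mailto:|https://|tel:)'; then
    # A bare e-mail address is the most common mistake; the value MUST be a URI.
    echo "Contact value is not a mailto:/https:/tel: URI"; rc=1
  fi

  if [ "$n_expires" -ne 1 ]; then
    echo "exactly one Expires field required, found $n_expires"; rc=1
  elif ! printf '%s' "$expires" | grep -Eq '^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}(\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})$'; then
    echo "Expires is not an RFC 3339 date-time: $expires"; rc=1
  else
    # Fixed-width timestamps compare correctly as strings; non-Z offsets are
    # treated as UTC, which is precise enough for a field measured in months.
    exp19=$(printf '%s' "$expires" | cut -c1-19)
    now19=$(date -u +%Y-%m-%dT%H:%M:%S)
    limit19="${next_year}-$(date -u +%m-%dT%H:%M:%S)"
    if [ "$exp19" \< "$now19" ] || [ "$exp19" = "$now19" ]; then
      echo "Expires is in the past: $expires"; rc=1
    elif [ "$exp19" \> "$limit19" ]; then
      echo "warning: Expires is more than a year out; RFC 9116 recommends under one year"
    fi
  fi
  return $rc
}

# Usage: validate the constructed sample.
tmp=$(mktemp)
write_sample_security_txt "$tmp"
if check_security_txt "$tmp"; then echo "security.txt OK"; fi
rm -f "$tmp"
```

Point `check_security_txt` at the file you actually serve; the two failures reviewers hit most are an expired `Expires` and a bare e-mail address where a `mailto:` URI is required.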
| Step | Vendor | Cost | Time |
|---|---|---|---|
| LLC or Delaware C-Corp formation | Stripe Atlas / Clerky / Firstbase / a real lawyer | $500–$1,500 one-time | 1–3 weeks |
| EIN | IRS (free) — Stripe Atlas / Firstbase will file | free | 1–4 weeks |
| Registered agent | Bundled with the formation vendor | $100–$300/yr | included |
| Business bank account | Mercury / Brex / a regional bank | free | 1–3 days |
| Domain — transtrack.health | Cloudflare Registrar / Namecheap | $40–$200/yr | 1 hour |
| Email | Google Workspace | $6–$18 / user / month | 1 hour |
| Privacy Policy + Terms of Service | Termly / iubenda + lawyer review | $300–$2,000 | 1 week |
| BAA template (you already have one) | docs/compliance/policies/BAA_TEMPLATE.md | $0 — already in repo | 0 |
| Business cyber + GL insurance | see C-11 | see C-11 | see C-11 |
Subject: New software company — formation + tax filings
Hi [Atlas/Firstbase team],
I'm forming a Delaware C-Corp for a healthcare software product that sells to US transplant centers. Please proceed with formation, EIN registration, and a Mercury bank account opening. Founder: [Name]; primary state of operation: [State]. The company will collect protected health information from customers and will execute Business Associate Agreements; please flag any structural recommendations specific to HIPAA-covered SaaS.
Target funding source: bootstrapped initially; expecting first revenue within 90 days. Please send the standard template package.
Thanks, [Name]
The release pipeline (`.github/workflows/release.yml`) and the release-readiness gate (`npm run release:check:for-sale`) already enforce signed installers. They only run when you push a `v*.*.*` tag. The remaining work is to purchase the actual certificates and add the four required GitHub Actions secrets.
| Cert | Vendor | Cost | Mode |
|---|---|---|---|
| Windows EV Code Signing (Authenticode) | SSL.com eSigner (cloud HSM) | ~$300/yr | TRANSTRACK_SIGN_MODE=ssl_esigner |
| Windows EV Code Signing (USB token) | DigiCert / Sectigo / SSL.com (hardware token) | ~$300–$700/yr | TRANSTRACK_SIGN_MODE=pfx |
| Apple Developer Program | Apple | $99/yr | APPLE_* secrets |
Recommendation: SSL.com eSigner. It's cloud-HSM-backed, eliminates the lost-USB-token nightmare, and works out of the box with the existing CI workflow.
```text
ESIGNER_USERNAME
ESIGNER_PASSWORD
ESIGNER_CREDENTIAL_ID
ESIGNER_TOTP_SECRET
APPLE_ID
APPLE_APP_PASSWORD        (app-specific password from appleid.apple.com)
APPLE_TEAM_ID
APPLE_CERT_BASE64         (base64 of your Developer ID Application .p12)
APPLE_CERT_PASSWORD
```
```bash
git tag v1.3.0-rc1
git push origin v1.3.0-rc1
```

If credentials are missing, the preflight job will fail with a clear error message. If credentials are present, you'll get signed installers in the GitHub Releases artifact set within ~25 minutes.
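Before pushing the tag, the preflight's secret check can be reproduced locally so a missing or malformed secret is caught without burning a CI run. The script below is an added example, not the project's `release.yml` preflight job: it uses the secret names listed above, reports the names of missing variables without ever printing values, and sanity-checks the shape of `APPLE_CERT_BASE64`. Only `TRANSTRACK_SIGN_MODE=ssl_esigner` is covered, because the pfx token mode's secret names are not listed in this README.

```bash
#!/usr/bin/env bash
# Added example, not the project's release.yml preflight job: a local dry-run
# of the "are the signing secrets present?" check described above, so a
# release engineer can confirm a shell or CI environment before pushing a
# v*.*.* tag. Secret names are the ones listed in this README; values are
# never printed, only the names of variables that are missing.
set -u

# Secrets required per TRANSTRACK_SIGN_MODE. Only the cloud-HSM mode is
# covered: the pfx (USB token) mode's secret names are not listed in this
# README, so that mode is reported as unhandled rather than guessed.
esigner_secrets="ESIGNER_USERNAME ESIGNER_PASSWORD ESIGNER_CREDENTIAL_ID ESIGNER_TOTP_SECRET"
apple_secrets="APPLE_ID APPLE_APP_PASSWORD APPLE_TEAM_ID APPLE_CERT_BASE64 APPLE_CERT_PASSWORD"

# Prints the name (never the value) of each listed variable that is unset or
# empty. Returns 0 if none are missing, 1 otherwise.
check_secrets_present() {
  local missing=0 name value
  for name in "$@"; do
    eval "value=\${$name:-}"   # indirect lookup; names come from the fixed lists above
    if [ -z "$value" ]; then
      echo "missing secret: $name"
      missing=1
    fi
  done
  return $missing
}

# Cheap shape check on the certificate blob before CI tries to decode it:
# base64 alphabet only, optional padding, length a multiple of 4.
looks_like_base64() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$' && [ $(( ${#1} % 4 )) -eq 0 ]
}

# Whole preflight for one signing mode. Returns 0 only if every required
# Windows secret for that mode and every Apple notarization secret is present
# and the certificate blob is well-formed.
preflight() {
  local mode=$1 rc=0
  case "$mode" in
    ssl_esigner) check_secrets_present $esigner_secrets || rc=1 ;;
    pfx) echo "TRANSTRACK_SIGN_MODE=pfx: token-mode secret names not covered here"; rc=1 ;;
    *) echo "unknown TRANSTRACK_SIGN_MODE: $mode"; rc=1 ;;
  esac
  check_secrets_present $apple_secrets || rc=1
  if [ -n "${APPLE_CERT_BASE64:-}" ] && ! looks_like_base64 "$APPLE_CERT_BASE64"; then
    echo "APPLE_CERT_BASE64 is not well-formed base64 (regenerate with: base64 < DeveloperID.p12)"
    rc=1
  fi
  return $rc
}

# Usage: run against the current environment, defaulting to the recommended mode.
preflight "${TRANSTRACK_SIGN_MODE:-ssl_esigner}" && echo "preflight OK" || echo "preflight FAILED"
```

Run it in the same shell (or CI step) that will hold the secrets; a clean "preflight OK" means the tag push will at least get past the credential gate, and a failure names exactly which secret to fix without leaking any of them into logs.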
Every hospital security questionnaire (HECVAT, SIG, your customer's custom 200-question Word doc) asks "have you had a third-party penetration test in the last 12 months." Saying "no" is an automatic red flag and often a contractual disqualifier.
`docs/security/PENETRATION_TEST_SCOPE.md` and `docs/security/PENTEST_VENDOR_CHECKLIST.md` are already in the repo. The vendor only needs the scope doc + this README + access to a non-PHI test environment.
| Vendor | Strengths | Indicative price (1-week eng.) |
|---|---|---|
| Bishop Fox | Tier-1 reputation, strong for healthcare | $30–60k |
| Trail of Bits | Strong on cryptography and binaries | $30–80k |
| NCC Group | Healthcare-savvy, large team | $25–60k |
| Independent Security Evaluators (ISE) | Healthcare + medical-device focused | $20–50k |
| Cobalt.io (PtaaS) | Cheaper, decent quality, gives you a tester crew | $8–25k |
| Synack (PtaaS) | Same idea — continuous, crowd-style | $15–40k |
Recommendation if cash-constrained: Cobalt.io. You can scope a focused 2-week engagement that covers the desktop app + API server for under $15k and walk away with a redacted report you can attach to every RFP. Step up to Bishop Fox once you have enterprise customers paying ≥$100k/yr.
Subject: Penetration test scoping for healthcare desktop application
Hi [vendor],
I'm the founder of TransTrack, a HIPAA-aligned desktop application used by US organ transplant centers. We're commercializing the product and need an external pen-test report we can share under NDA with prospective hospital customers and (later) with SOC 2 auditors.
Scope:
- Electron desktop client (Windows + macOS), ~50 KLOC JS
- Fastify-based API server with FHIR R4 + HL7 v2 MLLP listener
- Postgres 16 backend with row-level security
- SAML 2.0, OIDC, SMART on FHIR v2 integrations
Our published threat model and scope-of-engagement document is at [share docs/security/PENETRATION_TEST_SCOPE.md].
Timeline: ideally a 1-week engagement starting in the next 6 weeks. Deliverable: a redacted executive summary that can be attached to security questionnaires, plus a detailed technical report kept under NDA.
Budget: please quote both a "focused" (web + binary surface only) and "comprehensive" (incl. crypto + supply chain) option.
Thanks, [Name]
Joint Commission-accredited transplant programs are required to validate any clinical system that affects allocation. They will ask for either:
- Vendor-executed validation (your name in the "performed by" box), or
- Vendor-supplied protocols that they execute locally and you countersign
You currently have the templates (`docs/compliance/`) and worked examples (`docs/compliance/pilot-site-example/`) but not a signed, executed copy.
In the first pilot contract, add the language:
"As part of the pilot, [Hospital] will execute the IQ, OQ, and PQ protocols supplied by TransTrack in good faith, and provide the completed forms to TransTrack within 90 days of go-live. TransTrack retains the right to use the redacted (de-identified) completed protocols as a reference validation package for future sales, provided no patient data is disclosed."
Cost: $0 (you trade discounted pricing for the executed forms). Timeline: 90 days from pilot go-live.
| Vendor | Notes | Cost |
|---|---|---|
| Compliance Architects | Boutique, transplant-experienced | $30–60k |
| Veeva (Vault Validation) | Heavyweight, enterprise-pharma background | $50–100k |
| Independent QA contractor | Find via Healthbox / LinkedIn / referrals | $15–40k |
The consultant signs and dates each step of the protocols against a clean test environment you provision. The result is paper that says "TransTrack v1.x.y has been Installation/Operational/Performance qualified by [firm] for transplant-waitlist management" — and that paper goes into every RFP response.
If you genuinely cannot afford Option B and don't yet have a pilot:
- Spin up a clean Windows VM and a clean macOS VM.
- Install TransTrack from the signed installer (post-C-3).
- Walk through each step in `docs/compliance/pilot-site-example/IQ_PROTOCOL_EXAMPLE.md`, `OQ_PROTOCOL_EXAMPLE.md`, `PQ_PROTOCOL_EXAMPLE.md`.
- Record screen captures, timestamps, and your initials at each step.
- Save the executed PDFs to `docs/compliance/executed/`.
- Have a clinical advisor (transplant coordinator / surgeon) sign as the "user representative."
This is not as strong as a third-party countersignature but is materially better than "we have templates."
Most hospital procurement contracts include a hard insurance minimum, typically:
- Cyber liability: $1M aggregate
- Errors & Omissions (Tech E&O): $1M aggregate
- General liability: $1M / occurrence, $2M aggregate
Without these, your contract goes to legal and dies on the redline pass.
| Vendor | Strengths | Indicative annual premium (early-stage SaaS) |
|---|---|---|
| Vouch | Startup-friendly, fast online quotes | $2–6k |
| Embroker | Specialty in tech E&O + cyber | $3–8k |
| Coalition | Strong cyber risk underwriting + free scanning | $2–7k |
| Cowbell | Direct, online, simple | $2–5k |
| Aon / Marsh | Brokerage; better for >$10M revenue | varies |
Recommendation: Coalition for cyber + Vouch for E&O. Coalition's underwriting includes free attack-surface monitoring, which is a genuinely useful by-product.
Expect the underwriting questionnaire to ask for:
- Annual revenue (zero is fine if you're pre-revenue — they'll quote off projected revenue)
- Whether you store / process PHI (yes)
- Whether you encrypt at rest and in transit (yes — point them to `SECURITY.md`)
- Whether you have MFA on admin accounts (yes — point them to `docs/SSO_DESKTOP.md` and `docs/compliance/HIPAA_SECURITY_RULE_MAPPING.md`)
- Whether you've had a pen-test in the last 12 months (close C-4 first so you can answer "yes")
- Whether you have a written incident response plan (you do — `docs/compliance/INCIDENT_RESPONSE_PLAN.md`... if it's missing, add it before quoting)
Subject: Tech E&O + cyber liability quote — healthcare SaaS
Hi [Vouch / Coalition],
I'm the founder of TransTrack, a HIPAA-aligned desktop application sold to US organ transplant centers. We're approaching first revenue and need:
- Cyber liability: $1M / $1M
- Tech E&O: $1M / $1M
- General liability: $1M / $2M
Quick facts:
- Annual revenue (projected, year 1): [your number]
- PHI processing: yes
- Encryption at rest + in transit: yes
- Admin MFA: yes
- Independent pen-test: [yes after C-4; no before]
- Founders / employees: 1
- Domicile: [state]
Please send a quote and your underwriting questionnaire.
Thanks, [Name]
A buyer evaluating TransTrack should be able to flip through this and mark every line:
- C-2-a Legal entity formed; certificate of incorporation on file
- C-2-b EIN issued (US) or equivalent
- C-2-c Business bank account opened
- C-2-d Vendor domain owned (e.g., transtrack.health)
- C-2-e Workspace email live for sales@, support@, security@
- C-2-f Privacy Policy + ToS published at the vendor domain
- C-3-a EV Code Signing certificate purchased and provisioned
- C-3-b Apple Developer Program enrolled, notarization creds in env
- C-3-c GitHub Actions secrets set for both platforms
- C-3-d Test release tag (`v1.3.0-rc1`) successfully signed in CI
- C-4-pre Internal security assessment baseline complete (`docs/security/engagements/2026-06-internal/`) — 2026-06-05
- C-4-a Pen-test vendor selected, SOW signed (RFP in progress — Cobalt.io, Doyensec, Include Security)
- C-4-b Pen-test executed
- C-4-c Redacted summary report available for diligence
- C-4-d All Critical/High findings remediated; report countersigned
- C-5-a IQ executed and signed (DIY or consultant)
- C-5-b OQ executed and signed
- C-5-c PQ executed and signed
- C-5-d Validation Summary Report (VSR) issued
- C-11-a Cyber liability $1M aggregate bound, COI on file
- C-11-b Tech E&O $1M aggregate bound, COI on file
- C-11-c General liability $1M / $2M bound, COI on file
- C-11-d Master COI added to `docs/legal/insurance/` for buyer review
Once every line above is checked, you can ship a customer-ready contract package and answer every standard hospital security questionnaire with real artifacts instead of "we plan to."