Tessara Security & Compliance Questionnaire
Product: Tessara Conformance Monitoring
Version: 2.0
Last Updated: April 2026
1. Architecture & Data Privacy
1.1 How does Tessara handle Protected Health Information (PHI)?
Tessara never accesses PHI. It reads only the FHIR API’s /metadata endpoint (CapabilityStatement), which contains structural information about what resources and operations the API supports — not patient data. The CapabilityStatement is a standard FHIR discovery mechanism that serves the same role as an OpenAPI specification.
1.2 Does Tessara require a Business Associate Agreement (BAA)?
Because Tessara never accesses, processes, or stores PHI, a BAA is typically not required under HIPAA. We only handle structural metadata and compliance verdicts. However, we can provide a standard BAA template if your legal team requires one for added assurance.
1.3 Is Tessara a SaaS or on-premises solution?
Tessara is a local-first, single-binary deployment. It runs as a Go CLI on your infrastructure — Linux, macOS, or Windows. There are no cloud components, no external database servers, and no data egress beyond the HTTP probes to your target API.
1.4 How is data integrity ensured?
All structural baselines are stored as 4-level Merkle hash trees using SHA-256 with RFC 8785 JCS canonical serialization. Every conformance check produces a compliance verdict that is signed using Ed25519 digital signatures and hash-linked to the previous verdict, creating a tamper-evident audit trail.
2. Compliance & Standards
2.1 Which regulatory standards does Tessara support?
Tessara is specifically designed for CMS-0057-F (Interoperability and Prior Authorization) and FHIR R4 conformance monitoring. We support all mandated Implementation Guides (IGs), including:
- CARIN Blue Button 2.1.0
- Da Vinci PDex
- Da Vinci Payer-to-Payer
- Da Vinci Formulary
2.2 How does Tessara map drift to regulations?
When structural drift is detected, Tessara maps each finding to one of 6 drift categories and references the specific regulatory provision. For example: “CMS-0057-F requires Coverage.subscriberId as MustSupport with min cardinality 1; current API response omits this element (Category 1: Mandatory Element Removal, severity CRITICAL).”
2.3 What is the drift taxonomy?
Tessara classifies all findings into 6 categories:
- Mandatory Element Removal (CRITICAL) — required elements absent from API response
- Type/Cardinality Change (CRITICAL/HIGH) — data types or cardinality constraints differ
- Structural Extension (INFO) — API includes non-specified elements
- Auth/Authorization Deviation (HIGH) — security mechanisms differ from spec
- Endpoint Behavioral Change (MEDIUM) — structure OK but behavior changed
- Spec Version Mismatch (HIGH) — self-reported FHIR version incorrect
3. Deployment & Integration
3.1 What are the system dependencies?
Tessara is a single Go binary with 2 external dependencies (cobra CLI framework + CGo-free SQLite). It requires no sidecars, proxies, containers, or external databases.
3.2 Does Tessara affect API performance?
Tessara performs standard HTTP GET requests to your API’s /metadata endpoint — the same request any FHIR client makes for capability discovery. It does not intercept, mirror, or modify API traffic. Impact on your API is equivalent to a single client request per monitoring interval.
3.3 How is authentication handled?
The Tessara dashboard API uses JWT-based authentication with a configurable API key. TLS is supported via configurable certificate/key pairs. CORS origins are explicitly configured — wildcard origins are rejected in production mode.
3.4 What SSRF protections are in place?
Tessara implements a 3-layer SSRF defense for all outbound API probes:
- URL Validation: Parse and reject non-HTTP(S) schemes, empty hosts, and malformed URLs
- DNS Resolution Check: Resolve the target hostname and reject any private/loopback IP addresses before connecting
- Custom HTTP Dialer: Block connections to private IP ranges (10.x, 172.16-31.x, 192.168.x, 127.x, ::1) at the network layer
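The following is an added example, not Tessara's own code, showing how the three layers above can be wired together in Go (the language the CLI is written in). Function names are assumed, and the address check goes slightly beyond the list above by also blocking link-local and unspecified addresses.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/url"
	"syscall"
	"time"
)

// Blocked classes: the 3.4 list (10/8, 172.16/12, 192.168/16, 127/8, ::1) plus link-local and unspecified (added here).
func isDisallowedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified()
}

// Layer 1: accept only http/https URLs with a non-empty host.
func validateProbeURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Hostname() == "" {
		return fmt.Errorf("rejected probe URL %q: need an http(s) scheme and a host", raw)
	}
	return nil
}

// Layer 2: resolve the name before connecting and refuse if ANY answer is blocked.
func checkResolved(host string) error {
	ips, err := net.LookupIP(host) // on error ips is empty, so err is returned below
	for _, ip := range ips {
		if isDisallowedIP(ip) {
			return fmt.Errorf("%s resolves to blocked address %s", host, ip)
		}
	}
	return err
}

// Layer 3: Dialer.Control runs right before connect() with the literal IP that will be
// used, so an answer that changes between layer 2 and the connect is still blocked.
func blockPrivateDial(network, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if ip := net.ParseIP(host); err != nil || ip == nil || isDisallowedIP(ip) {
		return fmt.Errorf("connection to %s blocked by SSRF policy", address)
	}
	return nil
}

func newProbeClient() *http.Client {
	d := &net.Dialer{Timeout: 10 * time.Second, Control: blockPrivateDial}
	return &http.Client{Transport: &http.Transport{DialContext: d.DialContext}, Timeout: 30 * time.Second}
}
```

Because the check sits in the dialer, HTTP redirects followed by the client go through the same policy. `Dialer.Control` is standard-library Go; no third-party code is involved.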
For additional security documentation or to schedule a technical review, contact hello@tessara.us.
DRAFT — counsel review pending. This document is provided for procurement discussion. Final legal terms subject to attorney review and counterparty redlines.