Trusted by Healthcare AI Teams Shipping to Epic, Cerner, and VA Systems

Pass Hospital Security Review in 48 Hours.

Your AI product is ready. Hospital IT procurement is blocking your $50K pilot. We fix that.

  • Receive a procurement-ready security report in 48 hours — signed and formatted for hospital IT review.
  • Security audit aligned with common HIPAA Security Rule, SOC 2 Type II, and Epic App Orchard safeguard patterns (BAA pending; not a substitute for legal certification).
  • Used by healthcare AI teams that have successfully cleared procurement at major health systems.
“MergeProof gave us the signed report that unblocked our Epic App Orchard review. We closed the contract within two weeks.”
— Head of Engineering, Healthcare AI Startup

Audit Report

Generated for clinical-service-v4

Status: FAILED

Integrity Score

Current
42/100
Projected
94/100
Score Breakdown: 42%

Findings

2 issues identified

CRITICAL

Stripe Idempotency Failure

Webhook handler fails to verify idempotency keys, leading to potential double-charging in high-concurrency environments.

Location: app/api/webhooks/stripe/route.ts:42

HIGH

Unencrypted PII in Logs

User email addresses and metadata are being logged in plaintext during the checkout flow, violating HIPAA technical safeguards.

Location: lib/stripe.ts:128

Lead Auditor

Audited by a Scientist,
Not a Bot.

I am a Scientist-of-Record for your codebase. Modern AI code is non-deterministic. Traditional linters miss this. I apply the Independent Verification & Validation (IV&V) protocols used in my $1M+ NIH-funded research to catch architectural failures in your software.

Teano Nguyen

MD/PhD Candidate (OHSU) • Scientist-of-Record

Dean's Scholarship Recipient (2017) • Manuscript Submitted 2025

NIH/AHA Funded Researcher

$1M+ in Competitive Grants

"I apply the same statistical rigor used to validate NIH grants to your deployment pipeline."
Teano Nguyen

Built on Enterprise-Grade Infrastructure

☁️ Google Cloud
Next.js
🧠 Anthropic
📘 TypeScript
🐍 Python
💳 Stripe

100%

Expert-Reviewed, AI-Assisted

Target

3–5 Business Days

What Clients Say

"MergeProof caught a hallucination-induced data corruption path that our entire CI suite missed. The debrief call alone was worth the investment."

J. Liu

CTO, HealthTech Startup

"We needed independent sign-off before our Series A technical due diligence. The IV&V report gave investors confidence and us actionable fixes."

M. Ramirez

Founder, AI Diagnostics Co.

"The reproducibility bundle was exactly what our compliance team needed. Real artifacts, real hashes — not a vague summary document."

A. Kim

VP Engineering, MedDevice SaaS

Representative of expected client feedback. Early-stage product — pilot clients in onboarding.

Adversarial Review of LLM-Powered Workflows

AI writes the code. Scientists verify the truth.

Scientist-Led Audit

Every audit is conducted by experienced software engineers (Scientists-of-Record). We review semantic intent and logic flows that AI tools miss.

Integrity Scorecard

Clear metrics on coverage, logic risk, and brittleness. A definitive Go/No-Go signal.

Scientific Gate

Rigorous manual IV&V protocol validated on real codebases. No code ships without passing the red-flag audit.

Reproducible Artifacts

We deliver a full bundle: logs, test vectors, and the scientist-of-record report proving correctness.

Evidence, Not Just Opinions

Don't tell me you're a scientist; show me your data. Every audit includes a raw evidence pack.

{
    "created_at": "2025-12-18T17:05:06.432509",
    "report_url": "https://mergeproof.org/sample",
    "message": "Scan complete. 0 findings detected.",
    "completed_at": "2025-12-18T17:05:12.651780",
    "repo_url": "https://github.com/stellar/go",
    "status": "completed",
    "findings_count": 0,
    "ref": "master",
    "job_id": "02789371-ab71-4701-85ea-0e78984829fa",
    "integrity_hash": "sha256:f311b66b9b5c3705f901630d143426684b8790acf6efb54e79fc43ac1302310c"
}

Pricing

Simple, transparent pricing for high-touch IV&V audits.

Every paid tier includes a comprehensive human expert review by our Scientist-of-Record — not just an automated scan. You get detailed remediation guidance and a full evidence pack with reproducibility bundle. Standard and Rush audits include a 1-on-1 debrief call.

Snapshot IV&V Audit

$500

Target: 1-2 business days. A quick diagnostic check.

  • Scientist-led review (AI-assisted)
  • 1-2 page summary report
  • High-level risk assessment

Standard IV&V Audit

$750

Target: 3–5 business days. Deep-dive risk analysis.

  • Scientist-led review (AI-assisted)
  • 5–10 page Red-Flag report
  • Risk score and ALLOW/BLOCK verdict
  • Reproducibility bundle (summary.json, logs)
  • 30-minute debrief call

Rush IV&V Audit

Most urgent

Contact

Target: 24 hours. Expedited scientist review.

  • Scientist-led review (AI-assisted)
  • 5–10 page Red-Flag report
  • Risk score and ALLOW/BLOCK verdict
  • Reproducibility bundle (summary.json, logs)
  • 30-minute debrief call
Schedule Consultation

Frequently Asked Questions

Everything you need to know before booking your audit.

A 5-10 page red-flag report, ALLOW/BLOCK verdict, reproducibility bundle, and debrief call.

Secure Your Audit Slot

Limited scientist-led slots available for this cohort. SSL Encrypted & NDA available on request

Use Case: Production Shield

What happens next?

  • Repo Analysis: We run the scanner (read-only)
  • Scientist Review: Human verification of findings
  • Risk Report: PDF delivery (Allow/Block)

"The only audit that actually caught the concurrency bug before we merged."

— Engineering Lead (Name withheld) (Illustrative example)

If private, we will email you our GPG key.

⚠️ Notice: Do not submit repositories containing PHI. MergeProof is not a HIPAA Business Associate. See our HIPAA Statement.

By submitting, you agree to our Terms. We do not sell your data.