CSx - Compliance and Security (Qualification Gate)

  • Draft date: March 5, 2026
  • RFP: VNA Meals on Wheels 2.0
  • Proposing entity: 3Wrkz, LLC
  • Scope in this artifact: CS1, CS2, CS3, CS4, and CS5 only

Executive Summary

3Wrkz's proposed approach is aligned to the compliance and security expectations defined in the Qualification Gate. Based on the current proposal direction and documented Azure-oriented architecture, 3Wrkz is prepared to satisfy the listed requirements through a combination of contractual commitments, platform controls, and implementation practices appropriate for a HIPAA-regulated environment.

CS1 Requirement (from Qualification Gate tab)

Proposer is willing and able to execute a HIPAA Business Associate Agreement (BAA) with VNA prior to any access to protected health information (PHI).

CS1 Position

In the Qualification Gate matrix, CS1 is marked as Complies (x). 3Wrkz confirms its willingness and ability to execute a HIPAA Business Associate Agreement (BAA) with VNA before any access to protected health information (PHI). We are prepared to review and execute VNA's standard BAA form.

CS1 Final Submission Guidance

The final submission explicitly states that 3Wrkz will execute a HIPAA BAA with VNA prior to accessing PHI and is prepared to use VNA's standard BAA form.

CS2 Requirement (from Qualification Gate tab)

The proposed solution's hosting infrastructure holds current SOC 2 Type II attestation, or the proposer will achieve SOC 2 Type II attestation within 12 months of contract execution. If using a major cloud provider (Azure, AWS, GCP), the provider's SOC 2 attestation satisfies this requirement for infrastructure; the application layer must still meet security controls.

CS2 Position

In the Qualification Gate matrix, CS2 is marked as Complies (x). 3Wrkz confirms that the proposed hosting and security model can satisfy this requirement, including the distinction between infrastructure attestation and application-layer control responsibilities.

CS2 Alignment Note

The current proposal materials reflect an Azure-based hosting and integration approach. Under the Qualification Gate language, a major cloud provider's SOC 2 Type II attestation addresses the infrastructure portion of the requirement, while application-layer controls remain within the solution delivery scope.

CS2 Final Submission Guidance

The final submission explicitly states that the proposed solution will be hosted on Microsoft Azure, which holds current SOC 2 Type II attestation, satisfying the infrastructure requirement. Additionally, 3Wrkz commits to implementing robust application-layer security controls appropriate for a HIPAA-regulated environment, including role-based access control (RBAC), data-at-rest encryption, and comprehensive audit logging.

CS3 Requirement (from Qualification Gate tab)

The vendor must demonstrate or contractually commit that the proposed solution encrypts (or will encrypt upon deployment) all data at rest and in transit using industry-standard encryption (AES-256 or equivalent for data at rest; TLS 1.2+ for data in transit).

CS3 Position

In the Qualification Gate matrix, CS3 is marked as Complies (x). 3Wrkz confirms that the proposed solution will implement encryption controls for data at rest and data in transit in accordance with the stated requirement.

CS3 Final Submission Guidance

The final submission explicitly states that 3Wrkz contractually commits that the proposed solution will encrypt all data at rest using AES-256 (via Azure SQL Transparent Data Encryption and Azure Storage encryption) and all data in transit using TLS 1.2+ across all API and web endpoints.

CS4 Requirement (from Qualification Gate tab)

The vendor must demonstrate or contractually commit that the proposed solution supports (or will support upon deployment) deployment on Microsoft Azure or is fully compatible with VNA's existing Azure cloud infrastructure.

CS4 Position

In the Qualification Gate matrix, CS4 is marked as Complies (x). 3Wrkz confirms that the proposed solution approach supports deployment on Microsoft Azure and is designed to align with VNA's Azure cloud environment.

CS4 Alignment Note

The current proposal set reflects an Azure-based implementation pattern, including Azure-hosted application components and Azure Functions integration points.

CS4 Final Submission Guidance

The final submission should include a concise Azure deployment statement and confirm compatibility with VNA's Azure infrastructure expectations.

The final submission explicitly states that the proposed MOW 2.0 solution will be deployed on Microsoft Azure, preferably within a VNA-owned Azure tenant, using Azure-hosted application services, Azure Functions, Azure SQL-managed data services, managed storage, and Microsoft identity services. 3Wrkz confirms that this deployment model is fully compatible with VNA's Azure cloud infrastructure expectations and can be implemented within VNA-controlled subscriptions and resource groups or, if VNA prefers, within a 3Wrkz-managed Azure tenant using the same Azure-based architecture.

CS5 Requirement (from Qualification Gate tab)

Proposer maintains a documented incident response plan and will notify VNA of any security breach involving VNA data within 24 hours of discovery.

CS5 Position

In the Qualification Gate matrix, CS5 is marked as Complies (x). 3Wrkz confirms that it satisfies this requirement, including maintaining a documented incident response capability and providing notification to VNA within 24 hours of discovering any security breach involving VNA data.

CS5 Final Submission Guidance

The final submission explicitly states that 3Wrkz maintains a documented incident response plan and contractually commits to notifying VNA of any security breach involving VNA data within 24 hours of discovery.