Raw clinical data does not leave payer control.
Zkeleton is designed around a single operating principle: the payer owns the infrastructure, the payer owns the data, and Zkeleton is a contractor inside the payer's environment. Every architectural choice follows from that.
The bubble runs in your VPC
Zkeleton provisions inside the payer's own virtual private cloud. All compute, storage, and network activity happens inside infrastructure the payer already owns and operates. There is no Zkeleton cloud holding clinical data.
No multi-tenant aggregation
Each payer gets an isolated bubble. No clinical data is ever aggregated across payers. There is no shared dataset, no cross-payer index, and no vendor-side copy of any payer's records.
Isolation from the core
The bubble has no write path into adjudication, MLR reporting, or audit trail systems. Zkeleton cannot affect a paid claim, a quality metric, or a regulatory submission. The core is structurally untouchable.
Controlled egress
Intelligence produced inside the bubble (signals, scores, model outputs, flagged cohorts) leaves through defined egress channels governed by the payer. Raw clinical data does not have an egress path.
HIPAA-native design
Minimum necessary, role-based access, BAA-governed relationship, and audit logging at every layer. Access to the bubble is subject to the payer's own identity and access controls.
Operational transparency
Payer teams see every job running inside their bubble. Code and configuration are reviewable. Nothing about how Zkeleton operates is opaque to the operator.
The payer does not trust Zkeleton with their clinical data. The payer runs Zkeleton on data that never left their control.