Sample Report

This is what lands in your data room.

20 to 40 pages. Article-cited findings. Written analysis of every AI tool identified. Deal protection language specific to the risks found. Not a framework checklist. A written instrument.

Request Full Sample →
Preview

A page from the report.

Counsel-ready language, structured for VDR review. The full report includes 20 to 40 pages of regulatory mapping, remediation costs, vendor contract analysis, and SPA language.

IRON Report · Confidential
Draft Preview
Cohere Health, Inc. · Series C · HealthTech · Prior Authorization AI
AI Regulatory Exposure Report
Prepared by Velxa IRON · May 2026
Section 1 · Executive Brief

IRON identified 4 material AI regulatory findings across the BAA chain, EU AI Act Annex III, HIPAA processor obligations, and contract change-of-control. Estimated pre-close liability ranges from $14.2M to $47M. Three findings require closing conditions or purchase agreement reps. Section 3 contains the recommended SPA language.

Risk Tier
CRITICAL
91 / 100
Exposure
$14M – $47M
Pre-close
Findings
4
3 HIGH · 1 MED
Section 2 · Top Findings
OpenAI API · unverified BAA chain · Article 28. Four engineering job postings reference the integration; not listed as a sub-processor in privacy policy v4.1.
EU AI Act Article 28 / HIPAA §164.502(e)(1)
Annex III clinical AI · no conformity assessment on file. Prior authorization decisioning meets the high-risk definition; Article 43 assessment is required before continued EU market activity.
EU AI Act Article 6 / Annex III §5(a) / Article 43
PHI routing through unconfirmed processor chain. GitHub repo and dependency manifest reference patient-data preprocessing through three vendors absent from the BAA roster.
HIPAA §164.502 / §164.514
AWS Bedrock · change-of-control clause at close. Bedrock master agreement assigns automatic termination on change of beneficial ownership; clinical inference pipeline depends on it.
HIPAA BAA / GDPR Article 28 / Contract Schedule 6.14
Section 3 · Regulatory Mapping (excerpt)
Finding #1 · HIPAA §164.502
PHI routing without confirmed BAA chain

Evidence: Job posting "ML Engineer (Clinical AI), experience with PHI routing through Bedrock required" + public GitHub repo confirming langchain + openai SDK in production inference path. Privacy policy enumerates three sub-processors not listed in BAA documentation provided in the data room.

Regulatory impact: HIPAA §164.502(e)(1) requires a Business Associate Agreement with every entity that creates, receives, maintains, or transmits PHI on the covered entity's behalf. Sub-processors that touch PHI through the AI pipeline are Business Associates. Absent BAAs trigger §164.514 enforcement risk and exclude indemnification under §164.530(e).

Estimated exposure: $4.2M – $18M (regulatory fines at HHS-OCR median plus remediation cost to backfill BAA chain across three sub-processors).

Section 4 · SPA Language (excerpt)
Recommended Closing Condition · §6.14(a)
Seller shall, prior to Closing, deliver to Buyer fully executed Business Associate Agreements (in form and substance reasonably acceptable to Buyer's counsel) covering each Sub-Processor identified on Schedule 6.14, together with a written certification of each Sub-Processor's compliance with 45 C.F.R. §164.502(e)(1) and §164.514. Failure to deliver any such BAA prior to Closing shall constitute a failure of a Closing condition under Section 7.02(d).
Report Contents

What every IRON report includes.

Page counts vary by tier. Snapshot delivers 20 pages. Full Diligence is 40+.

Executive Brief1 page
Risk tier, exposure estimate, top 3 findings, recommended deal action. The page your IC reads.
AI Stack Inventory3–5 pages
Every AI tool identified, evidence source, confidence level (confirmed vs inferred), risk classification per regulatory framework.
Regulatory Exposure Map5–8 pages
Finding by finding: regulation cited (article and section), evidence, risk tier, remediation requirement, SPA language template.
Vendor Contract Risk2–3 pages
Change-of-control clauses identified, BAA/DPA gaps in the sub-processor chain, renegotiation requirements with priority order.
Post-Close Assessment3–4 pages · Full Diligence and above
Stack collision analysis with the acquirer's existing AI footprint, integration conflicts, cost synergy estimate, post-close compliance roadmap.
SPA Language2–3 pages
Reps, warranties, covenants, and indemnification provisions written to specific findings. Plug into purchase agreement red-line directly.

Order a report.

Fixed price. 48 hours. Counsel-ready. Drops into your VDR.

Order → Request a full sample →
© 2026 Velxa LLC  ·  Signal intelligence only · Not legal advicevelxa.ai  ·  Signal intelligence only · Not legal advice Book a consultation →
/* Universal nav: active link + mobile burger */ (function initVelxaNavExtras(){ var active = document.body.getAttribute('data-active-nav'); if (active) { var link = document.querySelector('.velxa-nav .nav-links [data-nav="'+active+'"]'); if (link) link.classList.add('active'); } var burger = document.getElementById('navBurger'), panel = document.getElementById('velxaMnp'), close = document.getElementById('velxaMnpClose'); if (!burger || !panel) return; var openIt = function(){ panel.classList.add('is-open'); panel.setAttribute('aria-hidden','false'); burger.setAttribute('aria-expanded','true'); }; var closeIt = function(){ panel.classList.remove('is-open'); panel.setAttribute('aria-hidden','true'); burger.setAttribute('aria-expanded','false'); }; burger.addEventListener('click', openIt); if (close) close.addEventListener('click', closeIt); panel.addEventListener('click', function(e){ if (e.target===panel) closeIt(); }); document.addEventListener('keydown', function(e){ if (e.key==='Escape') closeIt(); }); panel.querySelectorAll('a').forEach(function(a){ a.addEventListener('click', closeIt); }); })(); /* ═════════════ VX Animation init — Batch 2 ═════════════ */ (function vxAnimInit(){ // Tag link-trace target on body so the underline-trace CSS applies on subpages document.body.classList.add('vx-link-trace'); // Auto-attach .vx-reveal to sections that benefit from scroll reveal. // Skip elements that already have .reveal (pre-existing GSAP-driven reveals on homepage). var revealSelectors = [ '.hero-a', '.hero-ss', '.hero-h', '.hero-s', '.problem-grid', '.market-stats', '.pull', '.iron-card', '.cta-section', '.iw-head', '.iw-selector', '.iw-terminal', '.frame-cards', '.ssi-grid', '.pricing-grid', '.steps-grid', '.reg-wall', '.not-list', '.opts', '.ab-block', '.report-frame', '.includes-list', '.placeholder', '.faq-list', '.sample-cta-band', '.pricing-bookcall', '.sell-teaser-section', '.amf-line' ]; revealSelectors.forEach(function(sel){ document.querySelectorAll(sel).forEach(function(el){ if (el.classList.contains('reveal')) return; el.classList.add('vx-reveal'); }); }); // Stagger children of grouped containers var staggerGroups = [ { wrap: '.steps-grid', child: '.step-card' }, { wrap: '.ssi-grid', child: '.ssi-card' }, { wrap: '.pricing-grid', child: '.pr-card' }, { wrap: '.frame-cards', child: '.frame-card' }, { wrap: '.reg-wall', child: '.rb' }, { wrap: '.includes-list', child: '.inc-row' }, { wrap: '.market-stats', child: '.ms' }, { wrap: '.not-list', child: '.not-item' }, { wrap: '.opts', child: '.opt-card' }, { wrap: '.iw-head + .iw-selector + .iw-terminal', child: '*' } // not used; placeholder ]; staggerGroups.forEach(function(g){ document.querySelectorAll(g.wrap).forEach(function(wrap){ wrap.querySelectorAll(g.child).forEach(function(c, i){ if (c.classList.contains('reveal')) return; c.classList.add('vx-reveal'); c.setAttribute('data-vx-stagger', String(Math.min(i, 6))); }); }); }); // Problem grid: left/right slide document.querySelectorAll('.problem-grid').forEach(function(grid){ var children = grid.children; if (children[0]) { children[0].classList.add('vx-reveal','vx-left'); } if (children[1]) { children[1].classList.add('vx-reveal','vx-right'); children[1].setAttribute('data-vx-stagger','2'); } }); // IntersectionObserver if (!('IntersectionObserver' in window)) { document.querySelectorAll('.vx-reveal').forEach(function(el){ el.classList.add('is-in'); }); return; } var io = new IntersectionObserver(function(entries){ entries.forEach(function(en){ if (en.isIntersecting) { en.target.classList.add('is-in'); io.unobserve(en.target); } }); }, { threshold: 0.15, rootMargin: '0px 0px -8% 0px' }); document.querySelectorAll('.vx-reveal').forEach(function(el){ io.observe(el); }); // Market stats count-up (about page) — drives .ms-num elements with data-vx-count // Auto-populate counts from the existing text: parse leading number when present. document.querySelectorAll('.market-stats .ms .ms-num').forEach(function(el){ if (el.hasAttribute('data-vx-count')) return; var raw = el.textContent.trim(); // Find the first integer at the start (e.g., "15", "78", "1") var match = raw.match(/^(\d+)/); if (!match) return; var target = parseInt(match[1], 10); el.setAttribute('data-vx-count', String(target)); el.setAttribute('data-vx-raw', el.innerHTML); el.innerHTML = el.innerHTML.replace(/^(\d+)/, '0'); }); var countObserver = new IntersectionObserver(function(entries){ entries.forEach(function(en){ if (!en.isIntersecting) return; var el = en.target; var target = parseInt(el.getAttribute('data-vx-count') || '0', 10); var raw = el.getAttribute('data-vx-raw') || el.innerHTML; if (!target) { countObserver.unobserve(el); return; } var start = 0, duration = 1100, t0 = performance.now(); function frame(now){ var p = Math.min(1, (now - t0) / duration); var v = Math.floor(start + (target - start) * (1 - Math.pow(1 - p, 3))); el.innerHTML = raw.replace(/^(\d+)/, String(v)); if (p < 1) requestAnimationFrame(frame); } requestAnimationFrame(frame); countObserver.unobserve(el); }); }, { threshold: 0.5 }); document.querySelectorAll('.market-stats .ms .ms-num[data-vx-count]').forEach(function(el){ countObserver.observe(el); }); // Sell-side framing cards (.fc-num) count-up document.querySelectorAll('.frame-card .fc-num').forEach(function(el){ if (el.hasAttribute('data-vx-count')) return; var match = el.textContent.match(/^(\d+)/); if (!match) return; var target = parseInt(match[1], 10); el.setAttribute('data-vx-count', String(target)); el.setAttribute('data-vx-raw', el.innerHTML); el.innerHTML = el.innerHTML.replace(/^(\d+)/, '0'); countObserver.observe(el); }); })();