Privacy, security, infrastructure readiness reviews are required for all products launching on


Platform Security


Request this touchpoint when your product is in staging and before you begin rollout, allowing enough time to implement feedback.


Asynchronous review. A synchronous 30-minute meeting may be requested.


To ensure your feature meets Platform's privacy and security standards.


VFS Lead Engineer or Product Manager submits a Privacy, security, infrastructure readiness review ticket in repository.


VFS participants:

  • Lead engineer (required)

  • Product manager (required)

  • OCTO-DE product lead (required)

  • Anyone else on your team whose presence is needed to speak to the technical architecture and security concerns (required)

Platform participants:

  • Platform Security team

  • OCTO-DE Platform Security Lead


VFS provides:

  • Link to product outline

  • Ensure the product outline contains Incident Response info, including:

    • Points of contact for your system and dependent VA backends

    • Links to dashboards that help identify and debug application issues

  • Links to technical diagrams (checked into GitHub alongside your product documentation), including:

    • An architecture diagram, showing involved systems and how they connect.

    • For non-trivial flows (i.e. more than a single round-trip call from frontend → vets-api → VA Backend), a sequence diagram showing the ordered flow of data and operations between systems.

  • Describe any new publicly-exposed endpoints (vets-api or otherwise)

  • Describe any new interactions with dependent VA backends

  • Describe any other security hotspots you're concerned about / want extra attention on

  • Link to Release Plan with the "Planning" sections completed (in each section: Phase I, Phase II, Go Live)

  • Review the guidance on hosting a security review


Platform provides a list of concrete action items in a GitHub ticket that need to be addressed before you roll out your product.

When your team has completed the action items, assign the ticket back to the Platform Security team and the OCTO-DE Platform Security Lead, who will confirm completion and close out the issue, signaling approval of the Privacy and Security review.

If no issues are raised during the Privacy, security, infrastructure readiness review, then Platform will approve your product for launch.