Compliance
Circadify is designed to help you meet your regulatory obligations. Below are the compliance standards we support and the controls we provide.
Standards & Certifications
| Standard | Status |
|---|---|
| HIPAA | Available — BAA provided for enterprise customers |
| SOC 2 Type II | In progress |
| ISO 27001 | In progress |
| GDPR | Platform controls support compliance |
| CCPA | Platform controls support compliance |
Circadify provides the following controls to support GDPR compliance:
- Data Processing Agreement (DPA) — Available on request. Contact sales@circadify.com.
- Data subject requests — Access and deletion requests are handled via support@circadify.com. Session health data is ephemeral (15-minute TTL) and auto-deletes, so in most cases no persistent personal health data exists to retrieve or delete.
- Data residency — Enterprise customers can request EU-based infrastructure to keep data within the European Economic Area. Default region is US East. See Data Residency.
- Audit trail — All data access and modifications are logged with actor, action, timestamp, and outcome for accountability.
- Minimal data collection — On-device processing ensures raw biometric data never leaves the user’s device. Only derived vital sign scores are transmitted.
- Breach notification — Data controllers are notified within 72 hours of Circadify becoming aware of a personal data breach, as required by GDPR Article 33.
For CCPA compliance, Circadify supports:
- Consumer data requests — Access and deletion requests are handled via support@circadify.com.
- Minimal data retention — Session health data auto-expires within 15 minutes. No persistent consumer health data is stored beyond the session lifecycle.
- No data selling — Circadify does not sell consumer personal information to third parties.
- Audit trail — All data access is logged for accountability and compliance verification.
HIPAA-eligible configurations are available on Enterprise plans with a signed Business Associate Agreement (BAA).
Circadify implements the following HIPAA-relevant controls:
- Business Associate Agreement — BAA is provided for enterprise customers using Circadify in clinical or telehealth settings. Contact sales@circadify.com.
- Access controls — API key authentication with one-way hashing, rate limiting, and account lockout after failed attempts.
- Audit logging — All access to protected health information (PHI) is logged to a dedicated audit store partitioned by month, including actor identity, resource accessed, action taken, and outcome.
- Encryption in transit — TLS 1.3 with HSTS enforcement and comprehensive security headers on all API responses.
- Ephemeral session data — Session results (vital signs) are stored with a 15-minute TTL and auto-deleted. No persistent storage of PHI occurs in session data.
- Telehealth integration — SMART on FHIR OAuth 2.0 integration with Epic, Cerner, and other EHR systems. OAuth state tokens provide CSRF protection. EHR access tokens are stored only in the ephemeral session (15-minute TTL).
- Minimum necessary — On-device rPPG processing ensures only derived vital sign scores are transmitted, not raw biometric data.
- Breach notification — Covered entities are notified within 60 days of discovering a breach involving PHI, in accordance with the HIPAA Breach Notification Rule (45 CFR §§ 164.400–414).
Audit Reports
Compliance documentation and audit reports are available to enterprise customers on request. Contact your account manager or sales@circadify.com to discuss your compliance requirements.
Agreements & Legal
Formal agreements for enterprise integrations are available in the developer portal:
- Business Associate Agreement (BAA) — Required for HIPAA-covered integrations. Available for enterprise customers.
- Data Processing Agreement (DPA) — GDPR Article 28 compliant. Available on request.
- Terms of Service and Privacy Policy — Available at circadify.com/terms and circadify.com/privacy.
Contact sales@circadify.com to discuss your compliance requirements.
Next Steps
- Data Handling — Understand our data practices
- Security Overview — Full security model