
Compliance

Circadify is designed to help you meet your regulatory obligations. Below are the compliance standards we support and the controls we provide.

Standard          Status
HIPAA             Available — BAA provided for enterprise customers
SOC 2 Type II     In progress
ISO 27001         In progress
GDPR              Platform controls support compliance
CCPA              Platform controls support compliance

Circadify provides the following controls to support GDPR compliance:

  • Data Processing Agreement (DPA) — Available on request. Contact sales@circadify.com.
  • Data subject requests — Access and deletion requests are handled via support@circadify.com. Because vital sign results and uploaded tensors are not stored on our side, there is typically no health data to retrieve or delete.
  • Data residency — Enterprise customers can request EEA-resident infrastructure to keep processing within the European Economic Area. See Data Residency.
  • Audit trail — All data access and account-administration events are logged with actor, action, timestamp, and outcome for accountability.
  • Minimal data collection — On-device extraction ensures raw video and frames never leave the user’s device. Only the preprocessed RGB tensor is transmitted, and it is discarded after inference.
  • Breach notification — Data controllers are notified without undue delay, and in any case within 72 hours of Circadify becoming aware of a personal data breach, so that controllers can meet their own 72-hour notification deadline to the supervisory authority under GDPR Article 33.

For CCPA compliance, Circadify supports:

  • Consumer data requests — Access and deletion requests are handled via support@circadify.com.
  • No retention of consumer health data — Vital sign results are returned to the client and not stored on our side. Uploaded tensors are discarded after processing.
  • No data selling — Circadify does not sell consumer personal information to third parties.
  • Audit trail — Account-administration events are logged for accountability and compliance verification.

HIPAA-eligible configurations are available for enterprise customers with a signed Business Associate Agreement (BAA).

Circadify implements the following HIPAA-relevant controls:

  • Business Associate Agreement — BAA is provided for enterprise customers using Circadify in clinical or telehealth settings. Contact sales@circadify.com.
  • Access controls — API keys are stored only as one-way hashes, so a compromise of the key store does not yield usable keys. Requests are rate limited, and accounts are locked out after repeated failed authentication attempts.
  • Audit logging — All access events are logged to a dedicated audit store, including actor identity, resource accessed, action taken, and outcome. Audit records contain no health data.
  • Encryption in transit — All API traffic is served over TLS. HSTS is enforced so that browser-based clients cannot be downgraded to plaintext HTTP, and security headers are set on all API responses.
  • No retention of PHI — Vital sign results are returned synchronously in the API response and are not stored on our side. Uploaded RGB tensors are processed and discarded.
  • Telehealth integration — SMART on FHIR OAuth integration with major EHR systems. OAuth state tokens provide CSRF protection. EHR access tokens are held only for the duration of the request.
  • Minimum necessary — On-device extraction ensures only the preprocessed RGB tensor is transmitted, never raw video or images.
  • Breach notification — Covered entities are notified without unreasonable delay, and no later than 60 calendar days after discovery of a breach involving PHI, in accordance with the HIPAA Breach Notification Rule (45 CFR §§ 164.400–414).

Compliance documentation and audit reports are available to enterprise customers on request through your account manager.

Formal agreements for enterprise integrations are available in the developer portal:

  • Business Associate Agreement (BAA) — Required for HIPAA-covered integrations. Available for enterprise customers.
  • Data Processing Agreement (DPA) — GDPR Article 28 compliant. Available on request.
  • Terms of Service and Privacy Policy — Available at circadify.com/terms and circadify.com/privacy.

Contact sales@circadify.com to discuss your compliance requirements.