Compliance
Regulatory compliance standards met by the Circadify platform.
Circadify is designed to help you meet your regulatory obligations. Below are the compliance standards we support and the controls we provide.
Standards & Certifications
| Standard | Status |
|---|---|
| HIPAA | Available — BAA provided for enterprise customers |
| SOC 2 Type II | In progress |
| ISO 27001 | In progress |
| GDPR | Platform controls support compliance |
| CCPA | Platform controls support compliance |

GDPR
Circadify provides the following controls to support GDPR compliance:
- Data Processing Agreement (DPA) — Available on request. Contact sales@circadify.com.
- Data subject requests — Access and deletion requests are handled via support@circadify.com. Because vital sign results and measurement payloads are not stored on our side, there is typically no health data to retrieve or delete.
- Data residency — Enterprise customers can request EEA-resident infrastructure to keep processing within the European Economic Area. See Data Residency.
- Audit trail — All data access and account-administration events are logged with actor, action, timestamp, and outcome for accountability.
- Minimal data collection — SDK-managed measurement preparation ensures raw video and frames never leave the user's device. Only the SDK-prepared measurement payload is transmitted, and it is discarded after processing.
- Breach notification — Data controllers are notified within 72 hours of Circadify becoming aware of a personal data breach, as required by GDPR Article 33.
CCPA
For CCPA compliance, Circadify supports:
- Consumer data requests — Access and deletion requests are handled via support@circadify.com.
- No retention of consumer health data — Vital sign results are returned to the client and not stored on our side. Measurement payloads are discarded after processing.
- No data selling — Circadify does not sell consumer personal information to third parties.
- Audit trail — Account-administration events are logged for accountability and compliance verification.
HIPAA
HIPAA-eligible configurations are available for enterprise customers with a signed Business Associate Agreement (BAA).
Circadify implements the following HIPAA-relevant controls:
- Business Associate Agreement — BAA is provided for enterprise customers using Circadify in clinical or telehealth settings. Contact sales@circadify.com.
- Access controls — API key authentication with one-way hashing and per-developer scan quotas; high-entropy keys make brute-force guessing infeasible, and auth failures return generic responses to prevent enumeration.
- Audit logging — All access events are logged to a dedicated audit store, including actor identity, resource accessed, action taken, and outcome. Audit records contain no health data.
- Encryption in transit — TLS with HSTS enforcement and comprehensive security headers on all API responses.
- No retention of PHI — Vital sign results are returned synchronously in the API response and are not stored on our side. Measurement payloads are processed and discarded.
- Telehealth integration — SMART on FHIR OAuth integration with major EHR systems. OAuth state tokens provide CSRF protection. EHR access tokens are held only for the duration of the request.
- Minimum necessary — SDK-managed measurement preparation ensures only the measurement payload is transmitted, never raw video or images.
- Breach notification — Covered entities are notified within 60 days of discovering a breach involving PHI, in accordance with the HIPAA Breach Notification Rule (45 CFR §§ 164.400–414).
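The "Access controls" and "Audit logging" items above describe a pattern rather than show it. The following is an added illustration written for this page, not Circadify's implementation: a high-entropy key is issued once and only its one-way hash is kept, verification uses a constant-time comparison, every failure (unknown key or wrong key) produces the same generic response so that valid keys cannot be enumerated, and each attempt is written to an audit record that carries actor, action, resource, timestamp and outcome but never the presented key or any health data. The `ck_` key prefix, function names and the in-memory store are assumptions.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# Constructed stand-in for a credential store (assumption, not the platform's own).
# Maps SHA-256(raw key) -> developer id; raw keys are never written here, so a
# leaked store does not yield usable credentials.
class KeyStore:
    def __init__(self):
        self.by_hash = {}
        self.audit_log = []

# One response object for every failure cause: no "unknown key" vs "bad key" distinction.
GENERIC_FAILURE = {"status": 401, "error": "unauthorized"}

AUDIT_FIELDS = ("timestamp", "actor", "action", "resource", "outcome")


def hash_key(raw_key: str) -> str:
    """One-way hash of an API key; this is all that is ever persisted."""
    return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()


def issue_key(store: KeyStore, developer_id: str) -> str:
    """Mint a key for a developer and store only its hash.

    32 random bytes give 256 bits of entropy, which makes brute-force guessing
    infeasible. The "ck_" prefix is an assumed, illustrative format.
    """
    raw = "ck_" + secrets.token_urlsafe(32)
    store.by_hash[hash_key(raw)] = developer_id
    return raw  # shown to the developer once, never retained server-side


def record_audit(store: KeyStore, actor: str, action: str, resource: str, outcome: str) -> dict:
    """Append an audit record. Deliberately carries no credential material and no health data."""
    event = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        "resource": resource,
        "outcome": outcome,
    }
    store.audit_log.append(event)
    return event


def authenticate(store: KeyStore, presented_key: str) -> dict:
    """Verify a presented key against stored hashes in constant time.

    Every stored hash is compared (no early exit on a match) so response timing
    does not depend on whether, or where, a match exists. For a large store one
    would index by a non-secret key id instead; the behaviour shown here is the point.
    """
    digest = hash_key(presented_key)
    matched = None
    for stored_hash, developer_id in store.by_hash.items():
        if hmac.compare_digest(digest, stored_hash):
            matched = developer_id
    # The audit record names the authenticated actor or "unknown"; the presented
    # key itself is never logged.
    record_audit(
        store,
        actor=matched if matched is not None else "unknown",
        action="authenticate",
        resource="api",
        outcome="granted" if matched is not None else "denied",
    )
    if matched is None:
        return GENERIC_FAILURE
    return {"status": 200, "developer_id": matched}


if __name__ == "__main__":
    store = KeyStore()
    key = issue_key(store, "dev-1")
    print(authenticate(store, key))            # granted
    print(authenticate(store, key + "x"))      # generic failure
    print(authenticate(store, "no-such-key"))  # identical generic failure
    print(store.audit_log[-1])
```

The two failing calls return byte-for-byte identical responses, and the audit trail records `outcome: denied` with actor `unknown` rather than echoing the rejected credential.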
Audit Reports
Compliance documentation and audit reports are available to enterprise customers on request. Contact your account manager or sales@circadify.com to discuss your compliance requirements.
Agreements & Legal
Formal agreements for enterprise integrations are available in the developer portal:
- Business Associate Agreement (BAA) — Required for HIPAA-covered integrations. Available for enterprise customers.
- Data Processing Agreement (DPA) — GDPR Article 28 compliant. Available on request.
- Terms of Service and Privacy Policy — Available at circadify.com/terms and circadify.com/privacy.
Contact sales@circadify.com to discuss your compliance requirements.
Next Steps
- Data Handling — Understand our data practices
- Security Overview — Full security model