Circadify

Encryption

Encryption standards and protocols used by the Circadify platform.

All data handled by Circadify is encrypted in transit. Persistent stores are encrypted at rest.

Encryption in Transit

All communication with the Circadify API is encrypted using TLS.

  • Protocol: TLS 1.3 (TLS 1.2 supported for backward compatibility)
  • Cipher suites: Strong AEAD ciphers with forward secrecy
  • HSTS: Enforced on all responses with max-age=31536000; includeSubDomains; preload
  • Security headers: Every response includes X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Content-Security-Policy: default-src 'none'; frame-ancestors 'none', and Cache-Control: no-store, no-cache, must-revalidate, private

Encryption at Rest

All persistent data stores use encryption at rest:

  • Account database — AES-256 encryption at rest for developer accounts, API key hashes, audit logs, and usage records.
  • Object storage — Server-side encryption for the upload path. Measurement payloads are processed and discarded; nothing health-related persists.
  • Key management — Encryption keys are managed by a dedicated key-management service with automatic rotation.

Measurement Flow and Data Protection

The SDK prepares the measurement payload locally, then uploads it over TLS for processing. Raw video and raw camera frames never leave the device. Public docs intentionally do not describe the low-level payload format.

After processing, the payload is discarded and the vital sign results are returned to the client over TLS. Results are not stored on our side. The only persisted artifact of a scan is a usage record (one scan credit consumed) used for billing and quota.

Key & Secret Management

Circadify uses distinct cryptographic approaches for different types of secrets:

  • API keys — Generated using cryptographically secure random bytes and stored as one-way hashes. Only the key prefix is retained in plaintext for identification. The full key is shown once at creation and never stored.
  • Passwords — Developer account passwords are hashed with bcrypt before storage. Raw passwords are never logged or persisted.
  • Session tokens — Generated using a CSPRNG and stored as hashes with a short TTL.
  • Application secrets — Service credentials are stored in a managed secrets service with automatic rotation.

Next Steps