
Security & Privacy Overview

Security and privacy are foundational to Circadify’s architecture. This page provides an overview of our security model and privacy guarantees.

Circadify employs a defense-in-depth approach with multiple security layers:

  • On-device processing — The SDK performs rPPG (remote photoplethysmography) analysis entirely on the user’s device. Raw biometric data (camera frames, video) never leaves the client. Only derived vital sign scores are transmitted to the API.
  • Encryption in transit — All API communication is encrypted with TLS 1.3 (TLS 1.2 supported for backward compatibility). HSTS is enforced with a 1-year max-age including subdomains and preload.
  • Authentication — API keys are stored only as one-way hashes, so a copy of the database does not yield usable keys. Developer passwords are hashed with bcrypt, a salted and deliberately slow password hash. Session tokens are generated from a cryptographically secure random source and expire after 24 hours.
  • Rate limiting & lockout — Sliding window rate limiting is enforced per developer. After 10 failed authentication attempts, the key is temporarily locked out for 15 minutes.
  • Input validation — All request inputs are validated against strict schemas, so malformed or unexpected data is rejected before it reaches application logic; this reduces the surface available for injection attacks.
  • Audit logging — All significant actions (authentication, session creation, data access, administrative changes) are logged to a dedicated audit store with actor, resource, outcome, IP address, and user agent.
  • Security headers — Every API response includes Strict-Transport-Security, X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Content-Security-Policy: default-src 'none', Referrer-Policy: strict-origin-when-cross-origin, and Cache-Control: no-store.
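
As an added illustration of the authentication and lockout controls listed above (example code written for this page, not Circadify's own implementation): an in-memory store that keeps only a one-way hash of each API key, compares hashes in constant time, counts failed attempts in a sliding window, locks the key for 15 minutes after 10 failures, and issues 24-hour session tokens from the OS CSPRNG. The hash algorithm (SHA-256), the 15-minute window over which failures are counted, and all class and function names are assumptions; only the lockout threshold, lockout duration and session TTL come from the page.

```python
import hashlib
import hmac
import secrets
import time
from collections import deque

LOCKOUT_THRESHOLD = 10              # failed attempts before lockout (documented)
LOCKOUT_SECONDS = 15 * 60           # lockout duration (documented)
FAILURE_WINDOW_SECONDS = 15 * 60    # sliding window for counting failures (assumption)
SESSION_TTL_SECONDS = 24 * 60 * 60  # session token lifetime (documented)


def hash_api_key(api_key: str) -> str:
    # One-way hash of the key. SHA-256 is an assumption; the page only says "one-way hash".
    # API keys are high-entropy random strings, so a fast hash is adequate here;
    # low-entropy secrets such as passwords need bcrypt instead.
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()


# Compared against for unknown key ids so response timing does not reveal which ids exist.
_DUMMY_HASH = hash_api_key("")


class DeveloperAuth:
    """In-memory key store with sliding-window lockout and session issuance (example only)."""

    def __init__(self):
        self._key_hashes = {}    # key_id -> sha256 hex of the secret
        self._failures = {}      # key_id -> deque of failure timestamps
        self._locked_until = {}  # key_id -> unix time when the lockout ends
        self._sessions = {}      # token -> (key_id, expires_at)

    def issue_key(self):
        """Create a key; the secret is returned once and only its hash is stored."""
        key_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        self._key_hashes[key_id] = hash_api_key(secret)
        return key_id, secret

    def verify_key(self, key_id, presented_secret, now=None):
        """Return 'ok', 'invalid' or 'locked' and update the failure window."""
        now = time.time() if now is None else now
        if self._locked_until.get(key_id, 0) > now:
            return "locked"  # refused even when the secret is correct

        stored = self._key_hashes.get(key_id, _DUMMY_HASH)
        matches = hmac.compare_digest(stored, hash_api_key(presented_secret))
        if matches and key_id in self._key_hashes:
            self._failures.pop(key_id, None)
            return "ok"

        window = self._failures.setdefault(key_id, deque())
        window.append(now)
        # Sliding window: only failures within the last FAILURE_WINDOW_SECONDS count.
        while window and now - window[0] > FAILURE_WINDOW_SECONDS:
            window.popleft()
        if len(window) >= LOCKOUT_THRESHOLD:
            self._locked_until[key_id] = now + LOCKOUT_SECONDS
            window.clear()
            return "locked"
        return "invalid"

    def issue_session(self, key_id, now=None):
        """Issue a 256-bit random session token that expires after SESSION_TTL_SECONDS."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (key_id, now + SESSION_TTL_SECONDS)
        return token

    def session_owner(self, token, now=None):
        """Return the key_id behind a live session token, or None if unknown or expired."""
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None
        key_id, expires_at = entry
        if now >= expires_at:
            del self._sessions[token]
            return None
        return key_id
```

Note that the lockout is keyed by the presented key id, so an attacker who knows a victim's key id can lock it out; the 15-minute cap bounds that denial of service, and the per-developer rate limit mentioned above applies on top of this check.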

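The header and HSTS requirements listed above can be checked mechanically against a live response. The following is an added example, not code from the Circadify API: it takes a response's headers (for instance `dict(requests.head(url).headers)`) and reports every deviation from the documented policy, parsing the HSTS directives rather than string-matching the whole value. The two sample responses are constructed for the example.

```python
"""Check an API response's security headers against the documented policy."""

HSTS_MIN_MAX_AGE = 31536000  # one year, as documented

# Documented values for the non-HSTS headers; names are compared case-insensitively.
REQUIRED_HEADERS = {
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
    "content-security-policy": "default-src 'none'",
    "referrer-policy": "strict-origin-when-cross-origin",
    "cache-control": "no-store",
}


def parse_hsts(value):
    """Return (max_age, flags) parsed from a Strict-Transport-Security value."""
    max_age = None
    flags = set()
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(val.strip().strip('"'))
            except ValueError:
                max_age = None  # unparseable max-age is treated as absent
        else:
            flags.add(name)
    return max_age, flags


def check_security_headers(headers):
    """Return a list of findings; an empty list means the response matches the policy."""
    normalized = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    hsts = normalized.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        max_age, flags = parse_hsts(hsts)
        if max_age is None or max_age < HSTS_MIN_MAX_AGE:
            findings.append(f"HSTS max-age below one year: {hsts!r}")
        if "includesubdomains" not in flags:
            findings.append("HSTS missing includeSubDomains")
        if "preload" not in flags:
            findings.append("HSTS missing preload")

    for name, expected in REQUIRED_HEADERS.items():
        actual = normalized.get(name)
        if actual is None:
            findings.append(f"missing {name}")
        elif actual.lower() != expected.lower():
            findings.append(f"{name}: expected {expected!r}, got {actual!r}")
    return findings


# Constructed sample responses (not captured from the real API).
COMPLIANT_RESPONSE = {
    "Content-Type": "application/json",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'none'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Cache-Control": "no-store",
}

WEAK_RESPONSE = {
    "Content-Type": "application/json",
    "Strict-Transport-Security": "max-age=300",  # short, no includeSubDomains or preload
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",              # policy says DENY
    "Content-Security-Policy": "default-src 'none'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    # Cache-Control missing: an intermediary could cache a response carrying vital signs
}

if __name__ == "__main__":
    for label, response in (("compliant", COMPLIANT_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(label, check_security_headers(response) or "OK")
```

The missing Cache-Control case is the one that matters most for this API: the response body carries derived health data, and `no-store` is what keeps shared caches and proxies from retaining it.
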
The platform follows privacy-by-design principles:

  • Data minimization — The SDK runs rPPG analysis on-device and transmits only derived vital sign scores (heart rate, respiratory rate, HRV, SpO2, blood pressure) and confidence metrics. Raw camera frames and video are never sent to any server.
  • Purpose limitation — Session data is used exclusively for vital sign analysis and result delivery. Developer account data is used only for authentication, billing, and usage tracking.
  • Storage limitation — By default, vital sign results are returned directly in the API response and are not stored server-side. When persist mode is enabled (PERSIST_VITALS=true) for async workflows, results are cached with a configurable TTL (default 15 minutes) and automatically deleted after expiry. No long-term storage of session health data occurs in either mode.
  • User control — For data subject requests (access or deletion), contact support@circadify.com. In default mode, no health data is persisted to delete. In persist mode, session data auto-expires per the configured TTL.
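
The storage-limitation behaviour described above (default mode retains nothing server-side; persist mode retains results only until a TTL expires) as an added, self-contained example rather than Circadify's server code: the class name, the environment-variable parsing, the session-id format and the purge strategy are assumptions, and a production deployment would use a shared store with native key expiry rather than an in-process dictionary. The `PERSIST_VITALS` variable and the 15-minute default TTL are from the page.

```python
import os
import secrets
import time

DEFAULT_TTL_SECONDS = 15 * 60  # documented default persist TTL


class VitalsResultStore:
    """Holds derived vital sign scores only in persist mode, and only until they expire."""

    def __init__(self, persist=None, ttl_seconds=None):
        if persist is None:
            # Assumed parsing of the documented PERSIST_VITALS flag; off unless exactly "true".
            persist = os.environ.get("PERSIST_VITALS", "false").strip().lower() == "true"
        self.persist = persist
        self.ttl = DEFAULT_TTL_SECONDS if ttl_seconds is None else ttl_seconds
        self._entries = {}  # session_id -> (expires_at, result)

    def deliver(self, result, now=None):
        """Build the API response; retain the result only when persist mode is on."""
        now = time.time() if now is None else now
        self._purge(now)
        if not self.persist:
            # Default mode: the result goes back to the caller and nothing is kept.
            return {"result": result, "session_id": None}
        session_id = secrets.token_urlsafe(16)
        self._entries[session_id] = (now + self.ttl, result)
        return {"result": result, "session_id": session_id}

    def fetch(self, session_id, now=None):
        """Return a cached result for an async workflow, or None once it has expired."""
        now = time.time() if now is None else now
        self._purge(now)
        entry = self._entries.get(session_id)
        return None if entry is None else entry[1]

    def delete(self, session_id):
        """Explicit deletion (e.g. a data subject request); True if something was removed."""
        return self._entries.pop(session_id, None) is not None

    def stored_count(self):
        return len(self._entries)

    def _purge(self, now):
        # Expiry is enforced on every access, so a stale entry is never served.
        expired = [sid for sid, (expires_at, _) in self._entries.items() if expires_at <= now]
        for sid in expired:
            del self._entries[sid]
```

Because expiry is checked on every read, an entry whose TTL has elapsed is never returned even if the background cleanup has not yet run; that is the property an auditor will ask about when reviewing the "automatically deleted after expiry" claim.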

Circadify’s current compliance posture:

  • HIPAA — Business Associate Agreement (BAA) available for enterprise customers. Required for telehealth and EHR integrations.
  • SOC 2 Type II — In progress.
  • ISO 27001 — In progress.
  • GDPR & CCPA — Platform controls support compliance with data protection regulations.

See Compliance for details.

Circadify maintains an incident response process for security events:

  • Monitoring — Infrastructure and application-level monitoring detects anomalous access patterns, authentication failures, and availability issues.
  • Classification — Security events are classified by severity and impact. Events involving potential unauthorized access to health data are treated as the highest priority.
  • Breach notification (HIPAA) — In the event of a breach of unsecured protected health information, affected covered entities are notified without unreasonable delay and no later than 60 calendar days after discovery, as the HIPAA Breach Notification Rule requires of business associates.
  • Breach notification (GDPR) — Where Circadify acts as a processor, data controllers are notified within 72 hours of Circadify becoming aware of a personal data breach. GDPR Article 33 requires processors to notify the controller without undue delay, and this window leaves the controller time to meet its own 72-hour deadline for notifying the supervisory authority.
  • Post-incident review — All security incidents are followed by a root cause analysis and remediation plan.
  • Contact — To report a security concern, email security@circadify.com.

If you discover a security vulnerability, please report it to security@circadify.com. We follow a 90-day responsible disclosure policy.

  • Acknowledgment — We will acknowledge receipt of your report within 2 business days.
  • Assessment — Our security team will assess the severity and impact of the reported vulnerability.
  • Resolution — We aim to resolve confirmed vulnerabilities within 90 days of the initial report.
  • Scope — Reports should cover the Circadify API, SDK, developer console, and documentation site. Please do not perform denial-of-service testing or access other users’ data.