Security & Privacy Overview

Security and privacy are foundational to Circadify’s architecture. This page provides an overview of our security model and privacy guarantees.

Circadify employs a defense-in-depth approach with multiple security layers:

  • On-device extraction — The SDK accesses the camera, runs face detection, and extracts processed RGB data from skin regions on the user’s device. Raw video frames never leave the device. Only the preprocessed RGB tensor is transmitted to our inference engine.
  • No health-data storage — Vital sign results are returned to the client and are not stored on our side. The uploaded RGB tensor is processed and discarded; nothing health-related persists. The only artifact of a scan is a usage record (one scan credit consumed) used for billing and quota.
  • Encryption in transit — All API communication is encrypted with TLS. HSTS is enforced on every response.
  • Authentication — API keys are stored as one-way hashes. Developer passwords are hashed with bcrypt. Session tokens are cryptographically random and short-lived.
  • Rate limiting & lockout — Sliding-window rate limiting is enforced per developer. Repeated failed authentication attempts trigger temporary lockout.
  • Input validation — All request inputs are validated with strict schemas to prevent injection and malformed data.
  • Audit logging — All significant actions (authentication, session creation, administrative changes) are logged to a dedicated audit store. Audit records contain no health data.
  • Security headers — Every API response includes Strict-Transport-Security, X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Content-Security-Policy: default-src 'none', Referrer-Policy: strict-origin-when-cross-origin, and Cache-Control: no-store.

The platform follows privacy-by-design principles:

  • Data minimization — The SDK transmits only the preprocessed RGB tensor extracted from skin regions — never raw video, raw frames, or identifiable images. The uploaded tensor is discarded after processing.
  • Purpose limitation — Tensor data is used exclusively to compute vital signs for that single request. Developer account data is used only for authentication, billing, and usage tracking.
  • Storage limitation — Vital sign results are returned synchronously in the API response and are not stored. RGB tensor uploads are not stored. The only state persisted from a scan is a usage record (one scan credit consumed).
  • User control — For data subject requests (access or deletion), contact support@circadify.com. Because no health data is stored on our side, there is typically no health data to retrieve or delete.

Circadify’s current compliance posture:

  • HIPAA — Business Associate Agreement (BAA) available for enterprise customers. Required for telehealth and EHR integrations.
  • SOC 2 Type II — In progress.
  • ISO 27001 — In progress.
  • GDPR & CCPA — Platform controls support compliance with data protection regulations.

See Compliance for details.

Circadify maintains an incident response process for security events:

  • Monitoring — Infrastructure and application-level monitoring detects anomalous access patterns, authentication failures, and availability issues.
  • Classification — Security events are classified by severity and impact. Events involving potential unauthorized access to health data are treated as the highest priority.
  • Breach notification (HIPAA) — In the event of a breach involving protected health information, affected covered entities are notified within 60 days as required by the HIPAA Breach Notification Rule.
  • Breach notification (GDPR) — Data controllers are notified within 72 hours of becoming aware of a personal data breach, as required by GDPR Article 33.
  • Post-incident review — All security incidents are followed by a root cause analysis and remediation plan.
  • Contact — To report a security concern, email security@circadify.com.

If you discover a security vulnerability, please report it to security@circadify.com. We follow a 90-day responsible disclosure policy.

  • Acknowledgment — We will acknowledge receipt of your report within 2 business days.
  • Assessment — Our security team will assess the severity and impact of the reported vulnerability.
  • Resolution — We aim to resolve confirmed vulnerabilities within 90 days of the initial report.
  • Scope — Reports should cover the Circadify API, SDK, developer console, and documentation site. Please do not perform denial-of-service testing or access other users’ data.