Circadify

Security & Privacy Overview

How Circadify protects user data and maintains privacy.

Security and privacy are foundational to Circadify's architecture. This page provides an overview of our security model and privacy guarantees.

Security Model

Circadify employs a defense-in-depth approach with multiple security layers:

  • Local capture — The SDK accesses the camera and prepares the measurement on the user's device. Raw video frames never leave the device.
  • No health-data storage — Vital sign results are returned to the client and are not stored on our side by default. The measurement payload is processed and discarded; nothing health-related persists. The only artifact of a scan is a usage record used for billing and quota.
  • Encryption in transit — All API communication is encrypted with TLS. HSTS is enforced on every response.
  • Authentication — API keys are stored as one-way hashes. Developer passwords are hashed with bcrypt. Session tokens are cryptographically random and short-lived.
  • Quotas & abuse protection — Production API access is authenticated per key and bounded by per-developer monthly scan quotas; sandbox traffic is additionally rate-limited. API keys carry ~160 bits of entropy, making brute-force guessing infeasible, and every auth failure returns a generic response to prevent enumeration.
  • Input validation — All request inputs are validated with strict schemas to prevent injection and malformed data.
  • Audit logging — All significant actions (authentication, session creation, administrative changes) are logged to a dedicated audit store. Audit records contain no health data.
  • Security headers — Every API response includes Strict-Transport-Security, X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Content-Security-Policy: default-src 'none', Referrer-Policy: strict-origin-when-cross-origin, and Cache-Control: no-store.
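The header set listed above can be checked from the integrator's side. The following is an added example, not Circadify code: it audits a response's headers against the values on this page. The function names and sample responses are constructed, and because the page does not state the HSTS value, the check assumes only that a usable policy carries a positive max-age.

```python
# Values from the header list above; HSTS is checked separately (value not stated).
EXPECTED = {
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
    "content-security-policy": "default-src 'none'",
    "referrer-policy": "strict-origin-when-cross-origin",
    "cache-control": "no-store",
}

def hsts_max_age(value):
    """Return max-age in seconds from a Strict-Transport-Security value, or None."""
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            arg = arg.strip().strip('"')
            return int(arg) if arg.isdigit() else None
    return None

def audit_headers(headers):
    """Return sorted findings; an empty list means the response matches the page."""
    # Header names are case-insensitive, so normalise them before comparing.
    seen = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    for name, want in EXPECTED.items():
        got = seen.get(name)
        if got is None:
            findings.append(f"missing: {name}")
        elif got.lower() != want.lower():
            findings.append(f"unexpected value: {name}: {got!r} (want {want!r})")
    hsts = seen.get("strict-transport-security")
    if hsts is None:
        findings.append("missing: strict-transport-security")
    elif not hsts_max_age(hsts):  # None or 0; max-age=0 clears the browser's HSTS entry
        findings.append(f"ineffective: strict-transport-security: {hsts!r}")
    return sorted(findings)

# Constructed sample responses (not captured from the real API).
GOOD = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff", "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'none'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Cache-Control": "no-store",
}
BAD = {k: v for k, v in GOOD.items() if k != "Cache-Control"}
BAD.update({"X-Frame-Options": "SAMEORIGIN", "Strict-Transport-Security": "max-age=0"})

if __name__ == "__main__":
    print(audit_headers(GOOD), audit_headers(BAD), sep="\n")
```

Run against real traffic by passing the header mapping from your HTTP client in place of the constructed samples.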

Privacy by Design

Note: Circadify is built with privacy as a first-class requirement, not an afterthought. Vital sign results are returned to the client and are not stored on our side by default; the measurement payload is processed and discarded.

The platform follows privacy-by-design principles:

  • Data minimization — The SDK transmits only the measurement payload needed for processing. Raw video, raw frames, and identifiable images are not uploaded.
  • Purpose limitation — Measurement payloads are used exclusively to compute vital signs for that single request. Developer account data is used only for authentication, billing, and usage tracking.
  • Storage limitation — Vital sign results are returned to your application and are not stored by Circadify by default. Measurement payloads are not retained. The only state persisted from a scan is a usage record.
  • User control — For data subject requests (access or deletion), contact support@circadify.com. Because no health data is stored on our side, there is typically no health data to retrieve or delete.

Certifications & Compliance

Circadify's current compliance posture:

  • HIPAA — Business Associate Agreement (BAA) available for enterprise customers. Required for telehealth and EHR integrations.
  • SOC 2 Type II — In progress.
  • ISO 27001 — In progress.
  • GDPR & CCPA — Platform controls support compliance with data protection regulations.

See Compliance for details.

Incident Response

Circadify maintains an incident response process for security events:

  • Monitoring — Infrastructure and application-level monitoring detects anomalous access patterns, authentication failures, and availability issues.
  • Classification — Security events are classified by severity and impact. Events involving potential unauthorized access to health data are treated as the highest priority.
  • Breach notification (HIPAA) — In the event of a breach involving protected health information, affected covered entities are notified within 60 days as required by the HIPAA Breach Notification Rule.
  • Breach notification (GDPR) — Data controllers are notified within 72 hours of becoming aware of a personal data breach, as required by GDPR Article 33.
  • Post-incident review — All security incidents are followed by a root cause analysis and remediation plan.
  • Contact — To report a security concern, email security@circadify.com.

Responsible Disclosure

If you discover a security vulnerability, please report it to security@circadify.com. We follow a 90-day responsible disclosure policy.

  • Acknowledgment — We will acknowledge receipt of your report within 2 business days.
  • Assessment — Our security team will assess the severity and impact of the reported vulnerability.
  • Resolution — We aim to resolve confirmed vulnerabilities within 90 days of the initial report.
  • Scope — Reports should cover the Circadify API, SDK, developer console, and documentation site. Please do not perform denial-of-service testing or access other users' data.
