Trust & Compliance

Trust is the foundation of everything we build. Circadify's contactless vital signs platform was architected security-first and privacy-by-design: raw video never leaves the device, sensitive data is encrypted end-to-end, and we collect the absolute minimum needed to deliver a result. This page explains the safeguards, controls, and compliance practices that keep health data protected at every step.

Private by design

Privacy by design

Raw video never leaves the device. Facial frames are processed in real time, then immediately discarded — only the derived vital sign signals are returned.

End-to-end encryption

All data in transit is protected with industry-standard TLS. Sensitive signals are processed in memory and never written to persistent storage.

HIPAA compliant

We maintain HIPAA-compliant infrastructure and processes, and offer Business Associate Agreements (BAAs) to covered entities and their partners.

Data minimization

No facial images, video, or patient PII are stored. Only two kinds of data ever reach our servers: anonymized numerical pixel arrays used for inference, and aggregate, organization-level usage metrics.

Secure infrastructure

We run on secure cloud infrastructure with least-privilege access controls, employee access restrictions and training, and regular security assessments.

Proven science

Built on peer-reviewed research

Our rPPG models are built on peer-reviewed research and benchmarked against gold-standard medical devices, engineered to hold accuracy across skin tones, lighting, and cameras.

1. On-Device & Minimal-Footprint Processing

Circadify captures video from your device's camera and processes it on the device to extract vital sign signals. Facial video frames and images are never stored — they are processed in real time and immediately discarded once signal extraction is complete. The raw video stream never leaves the device.

Only anonymized pixel data — numerical arrays of color values from the facial region of interest, with no visual or identifying content — is transmitted to our inference model for the final vital sign calculation. This minimal footprint is intentional: the less sensitive data that ever moves, the smaller the surface that needs protecting.

2. Encryption

Data is protected both while it moves and while it is being processed:

  • In transit: all data transmitted between your device and our servers is encrypted using industry-standard TLS protocols.
  • In memory, not persisted: the anonymized pixel data is processed in memory, never written to persistent storage, and discarded immediately after the inference result is returned.
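
To make the data flow in sections 1 and 2 concrete, here is an added, illustrative example (not Circadify's code) of an on-device front end that reduces each camera frame to a few numbers before anything is transmitted. It assumes a frame is a list of rows of (R, G, B) tuples, that a face detector has already supplied a rectangular region of interest, and that the "numerical array of color values" sent for inference is the per-channel spatial mean of that region per frame, which is a common rPPG representation; the page does not state how Circadify encodes its arrays. The `payload_numbers` check is the kind of review a customer's security team can run: the transmitted payload should scale with the number of frames, not with the image dimensions, so no image could be rebuilt from it.

```python
"""Illustrative on-device rPPG front end (added example, not Circadify's code).

Assumptions not stated on the page:
  * a frame is a list of rows of (R, G, B) tuples;
  * the facial region of interest (ROI) is a rectangle (x, y, w, h)
    produced by some on-device face detector;
  * what leaves the device is the per-channel spatial mean of the ROI
    for each frame, plus a capture timestamp.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Tuple

Pixel = Tuple[int, int, int]
Frame = List[List[Pixel]]
ROI = Tuple[int, int, int, int]  # x, y, width, height


def roi_channel_means(frame: Frame, roi: ROI) -> Tuple[float, float, float]:
    """Collapse the ROI to one (R, G, B) mean.

    Spatial averaging is the usual rPPG front end: the pulse shows up as a
    tiny colour change that survives averaging, while the spatial layout
    of the face (the identifying content) is destroyed.
    """
    x, y, w, h = roi
    if w <= 0 or h <= 0:
        raise ValueError("empty ROI")
    sums = [0, 0, 0]
    count = 0
    for row in frame[y:y + h]:
        for r, g, b in row[x:x + w]:
            sums[0] += r
            sums[1] += g
            sums[2] += b
            count += 1
    if count == 0:
        raise ValueError("ROI lies outside the frame")
    return tuple(s / count for s in sums)


@dataclass
class InferencePayload:
    """What would be transmitted: per-frame channel means and timestamps.
    Deliberately carries no width, height or per-pixel values."""
    timestamps_ms: List[int] = field(default_factory=list)
    means: List[Tuple[float, float, float]] = field(default_factory=list)


def process_stream(frames: Iterable[Frame], timestamps_ms: Iterable[int],
                   roi: ROI) -> InferencePayload:
    """Consume frames one at a time; each frame is unreferenced as soon as
    its means have been taken, so raw pixels never accumulate in memory."""
    payload = InferencePayload()
    for ts, frame in zip(timestamps_ms, frames):
        payload.timestamps_ms.append(ts)
        payload.means.append(roi_channel_means(frame, roi))
    return payload


def payload_numbers(payload: InferencePayload) -> int:
    """Count of values in the payload: 3 per frame, independent of image
    size.  Compare against width * height * 3 for the original frame to
    confirm no image could be reconstructed from what is sent."""
    return 3 * len(payload.means)


def green_trace(payload: InferencePayload) -> List[float]:
    """Mean-removed green-channel trace, the raw material for a pulse
    estimate.  This is the kind of 'derived signal' the page refers to."""
    greens = [m[1] for m in payload.means]
    baseline = sum(greens) / len(greens)
    return [g - baseline for g in greens]


def make_test_frames(n: int, width: int, height: int, roi: ROI,
                     amplitude: int = 2) -> Iterable[Frame]:
    """Constructed sample input: flat grey frames whose ROI brightens and
    dims on alternate frames, mimicking a pulse.  Yielded lazily so only
    one frame exists at a time, as with a real camera buffer."""
    x, y, w, h = roi
    for i in range(n):
        delta = amplitude if i % 2 == 0 else -amplitude
        frame = []
        for row_i in range(height):
            row = []
            for col_i in range(width):
                inside = x <= col_i < x + w and y <= row_i < y + h
                v = 128 + delta if inside else 128
                row.append((v, v, v))
            frame.append(row)
        yield frame


if __name__ == "__main__":
    roi = (2, 1, 4, 3)
    payload = process_stream(make_test_frames(4, 8, 6, roi),
                             [0, 33, 66, 100], roi)
    print("values sent:", payload_numbers(payload), "of", 8 * 6 * 3)
    print("green trace:", green_trace(payload))
```

Run as a script, it reports that twelve numbers are sent for four 8x6 frames (against 144 raw pixel values) and prints the alternating green trace; the frames themselves are never retained.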

3. What We Do — and Do Not — Store

Understanding what we never collect is essential to understanding our approach. We do not store:

  • Facial video, images, or frames of your face or body
  • Patient names or any personally identifiable information (PII)
  • Medical record numbers, dates of birth, or government identifiers
  • Individual scan results or per-user health histories

The only data that reaches our servers is:

  • Anonymized pixel arrays for inference: transient numerical color values used solely to calculate vitals, processed in real time and not stored after the inference completes.
  • Organization-level usage metrics: aggregate scan counts and timestamps logged per organization for billing and service optimization — never tied to an individual user or patient.

4. HIPAA Compliance & Business Associate Agreements

While Circadify's architecture minimizes the collection and processing of Protected Health Information (PHI), we maintain HIPAA-compliant practices for our healthcare organization customers. Our infrastructure and processes are designed to meet the technical, administrative, and physical safeguard standards expected of a HIPAA business associate.

We will enter into Business Associate Agreements (BAAs) with covered entities and their partners as required. If your organization needs a BAA in place before integrating, contact us at [email protected].

5. Infrastructure Security & Access Controls

We apply layered technical and organizational safeguards across our platform:

  • Secure cloud infrastructure with network and application access controls
  • Least-privilege access — employees can reach only what their role requires
  • Employee access restrictions and ongoing security training
  • Regular security assessments and timely updates
  • TLS encryption for all data in transit, with no persistent storage of sensitive signals

6. Compliance Roadmap & Certifications

We hold ourselves to a rising bar and are continuously formalizing our controls. A SOC 2 program is underway, with our security controls being documented and prepared for independent examination. We will share attestation details here as that work progresses.

On the clinical side, our models are benchmarked against gold-standard medical devices and engineered to hold accuracy across skin tones, lighting, and cameras. Circadify supports monitoring and screening use cases and is not intended for diagnosis.

7. Incident Response & Responsible Disclosure

We maintain processes to detect, investigate, and respond to security events, and to notify affected customers in line with our contractual and regulatory obligations.

If you believe you have found a security vulnerability or have a security concern, we want to hear from you. Please reach out to [email protected] or [email protected] and we will work with you to verify and address the issue. We ask that you give us a reasonable opportunity to remediate before any public disclosure.

8. Sub-Processors & Third-Party Services

Our website uses Google Tag Manager and Google Analytics to collect anonymous, aggregate usage statistics such as page views and general region. No personally identifiable information is collected through these tools, and we do not use them to identify or profile individual visitors.

Circadify may also integrate with third-party EHR systems and telehealth platforms at the direction of our healthcare organization customers. Any data sharing with those systems is governed by the agreements between the customer and the third-party provider. Circadify does not independently share user data with third parties for marketing or other purposes.

Questions about our security or compliance posture? Contact us at [email protected].