Compliance & Trust Center
| Framework | Scope | Status |
|---|---|---|
| HIPAA | Administrative, physical & technical safeguards for PHI. BAA available for covered entities. | ✓ Compliant |
| GDPR | Full compliance for EU/EEA users. DPA and SCCs available for data controller customers. | ✓ Compliant |
| CCPA / CPRA | California consumer rights: know, delete, correct, limit. No sale of personal information. | ✓ Compliant |
| BIPA (Illinois) | Written policy, consent, non-sale, and destruction schedule for biometric identifiers (voice prints). | ✓ Compliant |
| SOC 2 Type II | Security, availability, and confidentiality controls. Report available under NDA. | In Progress |
| WCAG 2.1 AA | Accessibility standards for senior users. Ongoing accessibility audits and remediation. | Ongoing |
HIPAA Compliance
KinBridge supports HIPAA-covered entities (hospices, skilled nursing facilities, employer health plans) with a complete suite of technical, administrative, and physical safeguards.
Technical Safeguards
- Access controls with unique user identification and automatic logoff
- Audit logs for all PHI access, modification, and transmission
- Encryption of PHI at rest (AES-256) and in transit (TLS 1.3)
- Automatic session timeout after inactivity
- Emergency access procedure ("break glass" for authorized emergencies)
Administrative Safeguards
- Designated Security Officer responsible for HIPAA compliance
- Workforce training on PHI handling
- Risk analysis and risk management program
- Contingency plan for data backup and disaster recovery
- Incident response procedures with 60-day breach notification
Physical Safeguards
- Hosted on Render infrastructure with physical security controls (SOC 2 certified data centers)
- Workstation access controls for employees with PHI access
- Device encryption and remote wipe capabilities
Need a Business Associate Agreement (BAA)?
Required for all HIPAA-covered entities using KinBridge to store or process PHI. We execute BAAs within 2 business days.
Request BAA
Enterprise Legal Documents
| Document | Purpose | Availability |
|---|---|---|
| Business Associate Agreement (BAA) | HIPAA compliance for covered entities processing PHI | On request: email enterprise |
| Data Processing Agreement (DPA) | GDPR compliance for EU/EEA data controllers; includes Standard Contractual Clauses | On request: email enterprise |
| Master Service Agreement (MSA) | Commercial terms, SLA, and enterprise-specific obligations | Included with Enterprise plan contracts |
| Sub-Processor List | Complete list of third-party processors handling customer data | Published at Privacy Policy → Sub-processors |
| Penetration Test Summary | Annual third-party security assessment results | Available under NDA: request from security |
| SOC 2 Type II Report | Independent audit of security controls | In progress: available under NDA upon completion |
User & Patient Data Rights
KinBridge supports the following data subject rights required by HIPAA, GDPR, and CCPA:
| Right | How to Exercise | Response Time |
|---|---|---|
| Access / Right to Know | Settings → Privacy, or email | 30 days (GDPR) / 45 days (CCPA) |
| Correction / Rectification | Settings → Profile, or email | 30 days |
| Deletion / Erasure | Settings → Account → Delete, or email | 30 days (data), 90 days (backups) |
| Data Portability | Email privacy | 30 days |
| Restrict Processing | Email privacy | 72 hours for acknowledgment |
| Biometric Destruction (BIPA) | Email privacy | 72 hours |
| HIPAA Right of Access | Enterprise admin dashboard or email | 30 days |
Incident Response & Breach Notification
KinBridge maintains a documented incident response plan. In the event of a security incident involving personal data:
- Internal detection goal: Contain and assess within 24 hours
- GDPR notification: Supervisory authority notified within 72 hours of discovering a reportable breach
- HIPAA notification: Covered entities notified within 60 days per HIPAA Breach Notification Rule
- User notification: Affected users notified promptly after assessment is complete
- Enterprise notification: Customer Security Officers notified within 48 hours of confirmed incidents
To report a security concern: security@kinbridge.app. See our Security page for responsible disclosure.
AI & Algorithmic Transparency
KinBridge is an AI-powered platform. Our AI compliance commitments:
- No automated decisions with legal or significant effects are made without human review
- AI companion outputs are clearly labeled as AI-generated
- Health insights are informational only and do not constitute clinical decisions
- We do not use user health data or biometrics to train AI models without explicit separate consent
- AI models used are from Anthropic (Claude), subject to Anthropic's privacy policy and data handling commitments
Contact Compliance Team
Enterprise compliance: enterprise@kinbridge.app
Privacy / DPO: dpo@kinbridge.app
Security incidents: security@kinbridge.app
BAA / DPA requests: enterprise@kinbridge.app