Privacy is the architecture
This is a health data product. Privacy isn't a feature we added — it's the foundation everything is built on. Employee data is protected by design, not by policy.
Physically separated data
Employee PHI (Protected Health Information) and HR analytics live in separate database schemas with no foreign key relationships between them, so the two cannot be joined by anyone, including us.
One-way anonymisation
Individual symptom data flows into a one-way anonymisation pipeline. Only cohort aggregates with a minimum of 25 employees flow out as health trend insights. Adoption, engagement, and training metrics are non-PHI and available without thresholds.
User-controlled sharing
Health Reports require biometric re-authentication (fingerprint or face). Only the employee can generate, view, or share their personal health data. No manager or HR can access it.
Zero manager visibility
Managers receive training and tools to be supportive but have absolutely zero access to any individual employee symptom data. The system enforces this at every level.
HIPAA compliant from day one
Business Associate Agreement with Azure, AES-256 encryption at rest, TLS 1.2+ in transit, immutable audit logs, and 7-year data retention. We don't grow into compliance — we start there.
SOC 2 Type II
Audit initiated at launch. Our infrastructure, access controls, and data handling procedures are designed to meet SOC 2 requirements from the beginning.
How data flows
HR sees two categories of data. Adoption, engagement, and training metrics are available immediately — they contain no health information. Symptom and health trend data flows through a one-way anonymisation pipeline with an industry-standard n≥25 threshold before reaching the dashboard.
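The n≥25 rule described here and under "One-way anonymisation" is a small-cell suppression step: individual rows go in, and only cohort counts that clear the threshold come out. The following is an added example written for this page, not the product's own pipeline code. It assumes a flat record shape of (employee_id, cohort, symptom), applies the stated threshold as a minimum number of distinct employees both for a cohort and for each released symptom cell, and adds a residual check that a practitioner would want: publishing a company-wide total next to released cells lets a reader subtract them and recover a suppressed cohort (a differencing attack), so the total is withheld when the remainder is below the threshold. The sample data is constructed.

```python
"""Small-cell suppression for cohort health aggregates.

Added example, not the product's code. Assumes (employee_id, cohort, symptom)
rows and reads the page's n >= 25 rule as a minimum count of distinct
employees for the cohort and for every released cell.
"""
from collections import defaultdict

MIN_COHORT = 25  # the n >= 25 threshold stated on the page


def cohort_aggregates(records, min_cohort=MIN_COHORT):
    """Aggregate (employee_id, cohort, symptom) rows into releasable counts.

    Returns {cohort: {symptom: distinct_employee_count}} containing only
    cohorts whose distinct-employee count reaches min_cohort, and within
    them only symptom cells that also reach min_cohort. Counts are of
    distinct employees, so repeat reports do not inflate a cell, and
    nothing returned carries an employee identifier.
    """
    members = defaultdict(set)                      # cohort -> employee ids
    cells = defaultdict(lambda: defaultdict(set))   # cohort -> symptom -> ids
    for emp, cohort, symptom in records:
        members[cohort].add(emp)
        cells[cohort][symptom].add(emp)

    released = {}
    for cohort, ids in members.items():
        if len(ids) < min_cohort:
            continue  # whole cohort suppressed: too few employees
        out = {s: len(e) for s, e in cells[cohort].items() if len(e) >= min_cohort}
        if out:
            released[cohort] = out
    return released


def safe_total(records, released, symptom, min_cohort=MIN_COHORT):
    """Company-wide count for one symptom, or None if publishing it would
    let a reader subtract the released cells and recover a suppressed one.

    The residual (total minus everything already released) must be zero
    or itself at least min_cohort; otherwise the total is withheld.
    """
    everyone = {emp for emp, _, s in records if s == symptom}
    total = len(everyone)
    shown = sum(c.get(symptom, 0) for c in released.values())
    residual = total - shown
    if residual != 0 and residual < min_cohort:
        return None
    return total


def sample_records():
    """Constructed sample input, not real data."""
    rows = []
    for i in range(30):   # Engineering: 30 employees, 27 fatigue, 3 headache
        rows.append((f"eng{i}", "Engineering", "fatigue" if i < 27 else "headache"))
    for i in range(12):   # Finance: 12 employees, below the threshold
        rows.append((f"fin{i}", "Finance", "fatigue"))
    rows.append(("eng0", "Engineering", "fatigue"))    # repeat report, not double counted
    rows.append(("eng0", "Engineering", "headache"))   # eng0 now also has headache (4 total)
    return rows


if __name__ == "__main__":
    recs = sample_records()
    rel = cohort_aggregates(recs)
    print(rel)                                   # {'Engineering': {'fatigue': 27}}
    print(safe_total(recs, rel, "fatigue"))      # None: 39 - 27 = 12 would expose Finance
    print(safe_total(recs, rel, "headache"))     # None: 4 would expose the suppressed cell
```

Finance disappears entirely, the Engineering headache cell (4 employees) is dropped even though the cohort itself is large enough, and the company-wide fatigue total is withheld because 39 minus the released 27 would hand the reader Finance's count of 12. Adoption and engagement metrics carry no symptom data and would bypass this step, as the text states.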