KinHealth
Back to home

Security posture

How we keep your family's records safe.

Health documents deserve better than a photo roll and a group chat. Here is what we have built — and what we are honest about still building — to keep yours out of the wrong hands.

Last updated · April 2026

1. Where the data lives

All customer data — account records, uploaded documents, derived extractions — is stored on infrastructure located within India, operated by a tier-1 cloud provider. Data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Backups are encrypted with separately-held keys and also remain in India.

2. How AI sees your documents

We use enterprise-tier large language model endpoints that are contractually bound to:

  • Not retain prompts or responses after processing.
  • Not use your data to train any future model.
  • Not log prompts to human-reviewable systems.

We never send raw documents to any endpoint that lacks those guarantees. Where structured extraction can be done locally — for example matching medication names against a curated database — we do it locally and never involve a model at all.

3. Access controls

  • Production systems require hardware-backed multi-factor authentication. No shared accounts.
  • Engineer access to customer data is gated behind named, time-limited, audit-logged sessions — used only to investigate a specific incident you have reported.
  • We do not routinely read your documents. When we look at an extraction for clinical review, we work from anonymised samples whenever possible.

4. Audit logging

Every access to customer data — whether by you, a family member on your account, or an engineer on incident duty — is logged. Logs are write-once, retained for a minimum of one year, and available to you on request.

5. Software supply chain

Third-party libraries are pinned to specific versions and reviewed on update. We run automated vulnerability scanning on every build and cut new releases when a critical advisory lands upstream.

6. Responsible disclosure

If you believe you have found a security issue, please email security@kinhealth.app. We will acknowledge within 48 hours and aim to triage within five business days. We will not pursue legal action against researchers who act in good faith: no denial-of-service, no accessing data that is not yours, no social engineering of our team or customers.

A formal bug bounty programme is on the roadmap for later this year.

7. What we are still working on

We believe in saying what we have built, not what we have promised. In-flight work includes:

  • Independent SOC 2 Type II audit — engagement begins Q3 2026.
  • ISO 27001 certification — targeting 2027.
  • Verified-consent SMS flow for family members who want to confirm their enrolment themselves.

8. Contact

Security issues: security@kinhealth.app. Privacy queries: privacy@kinhealth.app.