Cinnabar.(working name)

Security & Trust

Data-handling guarantees

What we guarantee

No hand-waving. These are the commitments we can put in writing, because they're backed by architecture and signed vendor agreements — not policy documents.

Data flow
On-site & offline Identifiable data · re-identification key
de-identification enforced
AWS environment · signed BAA De-identified data only · no training · not shared with model provider
  1. Identifiable data never leaves the clinic — we process on-site, offline.

  2. Any cloud AI processing runs only on de-identified data, in an AWS environment under a signed BAA, where AWS contractually does not train on customer data and never shares it with the model provider.

  3. De-identification is enforced before processing; the re-identification key stays with the clinic.

Architecture, not policy

A policy is a promise about what we won't do. Architecture is a fact about what can't happen. Each guarantee above holds because of how the system is built, so it does not depend on us behaving well.

Identifiable data is processed on-site, offline

Anything that could identify a person is handled inside your building, on hardware you control, with no dependency on an outbound connection. The network is not part of the trust boundary because identifiable data never crosses it.

Only de-identified data can reach the cloud

De-identification runs before any cloud step — it is a gate, not a preference. Data that still carries identifiers is structurally unable to leave. What travels to the cloud has already been stripped.

The cloud path is an AWS environment under a signed BAA

Cloud AI processing runs in an AWS environment governed by a signed Business Associate Agreement. Under that agreement AWS contractually does not train on customer data and never shares it with the model provider. These are contractual commitments, not settings we toggle.

The re-identification key never leaves the client

The mapping needed to re-associate results with a person stays with you. Because we never hold it, re-identification is not something we are in a position to do — by design, not by promise.

Straight answers

We would rather say something true and narrow than something impressive and vague.

Are you HIPAA certified?

There is no such thing as HIPAA certification — HIPAA has no official certifying body, and any vendor claiming to be "HIPAA certified" is overstating what exists. What is real: we operate under a signed AWS Business Associate Agreement for the cloud path, and identifiable data is processed on-site and offline so it never enters that path in the first place.

Do you have SOC 2 or ISO 27001?

We are not making those claims on this page, and we would rather under-promise. Our guarantees rest on architecture and signed vendor agreements you can read, not on a badge. If a formal audit becomes relevant to working together, we will talk about it plainly rather than imply a certification we do not hold.

Does the model provider ever see customer data?

No. Cloud processing happens inside an AWS environment under a signed BAA in which AWS contractually does not train on customer data and never shares it with the model provider. And only de-identified data ever reaches that environment.

What if your cloud connection is down?

Identifiable data is processed on-site and offline, so the parts that touch a person do not depend on the network being up. The cloud path handles de-identified data only.

Could you re-identify data if you were compelled to?

We do not hold the re-identification key — it stays with the client. We cannot produce a mapping we were never given. This is a property of where the key lives, not a policy we could quietly change.

Identifiable data never leaves your building — that's the product, not a feature we added. If you want to walk through the details, we will show you exactly where each boundary sits.