TinyGuard is a HIPAA Business Associate. This agreement governs how we create, receive, maintain, and transmit Protected Health Information on behalf of your facility. Document version: 1.2 — May 2026.
Email del@tinyguard.co with your facility name and attorney contact. We return the executable BAA template within one business day. Founding Partners receive an executed BAA as part of their agreement package.
TinyGuard LLC ("Business Associate") provides a cloud-based platform for facility management — video monitoring, attendance, care event logging, family communication, billing, EVV, and related services (the "Services"). Your facility ("Covered Entity") is a HIPAA Covered Entity.
In providing these Services, TinyGuard may create, receive, maintain, or transmit Protected Health Information ("PHI") on your behalf. This Agreement establishes the terms under which TinyGuard handles PHI in compliance with HIPAA, HITECH, and their implementing regulations at 45 CFR Parts 160 and 164.
The following categories of PHI may be created, received, maintained, or transmitted by TinyGuard:
| Category | Examples |
|---|---|
| Health & care records | Medication logs, immunization records, allergy info, dietary restrictions, special needs documentation |
| Incident & injury reports | Accident reports, injury documentation, behavioral incident records |
| Care event logs | Meals, nap/sleep, diaper changes, daily care activities |
| Attendance records | Check-in/check-out times, guardian identity verification |
| Video recordings | On-premises camera footage; cloud recordings when enabled |
| Daily reports | AI-generated care summaries shared with families |
| Messaging content | Staff-to-family communications regarding an individual's care |
| EVV records | Electronic Visit Verification data for Medicaid-funded services |
TinyGuard uses and discloses PHI only as permitted by this Agreement, as necessary to perform the Services, or as Required by Law. TinyGuard may use PHI for its proper management and administration only if the use is Required by Law or appropriate confidentiality assurances are obtained. TinyGuard may de-identify PHI per 45 CFR 164.514 and use de-identified data for product improvement and aggregate analytics.
TinyGuard implements administrative, physical, and technical safeguards that reasonably protect the confidentiality, integrity, and availability of ePHI per the HIPAA Security Rule (45 CFR Part 164, Subpart C), including:
TinyGuard ensures that any subcontractor creating, receiving, maintaining, or transmitting PHI on TinyGuard's behalf agrees to the same restrictions via written agreement per 45 CFR 164.502(e)(1)(ii) and 164.314(a)(2). The "BAA Status" column below is the operative representation; we will not transmit PHI to a subprocessor marked "In progress" without an executed BAA in place at the time of transmission.
| Subcontractor | Service | PHI Scope | BAA Status |
|---|---|---|---|
| Cloudflare, Inc. | Edge compute (Workers), R2 object storage, Cloudflare Tunnel, Cloudflare Calls SFU | All ePHI stored/processed on Cloudflare infrastructure. | In progress — Cloudflare BAA available on Enterprise plan; required before first HIPAA-regulated facility goes live. |
| Neon, Inc. | Serverless PostgreSQL — primary system of record | All platform data. Tenant isolation via Row-Level Security (PostgreSQL RLS, FORCE on every facility-scoped table). | In progress — required before first HIPAA-regulated facility goes live. |
| Stripe, Inc. | Subscription + tuition payment processing | Billing identifiers and payment methods only. No clinical PHI. | Available; PHI handling is limited to non-clinical billing identifiers. |
| Resend, Inc. | Transactional email | Email addresses + message content (daily reports, billing). | In progress — required before first HIPAA-regulated facility goes live. |
| Anthropic, PBC | Claude API — care summaries, daily reports, observation analysis | Care summaries, incident analyses, and other AI content may contain child or resident names and care events. Zero Data Retention available on commercial enterprise terms. | In progress — Anthropic offers BAA; required before any PHI traverses this provider in production. |
| OpenAI, L.L.C. | Secondary AI provider for the same care-summary, daily-report, and observation flows when configured by TinyGuard | Same PHI categories as Anthropic. Only one AI provider serves a given request. | In progress — OpenAI Healthcare BAA via direct sales engagement; required before any PHI traverses this provider in production. |
| Google LLC (Gemini API) | Tertiary AI provider for the same care-summary, daily-report, observation, and support-chat flows when configured by TinyGuard | Same PHI categories as Anthropic. Only one AI provider serves a given request. | In progress — Google Vertex AI BAA via Google Cloud Healthcare; the public Gemini API does not sign BAAs. TinyGuard will route PHI to Vertex AI only, never to the public Gemini API, once contracted. |
| Twilio, Inc. | SMS notifications | Phone numbers + limited message text (e.g., pickup alerts). | In progress — required before first HIPAA-regulated facility goes live. |
TinyGuard provides 30 days' notice of material changes to this subcontractor list.
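What "PostgreSQL RLS, FORCE on every facility-scoped table" in the subcontractor table means in practice, as an added illustration that is not TinyGuard's own schema: the table name care_events, its columns, and the session setting app.facility_id are assumptions for this example. The last query is the check an auditor can run to confirm both flags are set on a table.

```sql
-- Added example (assumed table and column names, not TinyGuard's schema):
-- a facility-scoped table with Row-Level Security enforced for the
-- table owner as well as for ordinary roles.

CREATE TABLE care_events (
    id          bigserial PRIMARY KEY,
    facility_id uuid NOT NULL,          -- tenant key, one facility per row
    child_id    uuid NOT NULL,
    event_type  text NOT NULL,          -- e.g. meal, nap, diaper change
    occurred_at timestamptz NOT NULL DEFAULT now()
);

-- ENABLE alone exempts the table owner; FORCE makes the policy apply to
-- the owner too, so an application role that owns the table cannot read
-- across facilities by accident. Superusers and roles with BYPASSRLS
-- still bypass RLS, so the application role must have neither.
ALTER TABLE care_events ENABLE ROW LEVEL SECURITY;
ALTER TABLE care_events FORCE ROW LEVEL SECURITY;

-- One policy for all commands: a row is visible or writable only when
-- its facility_id equals the tenant set on the current session.
-- NULLIF guards against an unset/empty setting failing the uuid cast;
-- an unset tenant compares as NULL and therefore matches no rows.
CREATE POLICY facility_isolation ON care_events
    FOR ALL
    USING (facility_id = NULLIF(current_setting('app.facility_id', true), '')::uuid)
    WITH CHECK (facility_id = NULLIF(current_setting('app.facility_id', true), '')::uuid);

-- The application pins the tenant per transaction before any query,
-- e.g.:  SET LOCAL app.facility_id = '<facility uuid placeholder>';
-- Without it, RLS is default-deny and the query returns nothing.

-- Audit check: every facility-scoped table should report both flags true.
SELECT relname, relrowsecurity, relforcerowsecurity
FROM pg_class
WHERE relname = 'care_events';
```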
No biometrics, ever — locked as a standalone covenant in MSA §3 and reaffirmed in this BAA. No subprocessor receives video frames for biometric derivation; none of the AI providers above process biometric data on TinyGuard's behalf. See the full No-Biometrics Covenant and the broader Legal Stack v1.0 covenants page for the architectural commitments paired with this BAA.
TinyGuard makes PHI available to Covered Entity to satisfy individuals' access rights (45 CFR 164.524), amendment rights (45 CFR 164.526), and accounting of disclosures (45 CFR 164.528). Facility administrators can export individual records through the platform at any time.
TinyGuard limits its use, disclosure, and requests for PHI to the minimum necessary to accomplish the intended purpose per 45 CFR 164.502(b) and 164.514(d).
TinyGuard retains PHI for the duration of the Services agreement and, unless earlier destruction is requested, for a minimum of six (6) years from the date of creation or last effective date — consistent with 45 CFR 164.530(j). Video recordings follow the retention schedule you select within the platform (default: 30 days for cloud recordings; local recordings subject to device capacity).
Your facility warrants that, before granting TinyGuard the right to use anonymized camera footage under the Services agreement, it has obtained all required consents from families, guardians, and residents under applicable law (including COPPA for children under 13 and applicable elder care statutes).
TinyGuard notifies Covered Entity of a confirmed Breach of Unsecured PHI within 60 calendar days of discovery per 45 CFR 164.410(b). We aim to provide initial notification within 30 days where feasible.
Notification includes: the nature of the Breach, types of PHI involved, identity of affected individuals (to the extent known), what TinyGuard is doing to investigate and mitigate, and contact information for our privacy contact: Gerald Delane Peck, del@tinyguard.co.
TinyGuard cooperates with Covered Entity in meeting HHS notification obligations under 45 CFR 164.404 and 164.408. Routine unsuccessful access attempts (port scans, failed logins) are not reportable Security Incidents; summary information is available on request.
This Agreement runs concurrent with the underlying Services agreement. Either Party may terminate for material breach uncured within 30 calendar days of written notice.
On termination, TinyGuard returns or destroys all PHI at Covered Entity's election, including PHI held by subcontractors, unless retention is Required by Law. TinyGuard provides a full data export (CSV/JSON) within 30 days of written request before destruction. Obligations under this section survive termination.
Send your facility name and attorney contact. We return the executable template within one business day.