Security & Compliance
Built for HIPAA workflows from day one.
Honest answers on how we handle PHI, what we’ve actually shipped, what we haven’t, and where our subprocessors fit. No marketing-grade claims we can’t back up.
HIPAA
Aligned · BAA on request
Encryption, access controls, audit logs, 60-day breach window. All in the BAA.
SOC 2
Not certified yet
Type II is on a 12-month roadmap. We’ll work through your security questionnaire manually until then.
Encryption
TLS 1.3 in transit · AES-256 at rest
Video segments + database + backups all encrypted at rest. No traffic on plain HTTP.
Tenancy
RLS-enforced isolation
Every facility-scoped table has Postgres row-level security policies. Cross-tenant reads require explicit admin DSN.
Where your data lives
TinyGuard runs on three providers, each in US-region infrastructure:
- Application code & APIs — Cloudflare Workers (global edge, no fixed region). Stateless. Code is the same wherever your request lands.
- Database — Neon serverless Postgres, US-West region. Children, care events, staff, billing, EVV submissions, immunizations — all here. Every facility-scoped table has Postgres row-level security policies enforced at the database layer, not just in application code.
- Video segments & backups — Cloudflare R2, US infrastructure. Camera recordings (when you opt into cloud storage), database backups, and the audit log export. All encrypted at rest.
Live video has two paths. On-premises mode: recordings stay on the Raspberry Pi at your facility and never leave your network. Cloud mode: 7–90 days of segments uploaded to R2 (retention by plan), accessible only through signed JWT URLs that expire in minutes.
Network and authentication
- Cloudflare Tunnel from the Pi to our infrastructure. No open ports on your firewall. Replaces the older WireGuard-based device VPN.
- Camera streams authenticated with short-lived RS256-signed JWT tokens. URLs expire in minutes — you can’t share a permanent stream link.
- Application access — JWT-based auth with refresh-token rotation. Refresh-token reuse invalidates the entire family (detects token theft).
- Role-based authorization — owner / admin / staff / parent / super-admin. Every endpoint checks role + tenant scope.
- Audit logging — every access to PHI is timestamped and tied to a user identity. Retained 6 years (the HIPAA minimum) in the audit-log export.
AI features and what data they see
Several features in TinyGuard call out to AI providers:
- Daily report drafts — child name, age, today’s logged care events. Goes to Anthropic Claude.
- Observation polish — staff-typed observation text. Goes to Anthropic Claude.
- Lesson-plan generation — facility curriculum context + room metadata. Goes to Anthropic Claude.
- Incident root-cause analysis — incident text + photo descriptions. Goes to Anthropic Claude.
⚠️ Worth knowing
AI prompts may include child names, care notes, and facility context. Anthropic processes these through their API. Our BAA covers them as a subprocessor. If that’s a hard blocker, AI features can be disabled per-facility on request — the rest of the platform works without them. Anthropic offers a Zero Data Retention option, which we can enable on enterprise contracts.
What we contractually will not do
Four covenants shape the platform's architecture. Each is locked in every Master Service Agreement, each is carved out of the liability cap, and each is backed by operator attestation at intake — reaffirmed annually. Software-enforced per-room broadcast gates ship in June 2026. Procurement teams: this is the section your counsel will care about.
- No biometrics, ever. No face recognition, no voice prints, no fingerprints, no iris scans — by contractual covenant in MSA §3, reaffirmed in every state addendum that has a biometric statute (IL BIPA, WA, NYC LL3). Carve-out from the liability cap. Separately negotiated written amendment required to ever change. See the full No-Biometrics Covenant.
- Live-only video in the cloud. Footage is broadcast through Cloudflare's WebRTC relay as encoded video, not retained as ongoing archive. The only persistent video is on the in-room Raspberry Pi (incident footage) and the opt-in plan-tiered cloud archive when a facility enables it. Minimizes our exposure surface — we cannot hand over what we never stored.
- Enrollment-gated broadcast. Parents agree to the broadcast at enrollment, not stream-by-stream. The Center signs the operator attestation (TG-ATT-001) confirming 100% room coverage; this is the controlling enforcement mechanism. Per-room software gating — automatic broadcast suspend when consent or attestation lapses — ships June 2026.
- Audio off by default. Wiretap statutes apply (11+1 all-party-consent states). Audio is off by default in code across every installation. Turning it on requires a separate addendum with 100% staff + family coverage. Per-room signature-coverage gating ships June 2026 as part of the broadcast-gate rollout.
The full architecture is at tinyguard.co/legal/covenants. The controller/processor split that frames the legal obligations (Center = data controller, TinyGuard = processor) is detailed in the DPA (childcare) and the BAA (elder care).
Subprocessors
The full list of third parties that may process PHI when you use the platform:
| Subprocessor | What it handles | Data class |
|---|---|---|
| Cloudflare | Edge compute (Workers), R2 storage, Tunnel for Pi connectivity | All in-app data, video segments, audit logs |
| Neon | Postgres database hosting | Children, care events, staff, billing, EVV, immunizations |
| Anthropic | Claude API for daily reports / observations / lesson plans / RCA | Free-text PHI in AI features only (opt-out available) |
| OpenAI | Backup AI provider when Anthropic credits are exhausted | Same surface as Anthropic; only one provider serves a request |
| Stripe | Tuition / autopay / hardware checkout | Family billing identifiers, payment methods (never raw card numbers; Stripe handles PCI) |
| Resend | Transactional email (daily reports to parents, demo confirmations, billing receipts) | Email addresses + email body content |
| Twilio | SMS notifications + incoming text-to-message bridge | Phone numbers + message text |
The signed BAA names each subprocessor explicitly. We give 30 days’ notice if we add or change a subprocessor that touches PHI.
If something goes wrong
Breach notification within 60 days of confirmed discovery — sooner if we can. We tell you what happened, what PHI was affected, what we’re doing about it, and we coordinate the HHS notifications your BAA requires. Standard HIPAA breach-rule timing.
Data export on cancel within 30 days of a written request — full CSV/JSON export including raw audit logs. After your team confirms receipt, we destroy all copies including backups (90-day backup-retention window means full destruction completes within 120 days of cancellation).
SOC 2 status
We’re not SOC 2 Type II certified yet. We’re a startup in pilot phase. SOC 2 is on a 12-month roadmap that starts once we have paying customers and audit budget. If SOC 2 is a hard procurement requirement for your facility, tell us early — we’ll work through your security questionnaire manually and walk you through the controls we have shipped today.
What we don’t do: promise a SOC 2 date we can’t keep, or claim alignment we can’t demonstrate.
Special cases — talk to us early
A few scenarios need a real conversation, not a checkbox on a form:
- You’re subject to 42 CFR Part 2 (substance use disorder records) — stricter than HIPAA, needs specific BAA terms.
- You need data residency outside the US (EU GDPR, California CMIA). We’re US-only today; reach out and we’ll discuss.
- Your IT team wants to penetration-test our infrastructure. We have a coordinated-disclosure policy — email us first.
- You need CMS audit-trail requirements beyond standard EVV. We’ll walk through what we capture.