Security and data protection

Built for care environments, with privacy built in by default.

We minimize the data we touch

Oddity is designed to reduce exposure to sensitive information from the start.

Sensitive data is limited by design, not policy alone

Video is accessed only for real incidents, not continuous monitoring

Customers retain control over long-term video storage

Most of what we process is not video and not personal data

The two types of data we use

Operational metadata (default)

Used to run the system reliably and securely. Includes logs and monitoring data, confidence scores, and performance metrics.

  • Numeric and text-only
  • No images or video
  • No personal data

Alert video clips (only when needed)

Short clips are created only to provide context for detected incidents. Default retention is 30 days. Retention can be shortened per customer policy. Full video storage remains under the customer's control in their existing video system.

  • Contains PHI only when necessary
  • Strict, configurable retention

Strict security and privacy by design

Oddity is built for care environments, protecting people while safeguarding sensitive data from the start.

How your data is protected

Only short alert clips are transmitted, and they are always encrypted so unauthorized parties can't read them.

  • Data is protected while moving and while stored
  • No bulk footage transfer
  • No continuous video upload

Designed for regulated care environments

Oddity is built to meet the needs of healthcare and human-service organizations.

  • HIPAA-aligned, with Business Associate Agreements available
  • Designed to support audits, compliance, and responsible data handling
  • Built on secure, enterprise-grade cloud infrastructure

Privacy by design

Security and privacy are embedded throughout the product lifecycle, not added later, to ensure high availability while protecting sensitive data.

For teams that need technical detail, Oddity adheres to rigorous, industry-standard security practices.

Encryption (in transit and at rest)

  • In transit: IPsec VPN, TLS between services, SSH (AES) for maintenance
  • At rest: AES-256 encryption on Google Cloud

Authentication and access control

  • Google Cloud access via OAuth 2.0 with mandatory 2FA and least-privilege permissions
  • Tailscale SSH with identity-based access and ACL controls
  • Camera stream authentication handled per platform (e.g., Digest authentication for RTSP)
  • Microsoft Teams integrations use secure API authentication

HIPAA and Business Associate Agreements

Oddity signs a Business Associate Agreement upon request and implements required safeguards, including:

  • Administrative, physical, and technical protections
  • Breach notification and mitigation procedures
  • Subcontractor controls
  • Access and amendment processes for PHI

For more information, visit Privacy and HIPAA alignment.

Cloud platform security

Oddity is hosted on Google Cloud Platform, with:

  • Isolated, per-customer virtual private clouds (VPCs)
  • Infrastructure aligned with HIPAA and SOC 2 security principles
  • Continuous monitoring and enterprise-grade security controls