Trusted AI

Privacy and HIPAA alignment

1. Video clips are created only when an alert is triggered. Video is never recorded continuously, and clips are retained for at most 30 days, or a shorter period at the customer's request.

2. Operational metadata such as system logs and performance metrics contains no personal information and may be retained for diagnostics and system reliability.

3. All data is encrypted in transit and at rest using industry-standard methods: TLS for data in transit and AES-256 for data at rest.

4. Access to production systems is restricted to the minimum necessary, with multi-factor authentication and identity-based access controls enforced at every level.

5. Every customer runs in a fully isolated cloud environment, so no data is shared with or accessible from other customer accounts.

These measures are designed to give care organizations confidence that their data is handled with the same care they provide to the people they serve.

HIPAA alignment

For organizations operating under HIPAA, Oddity is designed to meet the requirements of the Health Insurance Portability and Accountability Act. Because Oddity processes video material that may qualify as Protected Health Information (PHI), we sign a Business Associate Agreement (BAA) upon request.

All required administrative, physical, and technical safeguards are in place. Detailed documentation is available upon request.

HIPAA Compliance

Configurable retention and deletion: you define the retention period (up to 30 days) and can request secure deletion at any time.

Role-based access: access is limited to what each role requires, with multi-factor authentication always enforced.

Audit trails: every access event, export, and configuration change is logged and available for review.

Data residency options: hosting is available in the US and EU to meet regional and organizational requirements.

Subprocessor transparency: a current list of subprocessors and associated agreements (DPAs, BAAs) is available on request.

Incident response: documented procedures are in place for rapid notification, containment, and post-incident reporting.