Security & Compliance
Data Handling
DeepaData processes emotionally sensitive data with encryption, consent management, and configurable retention policies. Every artifact includes governance metadata documenting how data was handled.
Encryption
All data is encrypted at rest and in transit using industry-standard protocols.
In Transit
- TLS 1.3 for all API connections
- HSTS with preload for web console
- Certificate pinning for SDKs
At Rest
- AES-256 encryption for stored data
- Hardware security modules (HSMs) for key management
- Encrypted backups with 90-day retention
Consent Management
Every artifact includes a governance domain documenting the legal basis for processing. DeepaData supports multiple consent models for different regulatory contexts.
| Consent Basis | Description | Use Case |
|---|---|---|
| consent | Explicit consent from data subject | Consumer apps, coaching platforms |
| contract | Necessary for contract performance | Therapy platforms, employer services |
| legitimate_interest | Legitimate interest with balancing test | Research, aggregate analytics |
| vital_interest | Protection of vital interests | Crisis intervention, safety escalation |
| none | No legal basis specified | Development, testing, stateless mode |
Governance Metadata
Every artifact's governance domain captures:
- Jurisdiction (GDPR, HIPAA, CCPA, etc.)
- Consent basis and timestamp
- Data controller identity
- Retention policy
Retention Policies
Retention is configurable per artifact. DeepaData enforces retention policies and provides automated deletion.
Time-Based Retention
Set retention periods (7 days, 30 days, 1 year, etc.) in the governance domain. Artifacts are automatically deleted after expiration.
Subject-Initiated Deletion
VitaPass holders can revoke consent and request deletion of all artifacts linked to their subject ID. Deletion propagates to all dependent systems.
Certificate Retention
Certificates in the registry are retained separately from artifact content, providing audit trail continuity even after data deletion.
VitaPass Integration
VitaPass provides cryptographic consent attestation, binding artifacts to verified subject identity and consent grants.
How VitaPass Works
1. Subject creates a VitaPass identity with a cryptographic key pair
2. Subject grants scoped consent to specific applications or practitioners
3. Each artifact references the consent grant and subject ID
4. Verification confirms consent is active and scope is valid
Note: VitaPass consent grants are time-bounded and scope-limited. A grant for "therapy notes" does not authorize access to "employment records." Grants can be revoked at any time by the subject.
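The step 4 check, sketched as an added example (not DeepaData or VitaPass code): it denies unless the referenced grant exists, belongs to the same subject, is unrevoked, is inside its validity window, and lists the exact scope. The `Grant` and `ArtifactRef` records, their field names, and the reason strings are hypothetical, and verification of the grant's signature is assumed to have happened before this check.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass(frozen=True)
class Grant:                       # hypothetical record, not a VitaPass schema
    grant_id: str
    subject_id: str
    scopes: frozenset
    not_before: datetime
    expires_at: datetime
    revoked_at: Optional[datetime] = None

@dataclass(frozen=True)
class ArtifactRef:                 # what an artifact references (step 3)
    subject_id: str
    grant_id: str
    scope: str

def check_consent(ref, grants, now):
    """Return (allowed, reason); any failed check denies (fail closed)."""
    grant = grants.get(ref.grant_id)
    if grant is None:
        return False, "unknown_grant"
    if grant.subject_id != ref.subject_id:
        return False, "subject_mismatch"
    if grant.revoked_at is not None and now >= grant.revoked_at:
        return False, "revoked"
    if not (grant.not_before <= now < grant.expires_at):
        return False, "outside_validity_window"
    if ref.scope not in grant.scopes:    # exact match, no prefix or wildcard
        return False, "scope_not_granted"
    return True, "ok"

# Constructed sample data (all identifiers invented for this example)
DAY = timedelta(days=1)
T0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
SCOPES = frozenset({"therapy notes"})
GRANTS = {"g-1": Grant("g-1", "subj-42", SCOPES, T0, T0 + 30 * DAY)}
REVOKED = {"g-1": Grant("g-1", "subj-42", SCOPES, T0, T0 + 30 * DAY,
                        revoked_at=T0 + 5 * DAY)}
NOTES = ArtifactRef("subj-42", "g-1", "therapy notes")
RECORDS = ArtifactRef("subj-42", "g-1", "employment records")

if __name__ == "__main__":
    cases = [(NOTES, GRANTS, T0 + DAY), (RECORDS, GRANTS, T0 + DAY),
             (NOTES, REVOKED, T0 + 10 * DAY), (NOTES, GRANTS, T0 + 31 * DAY)]
    for ref, grants, when in cases:
        print(ref.scope, when.date(), check_consent(ref, grants, when))
```

Revocation is tested before the validity window so that a revoked grant is reported as revoked even when it has also expired.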
API Key Scopes
API keys are scoped to limit access to specific operations and data.
| Scope | Permissions |
|---|---|
| extract | Create extractions, observations, and batch uploads |
| validate | Validate artifacts against schema |
| issue | Seal artifacts into .ddna envelopes |
| verify | Verify envelopes and retrieve certificates |
| vitapass | Manage consent scopes and presentations |