Security & Compliance

Our architecture removes patient-data risk by design: the service never holds real patient data, so there is none to leak.

We generate, never store. The K01 API creates fully synthetic patient data on demand; no real patient information is collected, processed, or stored anywhere in our production infrastructure.

Data Handling

  • All patient data is generated algorithmically; no record is derived from a real patient
  • Stateless architecture: no patient record is persisted between requests
  • Deterministic seeds: the same seed reproduces the same synthetic records, so a test scenario can be replayed exactly
  • Medical terminology (ICD-10 diagnosis codes, ATC drug codes) is drawn from public reference datasets only

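The following is an added illustration of the seeded, stateless generation model described above. It is not the K01 generator: the reference code lists are constructed, and `generate_patient` and `generate_batch` are hypothetical names. The point it shows is that a seed string fully determines the output, nothing is cached between calls, and every code emitted comes from the embedded reference list.

```python
import hashlib
import random
from typing import Dict, List

# Constructed, illustrative reference lists. A real service would load the
# public ICD-10 and ATC reference datasets; only codes from these lists can
# ever appear in a generated record.
ICD10_CODES = ["E11.9", "I10", "J45.909", "K21.9", "M54.5"]
ATC_CODES = ["A10BA02", "C09AA02", "R03AC02", "A02BC01", "M01AE01"]


def _rng_for(seed: str) -> random.Random:
    """Derive a PRNG from a hash of the seed string.

    Hashing first means any client-supplied seed (a test case name, a ticket
    id) maps to one fixed value stream, independent of Python's per-process
    hash randomisation. Nothing is stored: the state is rebuilt on every call.
    """
    digest = hashlib.sha256(seed.encode("utf-8")).digest()
    return random.Random(int.from_bytes(digest, "big"))


def generate_patient(seed: str, index: int = 0) -> Dict[str, object]:
    """Return one synthetic patient record for (seed, index).

    The index is folded into the seed so that a batch is reproducible
    record-by-record without keeping any generator state between records.
    """
    rng = _rng_for(f"{seed}:{index}")
    return {
        "patient_id": f"SYN-{rng.getrandbits(32):08x}",  # clearly marked synthetic
        "age": rng.randint(0, 99),
        "sex": rng.choice(["F", "M"]),
        "diagnoses": sorted(rng.sample(ICD10_CODES, k=rng.randint(1, 3))),
        "medications": sorted(rng.sample(ATC_CODES, k=rng.randint(0, 2))),
    }


def generate_batch(seed: str, count: int) -> List[Dict[str, object]]:
    """Return `count` records; the same (seed, count) always yields the same list."""
    return [generate_patient(seed, i) for i in range(count)]
```

Because the whole record is a pure function of the seed, a client can store only the seed in its test fixtures and regenerate the data on demand, which is what makes the stateless, store-nothing design workable for repeatable tests.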
Encryption

  • All API traffic is encrypted in transit with HTTPS/TLS
  • Automated certificate issuance and renewal with Let's Encrypt
  • Cloudflare terminates TLS at the edge, in front of the origin's own certificate
  • No generated patient data at rest to encrypt: records exist only for the duration of the request that produced them

Access Control

  • Bearer token authentication on all protected endpoints
  • Token validation uses constant-time comparison, so response timing does not reveal how much of a presented token matched
  • Rate limiting of 30 to 200 requests per minute, depending on the endpoint
  • Cloudflare DDoS protection and Web Application Firewall in front of the origin

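As an added example of what timing-attack-resistant bearer token validation looks like, not code from the K01 service: the naive form compares raw tokens with `==`, which stops at the first mismatching byte and so leaks, through response time, how long a correct prefix the attacker has; the hardened form stores only a digest of each token's secret, looks the client up by a public id, and compares digests with `hmac.compare_digest`, which takes the same time regardless of where the inputs differ. The `<client_id>.<secret>` token layout, `TOKEN_STORE` and the function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed in-memory store for the example: {client_id: sha256_hex(secret)}.
# Only digests are kept, so a leaked store does not yield usable tokens.
TOKEN_STORE: Dict[str, str] = {}

# Digest compared against when the client id is unknown, so the unknown-id
# path does the same hashing and comparison work as the known-id path.
_DUMMY_DIGEST = hashlib.sha256(b"no-such-client").hexdigest()


def issue_token(client_id: str) -> str:
    """Create a bearer token '<client_id>.<secret>' and store only its digest."""
    secret = secrets.token_urlsafe(32)  # base64url alphabet: never contains '.' or ' '
    TOKEN_STORE[client_id] = hashlib.sha256(secret.encode()).hexdigest()
    return f"{client_id}.{secret}"


def parse_bearer(authorization: Optional[str]) -> Optional[str]:
    """Return the token from an 'Authorization: Bearer <token>' header, else None."""
    if not authorization:
        return None
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer" or not token or " " in token:
        return None
    return token


def validate_naive(authorization: Optional[str], raw_tokens: Dict[str, str]) -> Optional[str]:
    """VULNERABLE (illustrative only): raw secrets in the store, '==' comparison.

    str equality returns as soon as a byte differs, so an attacker measuring
    response times can confirm the token one byte at a time instead of
    guessing the whole value.
    """
    token = parse_bearer(authorization)
    if token is None:
        return None
    for client_id, stored in raw_tokens.items():
        if token == stored:
            return client_id
    return None


def validate_token(authorization: Optional[str]) -> Optional[str]:
    """Hardened check: returns the client id on success, otherwise None.

    The client id is public, so looking it up in a dict leaks nothing useful.
    The secret is hashed and compared in constant time against the stored
    digest (or a dummy digest when the id is unknown).
    """
    token = parse_bearer(authorization)
    if token is None:
        return None
    client_id, _, secret = token.partition(".")
    expected = TOKEN_STORE.get(client_id, _DUMMY_DIGEST)
    presented = hashlib.sha256(secret.encode()).hexdigest()
    # compare_digest runs in time independent of where the two strings differ.
    matched = hmac.compare_digest(presented, expected)
    return client_id if matched and client_id in TOKEN_STORE else None
```

Two details matter beyond the comparison itself: the dummy digest keeps an unknown client id from returning measurably faster than a wrong secret for a known id, and hashing the secret before comparison means the database never holds anything an attacker could replay.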
Infrastructure

  • On-premise servers located in Iceland (EEA jurisdiction, so the GDPR applies)
  • European (EEA) data residency
  • Cloudflare proxy for edge protection
  • No third-party processors of patient data: there is no real patient data to process

Compliance

GDPR: EEA data residency (Iceland); no personal data is processed
EU AI Act: synthetic training data supports compliant AI development
HIPAA: synthetic data is not PHI, so HIPAA obligations do not arise by design
BAA: available for enterprise customers
Roadmap: SOC 2 and ISO 27001 certifications planned

Security Inquiries

For security questionnaires or compliance documentation:

[email protected]