Signal Labs

Security & Data Governance

Privacy is the architecture, not a policy bolt-on. HR never receives an individual record because the system is built so it cannot.

Effective 2026-06-13

The guarantee, in architecture

  • HR sees only cohort aggregates. Every HR query is served as k-anonymous (k ≥ 5) output with differential privacy (ε-budgeted). Cells below the k-threshold are suppressed. Individual rows are blocked by row-level security — there is no API path that returns one.
  • The model narrates, it never decides. The 0–100 Signal Score is computed deterministically on the server. The LLM only produces plain-language narration over an already-final result; it cannot change a score, band, or trend.
  • Model keys never touch health data pods. LLM provider keys live only in the shared AI gateway. Screening services hold no model credentials and call narration through a governed dispatch boundary.
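The first guarantee above (k-anonymous cohort output, suppression below the k-threshold, an ε budget that is charged per query) can be sketched in a few dozen lines. The block below is an added illustration, not Signal Labs' code: the k ≥ 5 threshold comes from the page, while the subject records, the group-by keys, the ε values and the PrivacyBudget/cohort_report names are constructed for the example. The only query path exposed to the HR side takes a cohort definition and returns counts; it has no parameter that could select a single subject.

```python
"""Cohort-only reporting: k-anonymous suppression plus ε-budgeted Laplace noise.

Added example (not Signal Labs' implementation). The k >= 5 threshold is from
the governance page; everything else here is a constructed assumption.
"""
from collections import Counter
import random

K_MIN = 5            # page: cells below k = 5 are suppressed
SENSITIVITY = 1.0    # adding or removing one subject changes any count by at most 1

# Constructed sample data: per-subject rows the HR layer never receives.
SUBJECTS = [
    {"id": f"s{i}", "team": team, "band": band}
    for i, (team, band) in enumerate(
        [("eng", "steady")] * 7 + [("eng", "rising")] * 6
        + [("sales", "steady")] * 5 + [("sales", "declining")] * 2
    )
]


class PrivacyBudget:
    """Tracks cumulative ε spent by one HR principal; refuses once exhausted."""

    def __init__(self, epsilon_total):
        self.total = float(epsilon_total)
        self.spent = 0.0

    def charge(self, epsilon):
        if epsilon <= 0:
            raise ValueError("epsilon must be positive")
        if self.spent + epsilon > self.total + 1e-12:
            raise PermissionError("epsilon budget exhausted for this principal")
        self.spent += epsilon


def laplace_noise(scale, rng):
    """Laplace(0, scale) sample as the difference of two exponentials."""
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)


def cohort_report(records, group_keys, epsilon, budget, k=K_MIN, noise=None, rng=None):
    """Return {cell: noisy_count or None}. None marks a suppressed (< k) cell.

    `noise(scale)` is injectable so tests can use zero noise; by default it is
    Laplace noise with scale = sensitivity / ε, i.e. ε-DP for counting queries.
    """
    budget.charge(epsilon)                      # charge before anything is computed
    rng = rng or random.Random()
    if noise is None:
        noise = lambda scale: laplace_noise(scale, rng)  # noqa: E731
    scale = SENSITIVITY / epsilon

    counts = Counter(tuple(r[key] for key in group_keys) for r in records)
    report = {}
    for cell, n in counts.items():
        if n < k:
            report[cell] = None                 # suppressed: fewer than k subjects
        else:
            report[cell] = max(0, round(n + noise(scale)))  # noisy, non-negative integer
    return report


if __name__ == "__main__":
    budget = PrivacyBudget(epsilon_total=2.0)
    print(cohort_report(SUBJECTS, ("team", "band"), 1.0, budget, rng=random.Random(7)))
    print(f"spent ε = {budget.spent}")
```

Two choices worth noting: the budget is charged before the query runs, so a failed or abandoned query still costs ε (a retried query cannot be used to average away the noise for free), and the suppression decision is taken on the true count exactly as the page states, with only the surviving cells carrying noise.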

Data residency

Each organization carries a residency region (eu / uk / us / …). Subject health data and FHIR Observations are stored in-region. Residency is enforced twice: at the dispatch boundary (a non-region request is rejected and audited) and at the model gateway (an EU tenant is served only by EU-resident providers). EU subject data does not leave the EU.

Consent & device connections

Every connected device — via on-device HealthKit/Health Connect, the Terra aggregator, or direct OAuth/BLE — writes an explicit, logged consent record. Revocation deletes tokens and stops ingest end-to-end. All sources normalize to the FHIR R4 Observation model.

Compliance posture

  • GDPR (Irish DPC lead supervisory authority); DPIA, RoPA, and a named DPO.
  • EHDS (Reg (EU) 2025/327) — EU-resident processing baseline.
  • UK GDPR + DPA 2018 with a UK representative; HIPAA BAA where Signal acts as a business associate.
  • US state health-privacy laws (CCPA/CPRA, Washington My Health My Data Act, and others by tenant profile).

Reporting a vulnerability

Please report suspected vulnerabilities to security@signal-labs.health. We acknowledge reports and coordinate disclosure.

This page describes the engineering posture; specific regulatory mappings are validated by Irish/EU and per-jurisdiction counsel before launch.