Log and monitoring data, confidence scores, and performance metrics. Always numeric/textual; never image or video; never personal information. Stored for diagnostics.
Short clips only when an alert occurs; may contain PHI under HIPAA. Default retention is 30 days (silent phase and normal ops), and can be reduced per customer policy. VMS storage is customer-controlled.
In transit: IPSec VPN; TLS between services; SSH (AES) for maintenance.
At rest:AES-256 for Google Cloud; All data is transmitted and stored encrypted.
Oddity signs a BAA upon request and implements required administrative, physical, and technical safeguards; breach notification and mitigation; subcontractor controls; and access/amendment processes for PHI. For more information, visit Privacy & HIPAA alignment.
Security and privacy are built into the product lifecycle to ensure high availability and protection of sensitive data.
Hosted on Google Cloud Platform with isolated per-customer VPCs. Google Cloud provides state-of-the-art security and aligns with HIPAA and SOC 2 Type II.
