We only retain video clips when an alert occurs, never recording continuously, and store them for a maximum of 30 days (or less at the customer's request).
Metadata such as system logs and performance metrics is never personal and may be retained for diagnostics.
All data is encrypted both at rest and in transit, using industry-standard methods such as AES-256 and TLS.
Access to production systems follows strict least-privilege principles, with multi-factor authentication and identity-based controls.
Each customer operates in a fully isolated Virtual Private Cloud, ensuring no cross-account data exposure.
Together, these measures provide robust privacy, transparency, and trust for every organization we serve.
For customers that require it, Oddity maintains full Health Insurance Portability and Accountability Act (HIPAA) compliance. Oddity processes video material, which is considered protected health information (PHI) in the context of HIPAA. Oddity will sign a Business Associate Agreement (BAA) as required.
Oddity implements all necessary security and privacy measures in accordance with HIPAA. Documentation is available upon request.
Configurable retention and deletion: you set the retention period (up to 30 days) and can trigger secure deletion at any time.
Role-based access: least-privilege roles with MFA always enforced.
Audit trails: every view, export, and configuration change is logged for review.
Data residency options: US/EU hosting available to meet policy needs.
Subprocessor transparency: current subprocessor list and DPAs/BAAs available on request.
Incident response: documented procedures with rapid notification and post-incident reporting.