Our Compliance Posture
A plain-language description of where Zyntha stands today on HIPAA, BAAs, and personal health information. Honest accounting, no marketing.
Current posture: warnings only
Zyntha is currently not HIPAA-certified. We have not yet executed Business Associate Agreements (BAAs) with our infrastructure or AI providers. We ask users not to submit personal health information into platform forms until we publicly announce certification.
What this means in practice
Zyntha is an informational platform: we summarize published research, clinical-trial activity, and community discussion in brain-cancer disease areas. We are not yet a covered entity or business associate under HIPAA. That means:
- The platform is safe to use for reading, browsing, and general community participation.
- It is not safe to submit identifiable medical data — diagnosis details, medication names and dosages, symptom narratives, treatment dates, lab results, or names of providers — into our forms.
- Our portals are organized by tumor type as a topical filter. Selecting a portal is not the same as submitting a diagnosis; portal selection is the level of personalization we ask for.
What we collect today
| Data | How we treat it |
|---|---|
| Email + display name | Standard account identifier. Required for login. |
| Portal selection | Topical interest filter. Not treated as PHI. |
| Newsletter subscription (email, portal, language) | Standard contact data. Used only for the Sunday brief. |
| Community posts and replies | User-authored content. We ask users not to include personal medical details and surface a reminder before submission. |
| Saved trials, tracked topics, followed authors | User-declared interests. Not health information. |
| Optional structured health forms (diagnosis profile, check-ins, medications, journey) | Visible in the UI but prefixed with a "do not enter PHI" warning. Submissions are timestamped in an internal audit log so we have visibility on whether the warnings are respected. |
Third-party providers
Zyntha uses the following third parties. As of today, none of these are covered by a Business Associate Agreement with us. Until BAAs are in place, we do not send identifiable personal health information into any of them:
- Anthropic (Claude) — content synthesis and brief generation. Prompts contain portal-level context (e.g. "pituitary oncology") and aggregate signal counts. Names, free-text diagnosis strings, and medication identities are stripped before any call.
- Google (Gemini / embeddings) — content embeddings for similarity search. We embed published articles and trials, not user-supplied health text.
- SendGrid — newsletter and transactional email delivery. The newsletter is portal-specific; it is not personalized to any subscriber's clinical details.
- Heroku / Heroku Postgres — hosting and database. The current Heroku plan is not HIPAA-eligible. Migrating to a HIPAA-eligible plan and executing a BAA is part of our certification roadmap.
What we are doing about it
- Today (pre-cert): warnings on every form that asks for clinical data, a server-side consent gate at signup, audit logging of any PHI write attempts so we have visibility, de-identification of every third-party API call.
- Underway: reviewing the BAA chain (Heroku, Anthropic, Google, SendGrid) and the infrastructure migration required to support it. Encryption at rest. Data retention and deletion policies.
- Future: when HIPAA certification and BAAs are in place, we will publicly announce it and the warnings on this page will be replaced with the certified posture.
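The two controls described above, de-identifying every third-party call and audit-logging PHI write attempts, are illustrated below as an added example. This is not Zyntha's code; the record shape, field names (`portal`, `signal_counts`, `diagnosis_text`, and so on) and the in-memory audit log are assumptions made for the illustration. The outbound builder is deny-by-default: only an explicit allowlist of non-identifying fields can leave the platform, so a health field added to the record later cannot leak by omission.

```python
"""Allowlist-based de-identification of outbound payloads plus a PHI write-attempt audit log.

Added example, not Zyntha's code. The record layout and field names are hypothetical.
"""
from datetime import datetime, timezone

# Only these fields may be included in a call to a third-party provider.
OUTBOUND_ALLOWLIST = {"portal", "signal_counts", "language"}

# Field names (hypothetical) that must never reach a provider before BAAs exist.
PHI_FIELDS = {
    "display_name", "email", "diagnosis_text", "medications",
    "symptom_notes", "treatment_dates", "lab_results", "providers",
}


def build_outbound_context(record: dict) -> dict:
    """Return a payload containing only allowlisted, non-identifying fields.

    Everything not on the allowlist is dropped (deny-by-default). Signal counts
    are coerced to integers so that free text cannot ride along in that slot.
    """
    out = {key: record[key] for key in OUTBOUND_ALLOWLIST if key in record}
    if "signal_counts" in out:
        out["signal_counts"] = {k: int(v) for k, v in out["signal_counts"].items()}
    return out


def assert_no_phi(payload: dict) -> None:
    """Last line of defence: refuse to send a payload that carries any PHI field."""
    leaked = PHI_FIELDS & set(payload)
    if leaked:
        raise ValueError(f"refusing outbound call: PHI fields present: {sorted(leaked)}")


# In-memory stand-in for the internal audit log (hypothetical).
AUDIT_LOG: list = []


def record_phi_write_attempt(user_id: str, form: str, fields: dict) -> dict:
    """Log that a structured health form was submitted, recording which fields
    were filled in but never the submitted values themselves."""
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "user_id": user_id,
        "form": form,
        "fields_present": sorted(k for k, v in fields.items() if v not in (None, "")),
    }
    AUDIT_LOG.append(entry)
    return entry


# Constructed sample record; not real user data.
SAMPLE_RECORD = {
    "email": "user@example.com",
    "display_name": "Sample User",
    "portal": "pituitary oncology",
    "language": "en",
    "signal_counts": {"new_trials": 3, "new_papers": "12"},
    "diagnosis_text": "constructed free-text diagnosis string",
    "medications": ["constructed-medication-name"],
}

if __name__ == "__main__":
    context = build_outbound_context(SAMPLE_RECORD)
    assert_no_phi(context)
    print(context)
    print(record_phi_write_attempt("user-1", "diagnosis_profile",
                                   {"diagnosis": "constructed", "notes": ""}))
```

Running the script prints only the portal, language and integer signal counts; the email, display name, diagnosis text and medication list never appear in the outbound context, and the audit entry records that a `diagnosis` field was filled in without storing what it said.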
If you are a researcher, partner, or press and want to talk about Zyntha's compliance roadmap, reach out at platform@zyntha.com.
This page is the canonical statement of Zyntha's compliance posture. It is read by the application's runtime configuration and updates automatically when the posture changes.