Last Updated: November 29, 2025
1. Our Security Commitment
OxyZen Medical Technology LLC is committed to protecting the confidentiality, integrity, and availability of your personal and health data. We implement industry-leading security practices and comply with applicable data protection regulations including:
- HIPAA: Health Insurance Portability and Accountability Act (where applicable)
- GDPR: General Data Protection Regulation (EU)
- CCPA: California Consumer Privacy Act
- ISO 27001: Information Security Management Standards
- SOC 2 Type II: Security and Availability Controls (in progress)
2. Data Encryption
2.1 Data in Transit
All data transmitted between your device and our servers is encrypted using industry-standard protocols.
- TLS 1.3: Transport Layer Security with forward secrecy
- AES-256 encryption: Advanced Encryption Standard for data transmission
- Certificate pinning: Prevents man-in-the-middle attacks in the mobile app
- HTTPS only: All web communications encrypted by default
- Bluetooth encryption: Secure pairing between ring and mobile device
2.2 Data at Rest
Your stored data is encrypted using military-grade encryption standards.
- AES-256 encryption: All health data encrypted in our databases
- Encrypted backups: All backup copies are encrypted
- Encrypted file storage: Documents and files encrypted at rest
- Database encryption: Full database encryption enabled
- Key management: Encryption keys stored separately using AWS KMS or Azure Key Vault
2.3 End-to-End Encryption
- Certain sensitive communications use end-to-end encryption
- Health data synced between devices is encrypted locally before transmission
- Only you have access to decrypt certain personal data
3. Data Storage & Infrastructure
3.1 Secure Cloud Infrastructure
OxyZen uses industry-leading cloud providers with robust security certifications:

| Service | Provider | Security Features |
|---|---|---|
| Data Hosting | AWS / Azure | SOC 2, ISO 27001, HIPAA compliant |
| Database | AWS RDS / Azure SQL | Encrypted, automated backups, multi-region |
| File Storage | AWS S3 / Azure Blob | Encrypted, versioned, access-controlled |
| CDN | Cloudflare | DDoS protection, WAF, SSL/TLS |

3.2 Data Centers
- Geographic redundancy: Data replicated across multiple regions
- Physical security: 24/7 monitoring, biometric access controls
- Environmental controls: Climate control, fire suppression, backup power
- Compliance certifications: SOC 2, ISO 27001, PCI DSS certified facilities
3.3 Data Residency
- Primary location: United States (US-East region)
- EU data: Stored within EU data centers for GDPR compliance
- Data sovereignty: Compliance with local data residency requirements
- Cross-border transfers: Use of Standard Contractual Clauses where required
4. Access Controls
4.1 User Authentication
Multiple layers of authentication protect your account.
- Strong password requirements: Minimum 8 characters with complexity requirements
- Multi-factor authentication (MFA): Optional 2FA via SMS or authenticator app
- Biometric authentication: Fingerprint/Face ID for mobile app access
- Session management: Automatic logout after inactivity
- Password hashing: Bcrypt with salt for password storage (never plain text)
- Account lockout: Temporary lockout after failed login attempts
4.2 Employee Access
- Least privilege principle: Employees only have access to data necessary for their role
- Role-based access control (RBAC): Strict permission levels
- Access logging: All data access is logged and audited
- Background checks: All employees undergo security screening
- Confidentiality agreements: All staff sign NDAs and security policies
- Access reviews: Quarterly reviews of employee access rights
4.3 API Security
- OAuth 2.0: Secure authorization framework for third-party integrations
- API keys: Unique keys for each integration with rate limiting
- Token expiration: Access tokens expire and require renewal
- IP whitelisting: Restrict API access to approved IP addresses
- API monitoring: Real-time monitoring for suspicious activity
5. Network Security
5.1 Perimeter Security
- Web Application Firewall (WAF): Protection against common web attacks
- DDoS protection: Cloudflare protection against distributed denial-of-service attacks
- Intrusion Detection System (IDS): Real-time threat detection
- Intrusion Prevention System (IPS): Automatic blocking of suspicious traffic
- VPN access: Secure VPN required for administrative access
5.2 Network Segmentation
- Production, staging, and development environments are isolated
- Database servers are on private subnets with no direct internet access
- Microservices architecture with isolated network zones
- Zero-trust network model implementation
6. Application Security
6.1 Secure Development Practices
Security by Design: Security is built into every stage of development, not added as an afterthought.
- Secure coding standards: OWASP Top 10 compliance
- Code reviews: Mandatory peer review before deployment
- Static code analysis: Automated scanning for vulnerabilities
- Dependency scanning: Regular checks for vulnerable third-party libraries
- Security testing: Penetration testing and vulnerability assessments
6.2 Input Validation & Sanitization
- All user inputs are validated and sanitized
- Protection against SQL injection, XSS, and CSRF attacks
- Parameterized queries for all database operations
- Content Security Policy (CSP) headers implemented
6.3 Regular Updates & Patching
- Critical security patches applied within 24 hours
- Regular updates to all software dependencies
- Automated vulnerability scanning
- Patch management process with testing and rollback procedures
7. Mobile App Security
7.1 App Security Features
- App sandboxing: Isolated app environment on your device
- Secure storage: Keychain (iOS) and Keystore (Android) for sensitive data
- Code obfuscation: Protection against reverse engineering
- Certificate pinning: Prevents man-in-the-middle attacks
- Jailbreak/root detection: App refuses to run on compromised devices
- Screen capture prevention: Sensitive screens cannot be screenshotted
7.2 Device Security
- Biometric authentication support (Face ID, Touch ID, fingerprint)
- Automatic data wipe after multiple failed authentication attempts
- Remote device wipe capability through account settings
- Device encryption required (enforced by iOS/Android)
8. OxyZen Ring Device Security
8.1 Hardware Security
- Secure element: Dedicated security chip for sensitive operations
- Encrypted firmware: Device firmware is digitally signed and encrypted
- Secure boot: Prevents unauthorized firmware modifications
- Tamper detection: Hardware designed to detect physical tampering
8.2 Bluetooth Security
- Bluetooth Low Energy (BLE) with encryption
- Secure pairing process with PIN/passkey
- Connection only to authorized devices
- Automatic disconnect on suspicious activity
8.3 Firmware Updates
- Encrypted over-the-air (OTA) updates
- Digitally signed updates to prevent tampering
- Automatic security patches
- Rollback capability in case of update issues
9. Data Backup & Recovery
9.1 Backup Procedures
- Automated backups: Daily incremental, weekly full backups
- Encrypted backups: All backups encrypted at rest
- Geographic redundancy: Backups stored in multiple geographic locations
- Retention policy: Backups retained for 90 days
- Backup testing: Regular restoration tests to ensure data integrity
9.2 Disaster Recovery
- Recovery Time Objective (RTO): 4 hours maximum downtime
- Recovery Point Objective (RPO): Maximum 1 hour of data loss
- Failover systems: Automatic failover to backup systems
- Business continuity plan: Documented procedures for disaster scenarios
- Annual testing: Full disaster recovery drills
10. Monitoring & Incident Response
10.1 Security Monitoring
24/7 automated monitoring and alerting for security threats.
- Real-time monitoring: Continuous monitoring of all systems
- Security Information and Event Management (SIEM): Centralized log analysis
- Anomaly detection: AI-powered detection of unusual activity
- Alert escalation: Automatic escalation of critical security events
- Audit logging: Comprehensive logs of all system activities
10.2 Incident Response
In the event of a security incident, we follow a structured response process:
- Detection & Analysis: Identify and assess the security incident
- Containment: Isolate affected systems to prevent further damage
- Eradication: Remove the threat and close vulnerabilities
- Recovery: Restore systems and verify normal operation
- Post-Incident Review: Analyze incident and improve security measures
- Notification: Inform affected users as required by law (within 72 hours for GDPR)
10.3 Security Incident Notification
If a security breach affects your data, we will:
- Notify you within 72 hours of discovering the breach (GDPR requirement)
- Provide details about what data was affected
- Explain the steps we're taking to address the breach
- Offer guidance on protecting yourself
- Notify relevant regulatory authorities as required
11. Third-Party Security
11.1 Vendor Management
- Due diligence: Security assessments before engaging vendors
- Contracts: Data processing agreements with security requirements
- Regular audits: Annual security reviews of key vendors
- SOC 2 compliance: Preference for SOC 2 certified vendors
- Limited access: Vendors only access data necessary for services
11.2 Third-Party Integrations
- All integrations reviewed for security before approval
- OAuth 2.0 authorization with limited scopes
- User consent required for data sharing
- Regular security reviews of active integrations
- Ability to revoke access at any time
12. Compliance & Certifications
12.1 Current Compliance

| Standard/Regulation | Status | Description |
|---|---|---|
| GDPR | Compliant | EU data protection regulation |
| CCPA | Compliant | California consumer privacy rights |
| HIPAA | Aligned | Health data security standards |
| SOC 2 Type II | In Progress | Security controls audit (expected Q2 2026) |
| ISO 27001 | Planned | Information security management (target 2026) |

12.2 Regular Audits
- Internal audits: Quarterly security audits by internal team
- External audits: Annual third-party security assessments
- Penetration testing: Semi-annual ethical hacking tests
- Compliance audits: Regular GDPR and CCPA compliance reviews
13. User Security Best Practices
Your Role in Security: While we implement robust security measures, your security also depends on your actions. Follow these best practices:
13.1 Account Security
- Use a strong, unique password: At least 12 characters with a mix of letters, numbers, and symbols
- Enable two-factor authentication: Add an extra layer of security
- Don't share your password: Keep credentials confidential
- Use a password manager: Securely store and generate strong passwords
- Change password if compromised: Update immediately if you suspect unauthorized access
13.2 Device Security
- Keep devices updated: Install OS and app updates promptly
- Enable device encryption: Use built-in encryption features
- Use screen lock: PIN, pattern, or biometric lock
- Install from official sources: Only download apps from App Store/Google Play
- Don't jailbreak/root: Compromises device security
13.3 Recognize Phishing
Warning: OxyZen will NEVER ask for your password via email, text, or phone. Be wary of suspicious messages claiming to be from OxyZen.
- Verify sender email addresses carefully
- Don't click links in suspicious emails
- Verify requests by contacting us directly
- Report suspicious communications to hello@oxyzen.ai
13.4 Public Wi-Fi
- Avoid accessing sensitive information on public Wi-Fi
- Use a VPN when on public networks
- Ensure HTTPS is enabled (look for padlock icon)
- Disable auto-connect to Wi-Fi networks
14. Data Retention & Deletion
14.1 Data Retention
- Active accounts: Data retained while account is active
- Inactive accounts: Accounts inactive for 3+ years may be deleted
- Health data: Retained according to user preferences (can be deleted anytime)
- Transaction records: Retained for 7 years for tax/legal compliance
- Logs: Security logs retained for 1 year
14.2 Secure Data Deletion
- User-initiated deletion: You can delete your data anytime via app settings
- Account deletion: Full account deletion within 30 days of request
- Secure erasure: Data securely overwritten, not just marked for deletion
- Backup deletion: Data removed from backups within 90 days
- Deletion confirmation: Email confirmation when deletion is complete
15. Privacy by Design
OxyZen incorporates privacy and security into every aspect of our product:
- Data minimization: We only collect data necessary for our services
- Purpose limitation: Data used only for stated purposes
- User control: You control your data and privacy settings
- Transparency: Clear communication about data practices
- Default privacy: Strictest privacy settings by default
16. Vulnerability Disclosure
16.1 Responsible Disclosure Program
We welcome reports of security vulnerabilities from security researchers and users.
Report Security Issues: If you discover a security vulnerability, please report it to security@oxyzen.ai
When reporting, please include:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact assessment
- Your contact information
Our commitment:
- We will acknowledge your report within 48 hours
- We will investigate and respond with our findings
- We will not pursue legal action against researchers who follow responsible disclosure
- We may offer recognition for significant findings (with your permission)
16.2 Bug Bounty Program
We are planning to launch a bug bounty program in 2026 to reward security researchers for discovering vulnerabilities.
17. Updates to Security Practices
We continuously improve our security measures. Updates to this document will be posted with a new "Last Updated" date. Significant changes will be communicated via:
- Email notification to all users
- In-app notification
- Website announcement
18. Contact Our Security Team
For security-related questions or to report a security issue:
OxyZen Medical Technology LLC
PA 15238
United States
Security Email: security@oxyzen.ai
Privacy Email: privacy@oxyzen.ai
General Inquiries: hello@oxyzen.ai
Phone: +1 646 989 3331
Security Incident Reporting: security@oxyzen.ai (monitored 24/7)
For PGP-encrypted communications: PGP key available upon request
Your Security is Our Priority: We are committed to maintaining the highest standards of security and data protection. If you have any questions or concerns about how we protect your data, please don't hesitate to contact us.