Security you can trust

1.1 Data Encryption

All data is encrypted using industry-standard algorithms at rest and in transit.

1.2 Rate Limiting

Configurable per-agent rate limits protect against abuse. Set max messages per time window with custom messaging.

1.3 Tenant Isolation

Every organization's data is logically isolated. No clinic can access another clinic's data, conversations, or settings.

1.4 Access Controls

Role-based permissions, MFA support via Clerk, session timeouts, and email-based OTP verification for staff access.

Conversations disappear by default

When a session ends it's gone. No database, no record, no trace. Nothing is ever stored unless you choose it.

No selling, ever

Your data is never sold, rented, shared, or monetized. It exists solely to power your chatbot.

You own your data

Export or permanently delete all your data at any time from your dashboard. Deletion completed within 30 days.

Conversation history — your choice

Conversations are never stored by default. If you choose to enable conversation history, sensitive information is automatically detected and removed before anything reaches storage. All logs permanently delete after 30 days.

Signed agreements across the entire data chain

Google Cloud, OpenAI, and Clerk all operate under signed HIPAA Business Associate Agreements. Every subprocessor that touches your data is contractually bound to protect it.

Google Cloud Platform

• Google Cloud holds SOC 2, ISO 27001, ISO 27017, and ISO 27018 certifications covering the infrastructure Linkd runs on
• HIPAA-eligible infrastructure with BAA signed
• Physical security — 24/7 guards, biometric access
• Redundant power, cooling, fire suppression

Pinecone

Vector database for knowledge base search. Stores mathematical representations of Customer Content only. No patient or conversation data.

Data Residency

All data stored in Google Cloud US regions by default. Canadian and UK customers are covered under appropriate data transfer agreements including PIPEDA adequacy and UK IDTA clauses.

HIPAA-Conscious Design — Active

Technical safeguards aligned with 45 CFR § 164.312. Business Associate Agreement included at signup for all plans. No separate request needed.

PHIPA Support (Ontario) — Supported

Agent Agreement available for Ontario healthcare providers. Breach notification per PHIPA requirements.

UK GDPR — Supported

Data Processing Agreement with UK International Data Transfer Addendum available. ICO-aligned data handling for all UK customers.

GDPR (EU/EEA) — Supported

Data Processing Agreement with Standard Contractual Clauses available. Data subject rights assistance and subprocessor transparency.

Quebec Law 25 — Supported

Explicit consent mechanisms, 72-hour breach notification to CAI, privacy impact assessment support for Quebec customers.