Security & Trust

Linkd HQ — Built with security at its core

Our Security Philosophy

Linkd is designed to provide controlled access to organizational knowledge, not to serve as or manage a regulated clinical system. Security is built into every layer of the architecture, from infrastructure to application to access controls.

Data Protection Commitments

Never Used for AI Training

Customer Content is never used to train, fine-tune, or improve AI models. Queries are processed in real time and are not retained by the AI providers that handle them.

Data Never Sold

We do not sell, rent, license, or monetize your data in any form. Your information is used solely to deliver the Service.

Customer Control

You control publication, access settings, and visibility. Public exposure is always opt-in. Nothing is published externally unless you explicitly enable it.

Export & Delete Anytime

Request a full data export or permanent deletion at any time. Deletion is completed within 30 days by cryptographic erasure: the keys protecting your data are destroyed, and any ciphertext that remains becomes unreadable.

Platform Safeguards

Encryption & Key Management

At Rest

AES-256-GCM encryption

In Transit

TLS 1.3 with perfect forward secrecy

Key Management

Google Cloud KMS with automatic rotation

Backup Encryption

Encrypted under keys separate from those used for primary storage

Authentication & Access

Passwordless Authentication

Email-based OTP for Team Chat

Multi-Factor Authentication

MFA support via Clerk

Role-Based Access Controls

Admin, Staff, Patient-facing permissions

Session Security

Automatic timeout and concurrent session limits

Infrastructure & Network Security

Google Cloud Platform

Hosted on Google Cloud, which holds SOC 2 and ISO 27001 attestations; HIPAA coverage under a signed BAA

DDoS Protection

Google Cloud Armor and rate limiting

Logical Tenant Isolation

Each organization's data is logically isolated from every other organization's; no tenant can read or write another tenant's data

Network Segmentation

Production isolated from development

Automated Monitoring

24/7 security event monitoring and alerting

Multi-Zone Redundancy

Automatic failover within region

Audit & Data Protection

Comprehensive Audit Logging

Who, what, when, where — every action logged

6-Year Log Retention

Six-year retention to meet HIPAA documentation requirements (45 CFR § 164.316(b)(2)) and PHIPA obligations

Tamper-Proof Logs

Append-only storage; entries cannot be modified or deleted after they are written
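The page does not say how the append-only guarantee is enforced. The usual mechanism, shown here as an added example that is not Linkd's code, is to hash-chain each audit entry (who, what, when, where) to the entry before it and replay the chain whenever the log is exported or audited. The Entry layout, the Verify routine and the sample events are all constructed for illustration. The example also shows the caveat a practitioner should know: a bare hash chain catches edits, reordering and removals in the middle of the log, but not truncation of the newest entries, which is why the chain head has to be published or signed out-of-band.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Entry is one audit record (who, what, when, where). PrevHash links it to the
// entry before it, so altering any stored entry invalidates every later link.
// Hypothetical layout for illustration, not Linkd's schema.
type Entry struct {
	Seq      int    `json:"seq"`
	Actor    string `json:"actor"`     // who
	Action   string `json:"action"`    // what
	Target   string `json:"target"`
	At       string `json:"at"`        // when, RFC 3339
	SourceIP string `json:"source_ip"` // where
	PrevHash string `json:"prev_hash"`
	Hash     string `json:"hash"`
}

const genesis = "0000000000000000000000000000000000000000000000000000000000000000"

// digest hashes every field except Hash itself, via canonical JSON.
func digest(e Entry) string {
	e.Hash = ""
	b, _ := json.Marshal(e) // marshalling this plain struct cannot fail
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Log is append-only: there is no method that edits or removes an entry.
type Log struct{ entries []Entry }

func (l *Log) Entries() []Entry { return l.entries }

// Append chains the new entry to the current head.
func (l *Log) Append(actor, action, target, at, ip string) Entry {
	prev := genesis
	if n := len(l.entries); n > 0 {
		prev = l.entries[n-1].Hash
	}
	e := Entry{Seq: len(l.entries), Actor: actor, Action: action, Target: target,
		At: at, SourceIP: ip, PrevHash: prev}
	e.Hash = digest(e)
	l.entries = append(l.entries, e)
	return e
}

// Verify replays the chain over an exported log and returns its head hash. It
// detects edits, reordering, insertion and deletion in the middle, but NOT
// truncation of the tail: compare the returned head with the one you published.
func Verify(entries []Entry) (string, error) {
	prev := genesis
	for i, e := range entries {
		switch {
		case e.Seq != i:
			return "", fmt.Errorf("entry %d: sequence mismatch (%d)", i, e.Seq)
		case e.PrevHash != prev:
			return "", fmt.Errorf("entry %d: broken link to previous entry", i)
		case digest(e) != e.Hash:
			return "", fmt.Errorf("entry %d: content does not match its hash", i)
		}
		prev = e.Hash
	}
	return prev, nil
}

func main() {
	var l Log // constructed sample events, not real log data
	l.Append("dr.smith", "view", "record/123", "2026-01-05T14:02:11Z", "10.0.0.5")
	l.Append("admin", "export", "tenant/org-42", "2026-01-05T14:10:40Z", "10.0.0.9")
	l.Append("dr.smith", "delete", "record/123", "2026-01-05T15:00:00Z", "10.0.0.5")
	head, _ := Verify(l.Entries())

	// An insider rewrites who ran the export. Recomputing that entry's own hash
	// does not help: entry 2 still points at the old hash.
	tampered := append([]Entry(nil), l.Entries()...)
	tampered[1].Actor = "nobody"
	_, err := Verify(tampered)
	fmt.Println("edit:", err)
	tampered[1].Hash = digest(tampered[1])
	_, err = Verify(tampered)
	fmt.Println("edit with recomputed hash:", err)

	// Dropping the newest entry passes the chain check; only the published head
	// catches it.
	h, err := Verify(l.Entries()[:2])
	fmt.Println("truncation: err =", err, "| head matches published:", h == head)
}
```

The head hash is what to anchor externally: write it to a write-once bucket, a separate account, or a signed timestamp, and have the auditor's verification compare against that copy rather than the one stored beside the log.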

Cryptographic Erasure

On deletion, the keys protecting the data are destroyed, so the ciphertext that remains cannot be recovered
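To make concrete what the "separate keys", "automatic rotation" and "cryptographic erasure" items above mean in practice, here is an added Go example of envelope encryption with AES-256-GCM. It is not Linkd's code: the Tenant type, the in-memory KEK standing in for a Google Cloud KMS key, and the sample record are all assumptions. It shows why rotating the KMS-held key does not require re-encrypting stored data (only the wrapped DEK is rewrapped), why a wrapped DEK copied from another tenant will not open (the tenant ID is bound as GCM associated data), and how destroying the DEK leaves every record, including any backup copy taken earlier, as unrecoverable ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Tenant is a hypothetical per-organization store (not Linkd's code): records
// are sealed under a data-encryption key (DEK) that is itself kept only wrapped
// under a key-encryption key (KEK) standing in for the KMS-held key.
type Tenant struct {
	ID         string
	WrappedDEK []byte   // DEK sealed under the KEK, tenant ID bound as AAD
	Records    [][]byte // each is nonce || AES-256-GCM ciphertext
}

var ErrErased = errors.New("DEK destroyed: ciphertext remains but nothing can open it")

// randBytes draws from the OS CSPRNG; a failure here is not recoverable.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// NewKey stands in for KMS key creation; a 32-byte key selects AES-256.
func NewKey() []byte { return randBytes(32) }

// seal returns nonce || ciphertext under a fresh random 96-bit nonce.
func seal(key, plaintext, aad []byte) []byte {
	block, _ := aes.NewCipher(key) // keys in this program are always 32 bytes
	g, _ := cipher.NewGCM(block)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}

// open authenticates before returning plaintext; a wrong key or AAD fails.
func open(key, blob, aad []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	if len(blob) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// NewTenant mints a DEK and stores it only in wrapped form.
func NewTenant(kek []byte, id string) *Tenant {
	return &Tenant{ID: id, WrappedDEK: seal(kek, NewKey(), []byte(id))}
}

// unwrap fails after Erase, under the wrong KEK, or for another tenant's blob.
func (t *Tenant) unwrap(kek []byte) ([]byte, error) {
	if t.WrappedDEK == nil {
		return nil, ErrErased
	}
	return open(kek, t.WrappedDEK, []byte(t.ID))
}
func (t *Tenant) Store(kek, plaintext []byte) error {
	dek, err := t.unwrap(kek)
	if err == nil {
		t.Records = append(t.Records, seal(dek, plaintext, []byte(t.ID)))
	}
	return err
}
func (t *Tenant) Read(kek []byte, i int) ([]byte, error) {
	dek, err := t.unwrap(kek)
	if err != nil {
		return nil, err
	}
	return open(dek, t.Records[i], []byte(t.ID))
}

// RotateKEK rewraps the DEK and touches no record: rotating the KMS key does
// not mean re-encrypting stored data.
func (t *Tenant) RotateKEK(oldKEK, newKEK []byte) error {
	dek, err := t.unwrap(oldKEK)
	if err == nil {
		t.WrappedDEK = seal(newKEK, dek, []byte(t.ID))
	}
	return err
}

// Erase is the cryptographic-erasure step (in production: delete the wrapped DEK
// or the per-tenant KMS key). Every record, including earlier backups, is dead.
func (t *Tenant) Erase() { t.WrappedDEK = nil }

func main() {
	kek, newKEK := NewKey(), NewKey()
	org := NewTenant(kek, "org-42")
	_ = org.Store(kek, []byte("constructed sample record"))
	_ = org.RotateKEK(kek, newKEK) // records stay readable, under newKEK only
	org.Erase()
	_, err := org.Read(newKEK, 0)
	fmt.Println("after erase:", err)
}
```

One caveat for a reader relating this to the "backup encryption with separate keys" item above: erasure is only complete when the keys under which backup copies were written are destroyed as well, or the backups age out of their retention window. Destroying the primary DEK alone leaves a backup readable by whoever holds the backup key.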

Automated Daily Backups

30-day rolling retention, encrypted

Anomaly Detection

Automated alerting for suspicious activity

Compliance & Certifications

HIPAA Technical Safeguards

Implemented

Technical safeguards per 45 CFR § 164.312. BAA signed with Google Cloud Platform. Business Associate Agreement available to customers on all plans.

PHIPA Compliance (Ontario)

Implemented

Data residency in Canada (Toronto region). Agent Agreement available for Ontario healthcare providers. Privacy and security safeguards per PHIPA requirements.

SOC 2 Type II

Planned Q4 2027

Scope: Security, Availability, Confidentiality. Independent third-party audit. Report available under NDA upon completion.

Annual Penetration Testing

Planned 2027

Independent third-party security firm. Scope: web application, API, infrastructure, Team Chat.

Compliance Documentation Available

Upon request, we provide:

Security questionnaire responses
Vendor risk assessment documentation
Data Processing Agreements (DPA)
Business Associate Agreements (BAA)
Attestation letters
Incident response procedures

Security Testing & Validation

Vulnerability Scanning

Automated daily infrastructure scans. Weekly application security scans. Dependency vulnerability monitoring. Container image scanning before deployment.

Code Security

Static application security testing in CI/CD pipeline. Secret scanning (no credentials in code). Dependency security audits. Code review required for all production changes.

Responsible Disclosure

Found a security issue? Email seyran@linkdhq.com. We commit to acknowledging reports within 24 hours, providing status updates every 5 business days, and remediating critical issues within 7 days. We will not pursue legal action against researchers acting in good faith.

Incident Response

In the unlikely event of a security incident, we respond swiftly and transparently.

Response timeline:

  • 15 min: Detection. Automated alerts trigger incident response.
  • 1 hour: Assessment. Severity classification and scope determination.
  • 4 hours: Containment. Stop unauthorized access, preserve evidence.
  • 24 hours: Customer Notification. Notify affected customers with full details.
  • 7 days: Remediation. Fix vulnerability, verify resolution, update controls.

Breach Notification: We notify affected customers within 24 hours. Regulatory authorities are notified on the timelines the law sets: HIPAA, without unreasonable delay and no later than 60 days after discovery; GDPR, within 72 hours of becoming aware; PHIPA, at the first reasonable opportunity. We also provide breach notification templates, technical details for your compliance team, and support during regulatory inquiries.

Incidents to Date: 0 (as of January 2026)

Employee Access & Training

Customer Data Access

Production data access is:

  • Logged with full audit trail
  • Approved for specific purposes only
  • Time-limited and auto-expires
  • Monitored for unusual patterns

Never Accessed For

  • Product development or testing
  • Sales or marketing purposes
  • Training AI models
  • Any unauthorized purpose

All employees sign confidentiality agreements, acceptable use policies, and undergo security awareness training. Access is immediately revoked upon termination.

Data Center & Infrastructure

Google Cloud Platform

SOC 2, SOC 3, ISO 27001, ISO 27017, ISO 27018 certified. HIPAA-compliant with signed BAA. FedRAMP authorized. Physical security: 24/7 guards, biometric access, video surveillance. Environmental controls: redundant power, cooling, fire suppression.

Data Residency

US customers: Google Cloud US regions. Canadian customers: Toronto region (northamerica-northeast2). EU customers: EU regions available (Enterprise plan). Your data stays in your selected region. We do not replicate sensitive data across international borders without customer consent.

Disaster Recovery

Multi-zone deployment with automatic failover. Recovery Time Objective (RTO) under 4 hours: the longest the Service should be unavailable after a disaster. Recovery Point Objective (RPO) under 1 hour: the most data, measured in time, that could be lost. Automated backups to a separate geographic location. Documented and tested disaster recovery plan.

Shared Responsibility Model

Linkd Secures the Platform

  • Infrastructure & application security
  • Data encryption at rest and in transit
  • Access controls & authentication
  • 24/7 monitoring & incident response
  • Backup, recovery & availability
  • Compliance documentation & audits

Customers Control Content

  • What content is uploaded
  • Who has access & user permissions
  • Public vs. private settings
  • Compliance with their own regulations
  • Staff training & appropriate use
  • Obtaining necessary consents


Security Questions?

For security concerns, vulnerability reports, compliance documentation requests, or questions about our security practices, please contact us.