
Privacy architecture

Consent first. Architecture, not policy.

The employer never sees an individual score. That is not a feature toggle. That is how the system is built. The rest of this page explains the architecture that enforces it and the consent document that governs it.

Aggregate only. Minimum cohort floor enforced.

Section 01

Three contractual commitments

These three lines live in the contract. They are not a feature in a settings panel. They are a boundary that the product architecture enforces.

  • 01

    No PHI leaves the clinical boundary.

  • 02

    No therapy notes are ever accessible to the employer.

  • 03

    No individual symptom scores are ever accessible to the employer.

Section 02

Cognifica AI Mental Health Hub

The branded name of the consent document, surfaced on both the workforce tenant and the clinical tenant. It is the same artifact whichever product applies to you.

Consent document text is available on request while the self serve download is in production.

Section 03

HIPAA posture

The clinical entity holds PHI under BAA. Aggregate measures flow to the tenant on a defined cadence. The scoped identity resolution required to run a clinical workflow is restricted to the Medical Provider role.

  • 01

    BAA on request

    Cognifica signs a Business Associate Agreement with every tenant that requires one. The clinical entity holds PHI.
  • 02

    HIPAA aligned infrastructure

    Encryption at rest and in transit. Role scoped access. Audit logging at the clinical boundary. Scoped identity resolution limited to the Medical Provider role.
  • 03

    No PHI in marketing tooling

    Marketing analytics never touch PHI. Cookie consent is honored before any non essential tooling runs. Global Privacy Control is respected.

Section 04

Crisis escalation

Anonymity may be paused only to connect urgent clinical or crisis support. It is the single exception to the identity boundary. The escalation runs through the Cognifica clinical team, not through the employer or the plan.

In crisis right now

  • Call 988 for the Suicide and Crisis Lifeline
  • Text 741741 for the Crisis Text Line

  • 01

    Automated in app escalation

    Crisis flags from a check in trigger an automated escalation to the designated crisis counselor.
  • 02

    LiveChat 24 by 7

    A secure messaging channel sits in front of the clinical team at all hours.
  • 03

    Warm handoff to 988

    When the situation calls for it, the counselor facilitates a warm handoff to the 988 Suicide and Crisis Lifeline.
  • 04

    Safety check in at 24 to 48 hours

    A follow up check in is scheduled. The record stays with the clinical team.

Section 05

AI does not diagnose

The system flags and stratifies. It does not diagnose. It does not decide. Clinical decisions are made by clinicians and initiated by humans.

  • 01

    Not used for diagnosis
  • 02

    Not for emergency response
  • 03

    Clinical decisions always initiated by a human
  • 04

    Transparent to the user

Section 06

Data lifecycle

Capture, revoke, retain, export. Each step has a defined rule. Each rule is auditable.

  • 01

    Consent captured up front

    Before a first check in, the user is walked through what is collected, who sees what, and how to revoke. The Cognifica AI Mental Health Hub consent document is the artifact that governs the relationship.
  • 02

    Revocable at any time

    Consent can be revoked from the user portal. The revocation is timestamped. Future check ins do not run. Past records are retained under the retention policy, or deleted on request.
  • 03

    Retention under a stated policy

    Clinical records are retained under the retention policy applicable to the clinical entity. Non clinical usage data is retained for the minimum period needed for platform operation.
  • 04

    Export on request

    Members and employees may export their own data in a portable format. The request runs through the clinical entity and is fulfilled within the timeframe the jurisdiction requires.

Read the detail

Privacy policy

The legal privacy policy is the long form document that accompanies this architecture.