Security at TendKin

Your family's care information is sensitive. Here's how we protect it.

Encryption in transit

All data is transmitted over TLS 1.2+. We use HTTPS everywhere and redirect any HTTP requests.

Encryption at rest

All data is encrypted at rest using AES-256. Private check-in data uses an additional encryption layer.

Access controls

Family member data is access-controlled. Your private check-ins can only be accessed by you. Employees cannot access private check-in content.

Breach notification

If we discover a security breach affecting your data, we will notify you within 72 hours via email. See the Compliance section below for details.

Compliance

We want to be straightforward about where TendKin sits. TendKin is a consumer service, not a HIPAA covered entity — we don't bill insurance or work inside the healthcare system. But we built it to healthcare-grade security practices anyway: encryption in transit and at rest, strict access controls, and breach notification within the timelines required by the FTC Health Breach Notification Rule (we aim to notify you within 72 hours of discovering a breach, well ahead of what the rule requires).

We never sell your data, and we never use your private check-in conversations for advertising. That's a commitment, not a setting.

Responsible disclosure

If you discover a security vulnerability in TendKin, please report it to security@tendkin.com. We review all reports and respond within 48 hours. We ask that you not publicly disclose vulnerabilities until we have had the opportunity to address them.

We do not operate a bug bounty program at this time, but we are grateful for responsible security research and will acknowledge your contribution.