Privacy by design. Security by default.

Trust is clinical. If privacy is unclear or security is shaky, people disengage—and prevention fails. Kay is built privacy-first and security-by-default, so support can show up before things spiral, without creating new risk.

Our posture

We build for trust first. Kay runs on a HIPAA-compliant foundation with encryption in transit and at rest, least-privilege access, and audited change controls. We collect the minimum needed to help, keep PHI segmented from ops logs, and give you clear export, deletion, and revocation controls. Continuous monitoring, third-party testing, and BAAs for eligible organizations are standard—not add-ons.

HIPAA Alignment

HIPAA-compliant operations with BAAs available for eligible organizations.

Encryption Everywhere

TLS in transit and strong encryption at rest for protected data.

Least-privilege access

Role-based controls and administrative separation of duties.

Data Segmentation

PHI isolated from analytics systems and operational logs.

Audit Logging

Comprehensive logs for access and configuration changes (who/what/when).

Change Management

Gated releases with the ability to rapidly roll back if needed.

Monitoring + incident response

Continuous monitoring and alerting, vulnerability management, and documented incident response runbooks.

Independent Testing

Regular third-party penetration tests and security assessments.

Data Handling, Monitoring & Enterprise Controls

We build for trust first. Protected health information lives in segregated, encrypted stores; operational logs are designed to exclude PHI by default. We collect only what’s needed to be helpful, retain it only as long as required to deliver the service and meet legal obligations, and support patient-initiated deletion and provider unlinking. Backups are encrypted and restoration is regularly tested.

Security is continuous, not a checkbox. Our environment is monitored 24/7 for availability, authentication anomalies, and unusual access patterns, with documented incident-response runbooks and clear notification procedures. We maintain a coordinated vulnerability-disclosure channel and engage independent firms for recurring penetration tests and security reviews.

For enterprise teams, we align to your controls: SSO (SAML/OIDC) and, where applicable, SCIM for provisioning; strong MFA for privileged accounts; network protections including firewalling, WAF, rate limiting, and DDoS mitigation; and configuration hygiene via infrastructure-as-code, secrets management, and regular key rotation. We operate under HIPAA-aligned safeguards and offer BAAs for eligible organizations alongside standard data-processing addenda.
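One way to make "operational logs exclude PHI by default" concrete is a deny-by-default log filter: only an allowlist of structured, non-identifying fields may reach the ops log, and even those are scrubbed for values that look like identifiers. The following is an added illustration, not Kay's code; the field names, the allowlist, the regex patterns and the sample events are all constructed for the example.

```python
"""
Added example (not Kay's code): an operational-log filter that keeps PHI out of
ops logs by default. Field names, allowlist, patterns and sample events are
constructed for illustration.
"""
import io
import json
import logging
import re

# Deny-by-default: only these structured fields may reach the operational log.
# Free text, names, dates of birth and message bodies are never on this list.
OPS_LOG_ALLOWLIST = {"event", "user_id", "ts", "status", "latency_ms", "route"}

# Belt-and-braces: values that look like direct identifiers are masked even in
# allowed fields, in case an identifier was stuffed into a "safe" field upstream.
PHI_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),              # US SSN shape
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),            # email address
    re.compile(r"\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b"),  # US phone number
]


def scrub_value(value):
    """Mask anything in a string value that matches an identifier pattern."""
    if not isinstance(value, str):
        return value
    for pat in PHI_PATTERNS:
        value = pat.sub("[REDACTED]", value)
    return value


def to_ops_record(event: dict) -> dict:
    """Project a raw application event onto the allowlist and scrub what remains.

    Fields outside the allowlist are dropped; only their *names* are recorded so an
    operator can see that redaction happened without seeing what was removed.
    """
    kept = {k: scrub_value(v) for k, v in event.items() if k in OPS_LOG_ALLOWLIST}
    dropped = sorted(set(event) - OPS_LOG_ALLOWLIST)
    if dropped:
        kept["dropped_fields"] = dropped
    return kept


class PHIScrubFilter(logging.Filter):
    """logging.Filter that rewrites a record before any handler formats it.

    Callers log with ``logger.info("event", extra={"event": {...}})``; the filter
    replaces the message with the allowlisted, scrubbed JSON projection.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        event = getattr(record, "event", None)
        if isinstance(event, dict):
            record.msg = json.dumps(to_ops_record(event), sort_keys=True)
        else:
            record.msg = scrub_value(str(record.msg))
        record.args = ()  # message is final; nothing left to %-format
        return True


def format_ops_line(event: dict) -> str:
    """Run one event through a logger fitted with PHIScrubFilter; return the line emitted."""
    stream = io.StringIO()
    logger = logging.getLogger("ops-example")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.addFilter(PHIScrubFilter())
    logger.addHandler(handler)
    logger.info("event", extra={"event": event})
    handler.flush()
    return stream.getvalue().strip()


if __name__ == "__main__":
    # Constructed event: the app accidentally attached a name and a free-text note.
    sample = {
        "event": "checkin.submitted",
        "user_id": "u_123",
        "ts": "2024-01-01T00:00:00Z",
        "patient_name": "Jane Doe",
        "note": "call me at 555-123-4567",
    }
    print(format_ops_line(sample))
```

The design point is the allowlist: a denylist of "known PHI fields" fails the moment a developer adds a new field, whereas an allowlist fails closed. The pattern scrubbing is a second line of defence, not a substitute for the allowlist.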


How Kay uses AI safely

Our AI is constrained by design. It only suggests safe, pre-approved steps and explains itself in plain English.

  • Constrained Suggestion Library — One human-sized step from a whitelisted library grounded in CBT, DBT, Mindfulness, Motivational Interviewing, and Emotion Regulation—never open-ended or high-risk advice.
  • Explainable by Default — Each suggestion includes a clear, plain-language rationale.
  • Crisis Routing — Safety signals and crisis language trigger template-locked guidance to emergency resources (e.g., 988/911 in the U.S.).
  • No Diagnosis — Kay does not diagnose, treat, or replace clinical care.
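The guardrails in the list above (an allowlisted step library, a rationale attached to every suggestion, and crisis language overriding the model) can be expressed as a single output gate that sits between the model and the user. The example below is an added illustration, not Kay's code: the library entries, the step-ID output format, the crisis phrases and the fallback behaviour are all assumptions made for the example. The 988/911 numbers are the ones the page cites.

```python
"""
Added example (not Kay's code): an output gate that (1) checks the user's message
for crisis language before anything else, (2) accepts only an allowlisted step ID
from the model, never free text, and (3) always pairs a step with its rationale.
Library contents, crisis phrases and the output format are constructed.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Step:
    step_id: str
    modality: str   # constructed labels: CBT, DBT, Mindfulness
    text: str       # the one human-sized step shown to the user
    rationale: str  # plain-language explanation, always shown alongside


# Allowlisted suggestion library: the model may only *select* an ID from here.
LIBRARY = {
    "mi-001": Step("mi-001", "Mindfulness",
                   "Take three slow breaths, counting each exhale.",
                   "Slow exhales engage the body's calming response and buy a moment before reacting."),
    "cbt-004": Step("cbt-004", "CBT",
                    "Write down the thought and one piece of evidence against it.",
                    "Naming a thought and testing it makes it easier to see it as one view, not a fact."),
    "dbt-002": Step("dbt-002", "DBT",
                    "Hold something cold for 30 seconds and notice the sensation.",
                    "A strong physical sensation can interrupt an intense emotional surge."),
}

# Template-locked crisis guidance: fixed text, never model-generated.
CRISIS_TEMPLATE = (
    "It sounds like you may be in crisis. If you are in immediate danger, call 911. "
    "You can call or text 988 (Suicide and Crisis Lifeline) at any time."
)

# Constructed safety signals; a production list would be clinically reviewed and broader.
CRISIS_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"\b(kill|hurt|harm)\s+myself\b",
    r"\bsuicid",
    r"\bend (my life|it all)\b",
    r"\bdon'?t want to (live|be here)\b",
)]

# Neutral step used when the model's output is not a valid library ID.
SAFE_DEFAULT_ID = "mi-001"


def is_crisis(user_text: str) -> bool:
    """True if any crisis pattern matches the user's message."""
    return any(p.search(user_text) for p in CRISIS_PATTERNS)


def gate(user_text: str, model_output: str) -> dict:
    """Decide what the user actually sees.

    The crisis check runs first and ignores the model entirely. Otherwise
    model_output must be an exact library ID; anything else fails closed to a
    neutral default so free-form advice never reaches the user.
    """
    if is_crisis(user_text):
        return {"kind": "crisis", "text": CRISIS_TEMPLATE, "rationale": None, "step_id": None}
    step = LIBRARY.get(model_output.strip())
    kind = "step"
    if step is None:
        step = LIBRARY[SAFE_DEFAULT_ID]
        kind = "fallback"
    return {"kind": kind, "text": step.text, "rationale": step.rationale, "step_id": step.step_id}


if __name__ == "__main__":
    # Constructed conversation turns paired with constructed raw model replies.
    for user, model in [
        ("I can't stop worrying about work", "cbt-004"),
        ("honestly I just want to end it all", "cbt-004"),
        ("feeling stressed", "Free-form advice the model made up"),
    ]:
        print(gate(user, model))
```

Two properties worth checking in any such gate: the crisis branch must not depend on the model's output at all, and an unrecognised model output must never be passed through verbatim. The test below asserts both.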
Learn more in our AI Policy (guardrails, fairness checks, monitoring).