Clinical-Grade Privacy Architecture

Your Biology.
Your Data.

Xelecta was designed with the premise that the most sensitive data you will ever generate — your genome, your glucose, your sleep — must be protected by architecture, not policy alone.

Six Security Pillars

Privacy is enforced at the infrastructure level. These aren't policies — they're architectural constraints.

Hardware-Isolated Genomic Processing

Your raw DNA sequence is processed exclusively within hardware-based Trusted Execution Environments (TEEs) — attested enclaves where even Xelecta engineers cannot access the data. The decryption key is derived from a value that only your device holds. We receive only the computed output (e.g., variant classifications), never the source data. The trust model relies on the silicon vendor's enclave guarantees.

End-to-End Encrypted Health Data

All health data — CGM readings, body composition metrics, HRV, and sleep architecture — is encrypted in transit with TLS 1.3 and at rest with AES-256. Encryption keys are user-held; Xelecta's infrastructure operates on ciphertext only.

No Data Monetization

Xelecta does not sell, license, or share your personal health data with pharmaceutical companies, insurers, data brokers, or advertisers. Ever. This is a foundational business commitment, not a marketing claim.

HIPAA Compliance Architecture

Our platform is designed to satisfy HIPAA's Security Rule (45 CFR Part 164). We maintain Business Associate Agreements with all sub-processors that handle PHI. Access controls, audit logging, and breach notification procedures meet or exceed HIPAA standards.

Granular Data Controls

You control exactly what data streams are active at any time. Disable CGM sync, revoke genomic access, or delete your entire account and all associated data from your dashboard at any time — no waiting period, no retention.

SOC 2 Type II Aligned

Our infrastructure and security practices are designed to meet SOC 2 Type II criteria across security, availability, processing integrity, confidentiality, and privacy trust service criteria.

Hardware-Isolated Genomic Processing

How your DNA data flows through Xelecta's confidential computing pipeline

1. Your Device

  • DNA file encrypted on your device
  • Key derived from device identity
  • Encrypted payload sent to enclave

2. Trusted Execution Environment

  • Encrypted payload decrypted inside TEE
  • Variant analysis computed in isolation
  • Only output results leave the enclave

3. Xelecta Platform

  • Receives computed variant classifications only
  • Never sees raw DNA sequence
  • Output stored encrypted under your key
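
The gate that sits between steps 1 and 2 in a pipeline like this, as an added example (not Xelecta's code): the device derives the payload key and hands it over only after the enclave's attestation report checks out. Assumptions: HKDF-SHA256 as the derivation, an HMAC under a constructed key standing in for the silicon vendor's signature, and hypothetical function and field names throughout.

```python
import hashlib
import hmac

# Constructed stand-ins: a real verifier checks the silicon vendor's certificate
# chain and signature; HMAC under a shared key only keeps this example offline.
VENDOR_KEY = b"constructed-vendor-key"
APPROVED_MEASUREMENT = hashlib.sha256(b"variant-analysis-build-1").hexdigest()


def hkdf_sha256(ikm, salt, info, length=32):
    """HKDF extract-then-expand (RFC 5869) with SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def make_report(measurement, nonce, signing_key=VENDOR_KEY):
    """Simulated enclave reply: code measurement, echoed nonce, signature."""
    sig = hmac.new(signing_key, measurement.encode() + nonce, hashlib.sha256).digest()
    return {"measurement": measurement, "nonce": nonce, "sig": sig}


def verify_report(report, nonce):
    """Accept only a correctly signed report for the approved build and our nonce."""
    body = report["measurement"].encode() + report["nonce"]
    good_sig = hmac.new(VENDOR_KEY, body, hashlib.sha256).digest()
    return (hmac.compare_digest(report["sig"], good_sig)
            and hmac.compare_digest(report["nonce"], nonce)
            and hmac.compare_digest(report["measurement"], APPROVED_MEASUREMENT))


def release_payload_key(device_secret, upload_salt, report, nonce):
    """Derive and hand over the payload key only after attestation passes."""
    if not verify_report(report, nonce):
        return None  # wrong build, replayed report, or bad signature
    return hkdf_sha256(device_secret, upload_salt, b"genomic-payload-key")


if __name__ == "__main__":
    nonce, secret, salt = b"\x01" * 16, b"\x02" * 32, b"\x03" * 16  # constructed
    ok = make_report(APPROVED_MEASUREMENT, nonce)
    other = make_report(hashlib.sha256(b"unknown-build").hexdigest(), nonce)
    print("approved build:", release_payload_key(secret, salt, ok, nonce).hex())
    print("unknown build:", release_payload_key(secret, salt, other, nonce))
```

The nonce comparison is what rejects a report replayed from an earlier session; the measurement comparison is what ties key release to one specific enclave build.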

Regulatory Compliance

We meet or exceed requirements under all major health data privacy regulations.

HIPAA

Health Insurance Portability and Accountability Act

  • Security Rule compliance (45 CFR Part 164, Subpart C)
  • Privacy Rule compliance (45 CFR Part 164, Subpart E)
  • Breach Notification Rule (45 CFR Part 164, Subpart D)
  • Business Associate Agreements with all PHI sub-processors
  • Annual HIPAA risk assessments conducted

GDPR

General Data Protection Regulation (EU/UK)

  • Lawful basis established for all data processing activities
  • Data Subject Rights: access, rectification, erasure, portability
  • Data Protection Impact Assessments for high-risk processing
  • 72-hour breach notification to supervisory authority
  • Cross-border transfer safeguards (SCCs / adequacy decisions)

CCPA

California Consumer Privacy Act

  • Right to know what personal data is collected and why
  • Right to delete personal information
  • Right to opt-out of sale of personal information (we do not sell)
  • No discrimination for exercising CCPA rights
  • Sensitive personal information handling controls

Technical Security Controls

TLS 1.3 in transit, AES-256 at rest

Hardware Security Module (HSM) key management

Multi-factor authentication enforced on all accounts

Role-based access control (RBAC) on internal systems

Continuous vulnerability scanning & penetration testing

Annual third-party security audit

Immutable audit logs with 7-year retention

Sub-processor vetting and BAA enforcement

Incident response plan with 24-hour SLA

Data residency: US-East primary, US-West DR

Platform & Infrastructure Partners

Who Handles Your Data — and How

Every third-party system that touches user data is listed here, with its specific role in the Xelecta architecture.

Terra API

Unified Health API

Aggregates device data streams from 100+ wearable sources into a single normalised feed

Apple Health · Google Health Connect

Health Data Sync

Native OS health data integration for iOS and Android users

Stripe

Secure Payment Infrastructure

PCI-DSS Level 1 payment processing — card data never touches Xelecta servers

VGS (Very Good Security)

Zero-Knowledge Data Vaulting

Sensitive form data is tokenised before it reaches Xelecta infrastructure — even VGS cannot read the plaintext values

Vital

Lab Logistics & Fulfillment

Diagnostic kit order routing, courier coordination, and results delivery

Note on terminology: “Zero-Knowledge Data Vaulting” is VGS’s own product name for their tokenisation service. Xelecta’s genomic data processing uses a separate technology — hardware-attested Trusted Execution Environments (Confidential Computing) — described above. These are two distinct privacy mechanisms serving different data types.

Product names and trademarks are the property of their respective owners.

For the full legal details of how we collect, use, and protect your data: