Security & Trust — CheckIn Health

Anonymous by Design

No accounts. No names. No PII required.

CheckIn does not require members to create accounts, provide names, or supply any personally identifying information to use the app. Each user is identified only by a device-generated anonymous ID.

This is intentional. Anonymity removes the barrier to participation that traditional mental health resources depend on — and it removes the surveillance risk that institutions are right to worry about.

What this means for your institution

No PII collection means no individual employee, student, or member is identifiable through CheckIn data — even to administrators. The dashboard shows population trends. Never individuals.

This also significantly reduces the regulatory burden of institutional deployment under federal and state mental health privacy frameworks.

Security Posture

How CheckIn protects the data it does collect.

Encryption in Transit and at Rest

All data is encrypted in transit (TLS) and at rest. Sensitive backend operations run over secure connections to managed PostgreSQL.

Device-Generated Identifiers

User identity is established through anonymous device-generated IDs. There is no central registry linking those IDs to real-world identities.

No Cross-User Visibility

Members cannot view each other's data. Administrators cannot view individual member data. The dashboard surfaces only population-level aggregates.

SMS Compliance

LifeSaver SMS alerts are sent through Twilio with A2P 10DLC registration and approved Toll-Free Verification — meeting current US carrier compliance requirements.

HIPAA-Ready Architecture

The platform is architected to support HIPAA compliance when deployed by covered entities. Business Associate Agreements (BAAs) are available for institutional partners where required.

Insurance & Coverage

CheckIn Health LLC carries Errors & Omissions, Cyber, and General Liability insurance with a Digital Health Endorsement covering bodily injury for electronic mental health services.

Infrastructure

Modern, US-hosted, defensible.

Hosting

Backend services and admin dashboard hosted on US-based managed cloud infrastructure (Render, Vercel). Database (PostgreSQL) hosted in US data centers.
Mobile Apps

Native iOS and Android applications, distributed exclusively through the official Apple App Store and Google Play Store. Code-signed and reviewed by both platforms.
SMS Delivery

Twilio with active A2P 10DLC registration (Low Volume Mixed) and approved Toll-Free Verification on the toll-free number used for crisis-related alerts.
Data Residency

All member data is stored in US data centers. No international data transfer is performed as part of standard operation.
Legal Entity

CheckIn Health LLC, a US-registered limited liability company. All intellectual property is owned by the entity.

In Honest Terms

What we have — and what we're working toward.

CheckIn is an early-stage platform in active deployment. We believe institutional buyers deserve direct answers about where the security program is today and where it's going.

Today

Anonymous-by-design architecture, encryption in transit and at rest, US-hosted infrastructure, Twilio A2P 10DLC compliance, full E&O coverage with Digital Health Endorsement.
Available on Request

Business Associate Agreement (BAA) for HIPAA-covered entities, security questionnaires for institutional procurement reviews, references from current pilot partners.
Roadmap

SOC 2 Type 1 attestation, formal third-party penetration testing, expanded compliance certifications as institutional partnerships scale.

Documentation

Legal and policy documents

Our public-facing legal documents are linked below. Institutional partners reviewing CheckIn for procurement can request additional documentation directly.

Privacy isn't a feature. It's the foundation.