Compliance Guide: GDPR, HIPAA, SOC 2 for Encrypted Communication

1. Data Protection by Design & Default (Article 25)

Implement technical and organizational measures to ensure high level of security:

• Pseudonymization and encryption of personal data
• Ability to ensure confidentiality, integrity, availability
• Ability to restore access to personal data after incidents
• Regular testing and assessment of security measures

HexBurn Compliance: ✓ Zero-knowledge AES-256 encryption, ✓ No personal data storage, ✓ Client-side processing

2. Lawful Basis for Processing (Article 6)

You must have legal grounds to process personal data:

• Consent: Clear, specific, informed, unambiguous agreement
• Contract: Processing necessary for contract performance
• Legal obligation: Required by law
• Legitimate interests: Your business needs (with balancing test)

3. Data Subject Rights (Articles 15-22)

Individuals have rights over their personal data:

• Right to access: Confirm what data you process
• Right to rectification: Correct inaccurate data
• Right to erasure ("right to be forgotten"): Delete their data
• Right to data portability: Receive data in machine-readable format
• Right to object: Stop processing for legitimate interests

HexBurn Compliance: ✓ No data stored = nothing to access/delete, ✓ User controls all data, ✓ Automatic erasure

4. Data Breach Notification (Article 33-34)

Notify authorities within 72 hours of becoming aware of breach:

• Supervisory authority notification: Within 72 hours
• Individual notification: If high risk to rights and freedoms
• Document all breaches: Even if not reported

HexBurn Compliance: ✓ Encrypted data is unreadable even if intercepted, ✓ Zero-knowledge = no data to breach

5. International Data Transfers (Chapter V)

Restrictions on transferring EU data outside EEA:

• Adequacy decisions: Transfer to countries EU deems adequate
• Standard Contractual Clauses (SCCs): Approved contract templates
• Binding Corporate Rules (BCRs): For multinational companies

HexBurn Compliance: ✓ Client-side encryption = no data transfer, ✓ Data stays on user's device

1. Privacy Rule - PHI Protection

Protected Health Information (PHI) includes:

• Names, addresses, phone numbers, email addresses
• Social Security numbers, medical record numbers
• Dates (birth, admission, discharge, death)
• Biometric identifiers (fingerprints, voice prints)
• Full-face photos and any comparable images
• Any other unique identifying number or characteristic

Requirement: PHI can only be used/disclosed for treatment, payment, healthcare operations—or with explicit patient authorization.

2. Security Rule - Technical Safeguards

Requires "addressable" and "required" security measures:

Required Specifications:

• Access Control: Unique user IDs, emergency access, automatic logoff, encryption
• Audit Controls: Record and examine access to ePHI
• Integrity Controls: Protect ePHI from improper alteration/destruction
• Transmission Security: Protect ePHI in transit (encryption required)

Addressable Specifications:

• Encryption/Decryption: Implement mechanism to encrypt/decrypt ePHI (strongly recommended)

HexBurn Compliance: ✓ AES-256 encryption exceeds HIPAA standards, ✓ Zero data retention, ✓ Automatic access controls

3. Breach Notification Rule

Notify affected individuals, HHS, and potentially media:

• Individual notification: Within 60 days of discovery
• HHS notification: Within 60 days (or annually for small breaches)
• Media notification: If breach affects 500+ individuals in a state/jurisdiction
• Business associate notification: To covered entity without unreasonable delay

Safe Harbor: Encrypted data is NOT considered breached if encryption key not compromised.

HexBurn Benefit: ✓ Encryption provides breach safe harbor, ✓ Zero-knowledge = unbreachable PHI

4. Business Associate Agreements (BAA)

Required contracts between covered entities and service providers:

• Define permitted uses of PHI by business associate
• Require appropriate safeguards to prevent misuse
• Require reporting of security incidents and breaches
• Require subcontractor BAAs if applicable
• Require return or destruction of PHI at contract termination

1. Security (Mandatory)

System is protected against unauthorized access:

• Access controls: Logical and physical access restrictions
• System operations: Monitoring, incident response, change management
• Mitigation of systems breach: Intrusion detection, vulnerability management

2. Availability (Optional)

System is available for operation and use:

• Performance monitoring: System capacity and performance
• Recovery procedures: Backup and disaster recovery capabilities
• Incident handling: Response to system failures

3. Processing Integrity (Optional)

System processing is complete, valid, accurate, timely, and authorized:

• Data quality: Inputs are complete and accurate
• Processing procedures: Outputs are accurate and complete

4. Confidentiality (Optional)

Confidential information is protected:

• Encryption: Data encrypted in transit and at rest
• Access controls: Need-to-know basis for confidential data
• Disposal: Secure deletion of confidential information

HexBurn Strength: ✓ AES-256 encryption, ✓ Zero-knowledge architecture, ✓ Automatic data deletion

5. Privacy (Optional)

Personal information is collected, used, retained, disclosed, and disposed per privacy notice:

• Notice and communication: Privacy notice provided to data subjects
• Choice and consent: Users can opt in/out
• Collection: Only necessary information collected
• Access: Users can access their personal information
• Disclosure to third parties: Only with consent or legal requirement