Our Approach to Data Protection
Kornify is built with privacy-by-design. Patient and clinic data protection is embedded in the platform architecture from the ground up, not added as a separate feature. We comply with Regulation (EU) 2016/679 (GDPR) and can demonstrate this through documentation.
Where Data Is Stored
Our entire database is hosted on Supabase servers in Frankfurt (Germany, EU). Clinic and patient data does not leave the European Union. Supabase holds SOC 2 Type 2 certification and has a signed DPA in accordance with GDPR requirements.
Encryption
Data at rest is protected with AES-256 encryption. All client-server connections are secured with TLS. Passwords are stored in hashed form (scrypt) and are never transmitted in plain text.
Clinic Data Isolation
Each clinic has a unique identifier (clinic_id). One clinic's data is isolated from another's. Database-level access controls ensure no user can access another clinic's data. Role-based access (owner, administrator, doctor) restricts access within each clinic.
Voice AI and Privacy
The voice AI assistant operates through Retell AI. We have configured the system so that call recordings are not stored on Retell AI servers — they are automatically deleted within 10 minutes after processing. Data transfer to the US is carried out under EU Standard Contractual Clauses (SCCs). Retell AI holds SOC 2 Type 1 and Type 2 certifications.
Sub-processors
Supabase Inc. — database hosting, Frankfurt, Germany (EU), DPA signed.
Retell AI Inc. — voice AI assistant, USA, SCCs signed, recordings deleted within 10 minutes.
Resend Inc. — email delivery, DPA signed.
We notify clinics 30 days before changing sub-processors.
Data Subject Rights
We support all GDPR rights: right of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), objection (Art. 21). The clinic as data controller can submit a request, and we will fulfill it within 30 days.
Data Deletion
A clinic may request complete deletion of all its data at any time. We fulfill deletion requests within 48 hours. Upon contract termination, data is retained for 90 days for export, then permanently deleted.
Breach Notification
In the event of a data security breach, we notify the relevant supervisory authority within 72 hours (Art. 33 GDPR) and the clinic within 48 hours. If the breach poses a high risk to patient rights, we also notify the data subjects (Art. 34 GDPR).
Data Processing Agreement (DPA)
Every clinic using Kornify has a DPA in accordance with Art. 28 GDPR. The DPA defines: categories of data processed; technical and organizational security measures; rules for engaging sub-processors; data deletion procedures. To obtain a copy of the DPA, contact hello@kornify.ai.
Contact
For data protection and GDPR inquiries: hello@kornify.ai