1. Overview
ASSURNA, Inc. ("ASSURNA," "we," "us," or "our") is committed to maintaining the highest standards of privacy and security for Protected Health Information (PHI) as defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), and their implementing regulations (collectively, the "HIPAA Rules").
This HIPAA Compliance Statement describes how we protect your health information, the safeguards we have implemented, and your rights regarding your PHI when using our longevity intelligence platform and related services.
2. Our Compliance Posture
ASSURNA is a direct-to-consumer longevity intelligence platform. Depending on the nature of our relationship with you and the data involved, ASSURNA may operate in one or more of the following capacities:
As a Business Associate
When we process, store, or analyze PHI on behalf of or at the direction of a HIPAA-covered entity (such as a healthcare provider, health plan, or healthcare clearinghouse). In these relationships, we execute Business Associate Agreements (BAAs) that define our obligations under the HIPAA Rules.
As a Direct Service Provider
When you engage ASSURNA directly as an individual member. In this capacity, certain HIPAA requirements may not technically apply to the data you provide to us. However, ASSURNA voluntarily applies HIPAA-grade administrative, physical, and technical safeguards to all health data on our platform, regardless of whether the data is classified as PHI under the HIPAA Rules.
Our Philosophy
We adopt this approach because we believe every individual — not only those whose data falls under a covered entity relationship — deserves the gold standard of health data protection.
3. Health Information We Protect
Whether or not your data is formally classified as PHI under HIPAA, ASSURNA applies the same protections to all health-related information on our platform. This includes:
Health Data
- Lab results, blood panels, and biomarker data
- Epigenetic and biological age assessments
- Wearable device data (heart rate, HRV, sleep, activity)
- Medical records and history
- Supplement and protocol information
- Genetic and genomic data
- Diagnosis, treatment, and prescription information
Personal Identifiers
- Name and contact information
- Date of birth
- Medical record or health plan numbers
- Biometric identifiers
- Account credentials
Minimum Necessary Standard
We apply the HIPAA minimum necessary standard to all health information on our platform. This means we access, use, and disclose only the minimum amount of health data necessary to accomplish the intended purpose — whether that is generating your longevity analysis, processing a request, or fulfilling a legal obligation.
4. Security Safeguards
We implement comprehensive administrative, physical, and technical safeguards aligned with the HIPAA Security Rule to protect your health information.
Administrative Safeguards
- Designated Privacy and Security Officer
- Written security policies and procedures
- Risk assessments and risk management
- Sanction policies for non-compliance
- Contingency and disaster recovery planning
- HIPAA privacy and security training for all team members
Physical Safeguards
- Infrastructure hosted in SOC 2 Type II certified data centers
- Physical access controls at all hosting facilities
- 24/7 environmental and security monitoring
- Workstation and endpoint security policies
- Device and media disposal controls
Technical Safeguards
- Unique user identification and authentication
- Role-based access control (RBAC)
- Automatic session termination
- Audit controls and comprehensive activity logging
- Data integrity controls
Access Controls
- Multi-factor authentication (MFA) required for all health data access
- Principle of least privilege enforced
- Regular access reviews and privilege audits
- Immediate access revocation upon role change or departure
- Comprehensive audit trails for all data access events
5. Encryption Standards
All health information is encrypted using industry-leading standards that meet or exceed HIPAA requirements.
Data at Rest
- AES-256 encryption for all stored health data
- Encrypted database storage
- Encrypted backup systems
- Cloud-provider-managed key management with hardware-backed protection
Data in Transit
- TLS 1.3 for all data transmission
- Secure API endpoints exclusively (HTTPS only)
- VPN or equivalent secure channel for administrative access
- No unencrypted transmission under any circumstances
6. Business Associates & Subcontractors
We carefully evaluate all third-party service providers and subcontractors who may process, store, or have access to health information on our platform. Before any health data is shared with a third party, we require:
- Business Associate Agreements (BAAs) — signed and executed before any health data is disclosed, obligating the third party to protect health information in accordance with the HIPAA Rules.
- Security evaluation — verification that the third party maintains appropriate administrative, physical, and technical safeguards. We prioritize partners who hold independent security certifications (such as SOC 2 Type II or equivalent).
- Ongoing compliance — contractual requirements for incident reporting, breach notification, and periodic security assessments.
- Minimum necessary access — third parties receive access only to the specific data required to perform their contracted services, and nothing more.
7. Breach Notification
In the event of a breach of unsecured health information, ASSURNA follows the breach notification requirements established by the HIPAA Breach Notification Rule (45 CFR §§ 164.400–414) and the HITECH Act. Our breach response process includes:
Breach Response Timeline
- Immediate: Discovery & containment measures, incident response team assembly, thorough investigation
- Without Delay: Covered entity notification (as Business Associate) within BAA timeframe (typically 30 days)
- Within 60 Days: Individual notification in writing with breach description, information types, steps to take, and remedial measures
- Within 60 Days: HHS notification (concurrent with individual notification if 500+ affected; annual report for smaller breaches)
- If 500+ in State: Media notification to prominent outlets in the affected state or jurisdiction
Regardless of scale, every suspected breach is investigated, documented, and used to improve our security posture.
8. Your Rights
ASSURNA supports and facilitates the following rights with respect to your health information. Where your data is classified as PHI under HIPAA, these rights are legally guaranteed. For all other health data on our platform, we voluntarily extend equivalent rights as a matter of principle.
Right to Access
You may inspect and obtain a copy of the health information we maintain about you. We fulfill access requests within 30 days (with a possible 30-day extension with notice).
Right to Amendment
You may request that we amend health information you believe to be inaccurate or incomplete. We respond to amendment requests within 60 days.
Right to an Accounting of Disclosures
You may request an accounting of certain disclosures of your health information made by ASSURNA during the six (6) years prior to your request.
Right to Request Restrictions
You may request restrictions on certain uses and disclosures of your health information. We will accommodate reasonable requests and inform you if we are unable to agree.
Right to Confidential Communications
You may request that we communicate with you about your health information using alternative means or at alternative locations.
Right to Data Portability
You may request that we provide your health information in a structured, commonly used, and machine-readable format to facilitate transfer to another service provider.
Right to Revoke Authorization
Where you have provided written authorization for a specific use or disclosure, you may revoke that authorization at any time (except to the extent we have already acted in reliance on it).
9. Workforce Training
All ASSURNA team members complete HIPAA privacy and security training and are required to maintain current knowledge of compliance requirements. Our training program includes:
- HIPAA Privacy Rule and Security Rule training during onboarding — completed before any access to health information is granted
- Ongoing education on evolving privacy and security threats, including phishing, social engineering, and data handling best practices
- Training on our incident response and breach reporting procedures
- Documentation of all training completion and acknowledgments
As our team grows, we will continue to scale our training program to include annual refresher assessments and role-specific education for team members with elevated data access.
10. Audits, Assessments & Compliance Roadmap
ASSURNA maintains an ongoing program of internal assessment and external validation to ensure the effectiveness of our privacy and security safeguards.
Current Practices
- Periodic internal risk assessments aligned with HIPAA Security Rule requirements (45 CFR § 164.308(a)(1))
- Continuous vulnerability scanning and monitoring of our infrastructure
- Regular review and update of security policies and procedures
- Audit log monitoring for all health data access and system events
- HIPAA compliance program management through Accountable, a recognized HIPAA compliance platform
Infrastructure Security
ASSURNA's platform is hosted on cloud infrastructure that independently maintains SOC 2 Type II attestation and supports HIPAA-compliant workloads under a signed BAA. We leverage our cloud provider's certified physical security, environmental controls, and infrastructure-level encryption while implementing our own application-level security controls on top of that foundation.
Compliance Roadmap
As ASSURNA grows, we are committed to pursuing additional independent security validations, including third-party HIPAA compliance assessments, SOC 2 Type II attestation for our own operations, and evaluation of HITRUST CSF certification. We will update this page as these milestones are achieved.
11. Permitted Uses and Disclosures
ASSURNA uses and discloses health information only in the following circumstances:
- To provide services to you — generating longevity analyses, biomarker reports, health protocols, and personalized recommendations.
- At your direction — when you explicitly authorize us to share your information with a healthcare provider, family member, or other designated party.
- For platform operations — internal quality improvement, security monitoring, and service optimization, using de-identified or aggregated data where possible.
- As required by law — in response to a court order, subpoena, or other legal process, or as otherwise required by applicable federal or state law.
- For public health and safety — in limited circumstances required by law, such as reporting to public health authorities or preventing an imminent threat to health or safety.
Our Commitment
We do not use or disclose your health information for marketing purposes, nor do we sell your health information under any circumstances. For more information, see our Do Not Sell or Share My Personal Information page.
12. Contact Information
If you have questions about our HIPAA compliance program, wish to exercise any of your rights regarding your health information, or need to report a potential security concern, please contact our Privacy Officer:
HIPAA Privacy Officer
ASSURNA, Inc.
Attn: Privacy Officer
Email: privacy@assurna.com
Mailing Address: 100 Park Ave, New York, NY 10017
Report a Security Concern
If you believe there has been a breach of your health information, or if you have identified a potential security vulnerability on our platform, please contact us immediately at security@assurna.com. We take every report seriously and will respond promptly.
Review Cycle: This statement is reviewed and updated at least annually, or as significant changes are made to our platform or compliance posture.