
Data Protection Policy

TH-DPP-001 · INTERNAL / COMPLIANCE

Document ID: TH-DPP-001
Version: 1.0
Effective Date: April 2026
Owner: Privacy Officer, Talos Health Corp
Classification: Internal / Compliance
Review Cycle: Annual (or upon material change)
Applicable Standards: HIPAA, CCPA/CPRA, SOC 2, PIPEDA (future), GDPR (future)


1. Purpose and Scope


This Data Protection Policy establishes the principles, standards, and responsibilities governing the collection, processing, storage, and disposal of personal data by Talos Health Corp and its subsidiaries. This policy applies to all employees, contractors, consultants, and third-party service providers who access, process, or manage personal data on behalf of Talos Health.

This policy covers all personal data processed through the Rezilia platform (rezilia.app), corporate operations, Talos Analytics (B2B data products), and any integrations with employers, hospitals, healthcare systems, and community partners.

2. Definitions


  • Personal Data: Any information relating to an identified or identifiable natural person, including name, email, device identifiers, IP address, and behavioral data.
  • Protected Health Information (PHI): Individually identifiable health information transmitted or maintained in any form, as defined under HIPAA.
  • Data Subject: An individual whose personal data is collected or processed (e.g., caregivers, care recipients, employees).
  • Data Controller: The entity that determines the purposes and means of processing personal data. Talos Health acts as a Data Controller for direct-to-consumer users.
  • Data Processor: An entity that processes personal data on behalf of a Data Controller. Talos Health may act as a Data Processor when providing services to employer or hospital clients.
  • Business Associate: Under HIPAA, an entity that performs functions or activities involving PHI on behalf of a Covered Entity.
  • De-Identified Data: Data that has been stripped of identifiers such that it cannot reasonably be used to identify an individual, in accordance with HIPAA de-identification standards (Safe Harbor or Expert Determination).

3. Data Protection Principles


All processing of personal data must adhere to the following principles:

  • Lawfulness and Transparency: Data is processed lawfully, fairly, and in a transparent manner. Data subjects are informed of how their data is used.
  • Purpose Limitation: Data is collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
  • Data Minimization: Only data that is necessary for the specified purpose is collected and processed.
  • Accuracy: Personal data is kept accurate and up to date. Reasonable steps are taken to correct or delete inaccurate data promptly.
  • Storage Limitation: Data is retained only as long as necessary for the purposes for which it was collected, subject to legal retention requirements.
  • Integrity and Confidentiality: Data is processed with appropriate security measures to protect against unauthorized access, loss, destruction, or damage.
  • Accountability: Talos Health is responsible for demonstrating compliance with these principles.


4. Data Categories and Sensitivity Levels


Talos Health classifies data into sensitivity levels to apply appropriate protection measures. Higher sensitivity levels require stricter access controls, encryption standards, and audit requirements.

  • Critical (Level 4): Protected Health Information (PHI), authentication credentials, encryption keys, and Business Associate Agreement data. Requires encryption at rest and in transit, MFA, and full audit logging.
  • High (Level 3): Personally Identifiable Information (PII) including names, emails, phone numbers, and caregiver conversational data. Requires encryption, role-based access controls, and audit logging.
  • Medium (Level 2): De-identified behavioral analytics, aggregated Talos Analytics reports, and platform usage metrics. Requires access controls and standard security measures.
  • Low (Level 1): Public-facing marketing content, published resources, and general platform documentation. Standard handling procedures apply.

5. Lawful Basis for Processing

Talos Health processes personal data under the following legal bases, depending on the context and jurisdiction:

  • Consent: Where required by law (e.g., for certain cookie types, marketing communications, and processing of sensitive health data outside of HIPAA-covered activities).
  • Contractual Necessity: Processing necessary to deliver the Rezilia platform services as agreed with the user, employer, or healthcare partner.
  • Legal Obligation: Processing required to comply with HIPAA, CCPA/CPRA, state breach notification laws, and other regulatory requirements.
  • Legitimate Interest: Processing necessary for platform improvement, security, fraud prevention, and aggregated research, where such interests are not overridden by the data subject’s rights.

6. Roles and Responsibilities


  • Privacy Officer: Oversees compliance with this policy, manages data subject requests, leads breach response, and coordinates with legal counsel. Reports to the CTIO.
  • CTIO (Chief Technology & Innovation Officer): Ensures technical infrastructure and engineering practices align with data protection requirements.
  • Director of Engineering: Implements technical safeguards, manages access controls, and conducts security reviews.
  • All Employees and Contractors: Must complete data protection training, report suspected breaches immediately, and handle data in accordance with this policy.
  • Third-Party Service Providers: Must execute appropriate data processing agreements (DPAs) or Business Associate Agreements (BAAs) before accessing any personal data.


7. Security Measures

7.1 Technical Safeguards

  • Encryption at rest (AES-256) and in transit (TLS 1.2+) for all personal data and PHI.
  • Azure Hub-Spoke Landing Zone architecture with network segmentation across US East and US West regions.
  • Role-based access controls (RBAC) with least-privilege principles enforced via Azure Active Directory.
  • Multi-factor authentication (MFA) required for all administrative and privileged access.
  • Automated vulnerability scanning and patch management.
  • Comprehensive audit logging via Azure Monitor and Log Analytics, with minimum 90-day retention for security events.
  • Web Application Firewall (WAF) and DDoS protection on all public-facing endpoints.

7.2 Administrative Safeguards

  • Documented access provisioning and de-provisioning procedures.
  • Background verification for all team members with access to PHI or PII.
  • Annual security awareness training for all personnel.
  • Documented incident response plan with defined escalation procedures.
  • Regular risk assessments (minimum annually).

7.3 Physical Safeguards

  • Cloud-first infrastructure eliminates on-premises data center risks. Microsoft Azure data centers maintain SOC 2 Type II, ISO 27001, and HIPAA compliance certifications.
  • Endpoint protection required on all devices that access Talos Health systems.
  • Mobile device management (MDM) policies enforced for any device accessing PHI.

8. Data Breach Response

In the event of a suspected or confirmed data breach, Talos Health follows a structured response process:

  • Detection and Containment (0–24 hours): Identify the scope, contain the breach, preserve evidence, and notify the Privacy Officer and CTIO immediately.
  • Assessment (24–72 hours): Determine what data was affected, the number of individuals impacted, and the risk of harm. Engage legal counsel as needed.
  • Notification (as required by law): For HIPAA breaches affecting 500+ individuals, notify HHS within 60 days and affected individuals without unreasonable delay. For breaches affecting fewer than 500 individuals, log and report annually to HHS. For CCPA-covered data, notify affected California residents as required. For state breach notification laws, comply with the notification requirements of each affected jurisdiction.
  • Remediation: Implement corrective actions, update security measures, document lessons learned, and update this policy as needed.


9. Third-Party Data Processing


All third-party service providers that access, process, or store personal data on behalf of Talos Health must:

  • Execute a Data Processing Agreement (DPA) or Business Associate Agreement (BAA) before any data is shared.
  • Demonstrate adequate security measures (e.g., SOC 2 certification, ISO 27001, or equivalent).
  • Agree to data breach notification obligations consistent with this policy.
  • Process data only for the purposes specified in the agreement.
  • Delete or return all data upon termination of the relationship.

Current key sub-processors: Microsoft Azure (cloud infrastructure, US regions), Anthropic (AI model services, subject to BAA), Stripe (payment processing).


10. Data Subject Rights

Talos Health respects and facilitates the exercise of data subject rights as required by applicable law:

  • Right of Access: Individuals may request a copy of their personal data held by Talos Health.
  • Right to Rectification: Individuals may request correction of inaccurate or incomplete data.
  • Right to Deletion: Individuals may request deletion of their personal data, subject to legal retention requirements (e.g., HIPAA 6-year minimum for PHI-related records).
  • Right to Portability: Where technically feasible, individuals may request their data in a structured, machine-readable format.
  • Right to Opt Out: California residents may opt out of the sale or sharing of personal information. Note: Talos Health does not sell personal data.
  • HIPAA Rights: Individuals with PHI may request access, amendments, accounting of disclosures, and restrictions, as administered through the applicable Covered Entity.

All data subject requests are processed within 30 days (or 45 days with notice if an extension is needed). Requests should be directed to privacy@taloshealth.ai.


11. Data Retention and Disposal

  • Active User Data: Retained for the duration of the active account plus 30 days post-deletion.
  • HIPAA-Covered Records: Minimum 6 years from creation or last effective date.
  • Compliance and Audit Logs: Minimum 3 years (or as required by applicable certification standards).
  • De-Identified Analytics: May be retained indefinitely as it poses no privacy risk.
  • Backup Data: Retained per Azure backup policies; encrypted and access-restricted.

Data disposal follows NIST SP 800-88 guidelines for media sanitization. Logical deletion is applied with verification that data is no longer retrievable from production systems.


12. Training and Awareness

  • All personnel complete data protection and HIPAA awareness training within 30 days of onboarding.
  • Annual refresher training is mandatory for all team members.
  • Role-specific training is provided for personnel with access to PHI, PII, or administrative systems.
  • Training completion is tracked and documented for compliance audits.

13. Compliance Roadmap

Talos Health is building its compliance posture progressively, aligned with business growth and regulatory requirements across jurisdictions.

  • Current (Q2 2026): HIPAA compliance (administrative, technical, and physical safeguards, BAA framework, breach notification procedures).
  • Q4 2026: SOC 2 Type I certification (Trust Service Criteria: Security, Availability, Confidentiality).
  • 2027: PIPEDA and Quebec Loi 25 compliance for Canadian operations; GDPR readiness assessment for European expansion.
  • 2027–2028: ISO 27001 certification; SOC 2 Type II audit.

14. Governance and Review

This policy is reviewed annually by the Privacy Officer in coordination with the CTIO and legal counsel. Ad hoc reviews are triggered by material changes in applicable laws or regulations, data breaches or significant security incidents, new product features or data processing activities, changes to third-party service providers, and results of internal or external audits.

All policy changes are versioned, dated, and communicated to relevant personnel within 15 business days of approval.


15. Contact

For questions about this policy or to report a data protection concern:

Talos Health Corp — Privacy Office

UCF Business Incubator, Orlando, Florida
1055 AAA Drive, Suite 113
Heathrow FL 32746

Email: privacy@taloshealth.ai
Web: www.taloshealth.com