Security
Structured for enterprise review—not a marketing checklist.
Follicle Intelligence processes sensitive procedural and health-related data. Our posture is described in layers: principles, access, data handling, operations, and procurement—so your security and legal teams can map questions to answers without inflated compliance language on a public URL.
Principles
Security principles.
These orient how we build and operate—not a substitute for your control framework.
Least privilege by default
Access is granted to the minimum set of functions and data required for a role. Administrative and clinical review paths can be separated so governance policy is enforceable in the product, not only on paper.
Defense in depth
Encryption, access controls, and operational monitoring stack together. No single control is described as sufficient on its own—enterprise buyers should expect layered review.
Transparency in diligence
Specific frameworks (e.g. HIPAA, SOC 2, regional equivalents) are addressed with documentation appropriate to your deployment and contract—not with generic badges that bypass your security team’s questions.
Access control
Who can do what.
Access control is how policy becomes enforcement. Follicle Intelligence (FI) supports tenant-scoped roles and authenticated API access; the exact permission matrix is documented for your environment.
- Authenticated sessions for interactive use; API access via API keys or another authentication scheme agreed per environment.
- Role-based access aligned to tenant policy—who may view cases, run scoring, approve reports, or administer users is configurable within agreed bounds.
- Audit logging of security-relevant access and administrative actions to support enterprise review (retention and export subject to contract).
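The three bullets above describe a deny-by-default, tenant-scoped role model with an audit trail. The following is an added illustration of that model in Python, not Follicle Intelligence product code: the role names (viewer, analyst, reviewer, tenant_admin), the action names, and the record shape are assumptions chosen to mirror the capabilities listed (view cases, run scoring, approve reports, administer users). It shows the two properties a reviewer would test for: a tenant mismatch is refused before any role is consulted, and the administrative and clinical review roles hold disjoint permissions.

```python
"""Tenant-scoped, deny-by-default role checks with an audit trail.

Added illustration only; not product code. Role and action names are
assumptions that mirror the capabilities listed on the page.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

# Permissions per role. Any action not listed for a role is denied.
# Administrative and clinical review paths are deliberately disjoint:
# tenant_admin holds no clinical permission, clinical roles hold no admin one.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "viewer": frozenset({"view_case"}),
    "analyst": frozenset({"view_case", "run_scoring"}),
    "reviewer": frozenset({"view_case", "run_scoring", "approve_report"}),
    "tenant_admin": frozenset({"administer_users"}),
}

# Actions whose successful use is always recorded, in addition to every denial.
SECURITY_RELEVANT: FrozenSet[str] = frozenset({"approve_report", "administer_users"})


@dataclass(frozen=True)
class Principal:
    user_id: str
    tenant_id: str
    roles: FrozenSet[str]


@dataclass(frozen=True)
class AuditEntry:
    user_id: str
    tenant_id: str
    action: str
    resource_tenant: str
    allowed: bool
    reason: str  # "cross_tenant", "not_granted" or "role_grant"


@dataclass
class AccessPolicy:
    audit_log: List[AuditEntry] = field(default_factory=list)

    def permissions_for(self, principal: Principal) -> FrozenSet[str]:
        """Union of the permissions of the principal's roles.

        Unknown role names contribute nothing, so a mistyped or retired
        role can never widen access.
        """
        granted: FrozenSet[str] = frozenset()
        for role in principal.roles:
            granted |= ROLE_PERMISSIONS.get(role, frozenset())
        return granted

    def authorize(self, principal: Principal, action: str, resource_tenant: str) -> bool:
        """Return True only if the action is permitted on a resource of this tenant."""
        # Tenant isolation is checked first and independently of roles: a
        # highly privileged role in tenant A grants nothing in tenant B.
        if resource_tenant != principal.tenant_id:
            self._record(principal, action, resource_tenant, False, "cross_tenant")
            return False

        allowed = action in self.permissions_for(principal)
        reason = "role_grant" if allowed else "not_granted"
        # Every denial is logged; successful use is logged when security-relevant.
        if not allowed or action in SECURITY_RELEVANT:
            self._record(principal, action, resource_tenant, allowed, reason)
        return allowed

    def _record(self, p: Principal, action: str, resource_tenant: str,
                allowed: bool, reason: str) -> None:
        self.audit_log.append(AuditEntry(p.user_id, p.tenant_id, action,
                                         resource_tenant, allowed, reason))


if __name__ == "__main__":
    # Constructed sample principals for a stand-alone run.
    policy = AccessPolicy()
    reviewer = Principal("u-reviewer", "tenant-a", frozenset({"reviewer"}))
    admin = Principal("u-admin", "tenant-a", frozenset({"tenant_admin"}))
    print(policy.authorize(reviewer, "approve_report", "tenant-a"))   # True
    print(policy.authorize(admin, "view_case", "tenant-a"))           # False
    print(policy.authorize(reviewer, "view_case", "tenant-b"))        # False
    for entry in policy.audit_log:
        print(entry)
```

The order of checks matters: evaluating the tenant boundary before the role lookup means the audit record for a cross-tenant attempt says "cross_tenant" rather than "not_granted", which is the distinction an incident responder needs when reading the log.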
Data handling
Encryption, storage, and boundaries.
Handling rules follow contract and deployment type. Where regional or dedicated storage is required, it is specified in agreement—not assumed from this summary.
In transit
Client-to-service and service-to-service traffic is encrypted with TLS. Minimum protocol versions and permitted cipher suites are reviewed and kept current as part of operational practice.
At rest
Stored data uses industry-standard encryption for sensitive payloads; secrets and credentials are not stored in plaintext in application configuration.
Boundaries and retention
Tenant isolation is a design requirement for multi-tenant deployment. Data retention, regional residency, and deletion timelines are set in contract and technical configuration—not implied by this page.
Enterprise review
Procurement and diligence.
Serious buyers should expect a structured vendor review. We align with that process rather than substituting a public page for it.
What we typically provide in procurement
Architecture summaries, data-flow descriptions, answers to security questionnaires where applicable, and under NDA: additional detail on controls, subprocessors, and incident response aligned to your template.
What we do not claim here
We do not list specific certification dates, report numbers, or universal HIPAA/SOC compliance on a public page—those assertions are deployment- and time-specific and belong in your vendor file after review.
Operations
Infrastructure and incident response.
Production operations complement preventive controls. Specific SLAs and escalation paths are contractual.
Contact
Route security and procurement questions through your normal vendor process. For initial outreach: hello@follicleintelligence.ai. Reference integration and licensing for technical and commercial context.
Follicle Intelligence™ connects HairAudit (surgical evidence and audit surface), Hair Longevity Institute (biology and longitudinal treatment intelligence), and IIOHR (methodology, training, standards, and governance alignment).