// Trust & Security Report

    K Health Inc. logo

    K Health Inc.

    AI-powered virtual primary care platform with symptom checker, telemedicine consultations, and clinical AI combining machine learning with 400M+ anonymized clinical notes to deliver personalized healthcare guidance and provider connections.

    Certifications held

    2

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    HIPAA Compliance
    HELD

    K Health is a GDPR-compliant health service governed by HIPAA and employs the 'safe harbor method' for de-identification of data.

    Verify on khealth.com
    GDPR Compliance
    HELD

    K Health is a GDPR-compliant health service governed by HIPAA and employs the 'safe harbor method' for de-identification of data.

    Verify on khealth.com
    > Show 8 unconfirmed / not-held certifications
    SOC 2 Type 1
    NOT CONFIRMED

    No public evidence of SOC 2 Type 1 certification found on K Health's website or through web search.

    source: khealth.com
    SOC 2 Type 2
    NOT CONFIRMED

    No public evidence of SOC 2 Type 2 certification found on K Health's website or through web search.

    source: khealth.com
    ISO 27001
    NOT CONFIRMED

    No public evidence of ISO 27001 certification found despite industry standard for healthcare SaaS vendors.

    source: khealth.com
    HITRUST CSF Certification
    NOT CONFIRMED

    No public evidence of HITRUST certification found despite being industry-standard gold-standard for healthcare vendors (99.41% HITRUST-certified environments reported no data breaches in 2024).

    source: khealth.com
    ISO 27017 (Cloud Security)
    NOT CONFIRMED

    No public evidence found.

    source: khealth.com
    ISO 27018 (Cloud Privacy)
    NOT CONFIRMED

    No public evidence found.

    source: khealth.com
    ISO/IEC 42001 (AI Governance)
    NOT CONFIRMED

    No public evidence found. K Health uses AI extensively but no formal AI governance certification published.

    source: khealth.com
    PCI DSS
    NOT CONFIRMED

    No public evidence found (likely not applicable as K Health does not handle direct payment card processing).

    source: khealth.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Not offered

    Data region

    Multiple (uses Google Cloud with HIPAA-compliant infrastructure; specific regions not published)

    K Health uses 400M+ anonymized clinical notes from historical data for machine learning. No clear statement on whether current customer data is used for model training. Anonymization protocol removes personal identifying information (ID numbers, phone numbers, addresses, profession, country of origin). No explicit opt-out for customer data usage in training found.

    // Security controls

    Encryption in Transit

    TLS 1.2+ (encrypted transportation for all data transferred from app to K Health servers)

    khealth.com

    Encryption at Rest

    Data encrypted while stored in database servers

    khealth.com

    Identity Verification

    Biometric verification required (government-issued ID and selfie comparison for account security)

    khealth.com

    Vulnerability Monitoring

    Regularly monitors systems for possible vulnerabilities and attacks; third-party services engaged for enhancing security

    khealth.com

    Bug Bounty Program

    Active HackerOne bug bounty program to leverage security research community

    hackerone.com

    Data Deletion

    Accounts and all personally identifiable information can be deleted upon user request

    khealth.com

    Cloud Infrastructure

    HIPAA-compliant Google Cloud infrastructure using Kubernetes Engine and BigQuery for data processing

    doit.com

    // Products & data scope

    K Health App (Consumer)Telemedicine / Symptom Checker / Virtual Primary Care

    data: Personal health information, biometric data (ID and selfie), insurance information, medical history

    4M+ users, most downloaded medical app in US. Combines AI symptom checker with telemedicine consultations. Uses anonymized 400M+ clinical notes for ML. Requires biometric identity verification.

    K Health Enterprise/Health SystemsVirtual Primary Care Platform

    data: Same as consumer app; deployed through health systems

    Available through health systems; enables integration with existing clinical workflows

    K PharmacyPharmacy Services

    data: Prescription information, insurance data, health records

    Pharmacy integration component; subject to same privacy practices as main platform

    // What to watch

    • MISSING_INDUSTRY_STANDARD_CERTS: No SOC 2 Type I/II despite being critical for healthcare SaaS. No ISO 27001. No HITRUST CSF (gold standard in healthcare). These are concerning gaps for a company handling protected health information at scale (4M+ users).
    • DATA_SHARING_CONCERN: Privacy policy states K Health may have 'sold' or 'shared' personal information with advertising/marketing and analytics partners in the previous 12 months. This is problematic for a HIPAA-governed healthcare platform and contradicts privacy-first positioning.
    • NO_PUBLIC_TRUST_CENTER: Unlike peer healthcare vendors, K Health does not maintain a public trust center with detailed security documentation, compliance attestations, or third-party audit reports.
    • WEBSITE_BLOCKING: K Health's primary domain is behind Cloudflare anti-bot protection, preventing direct verification of security claims. Privacy policies are inaccessible via standard web fetch (HTTP 403).
    • AI_TRAINING_CLARITY_GAP: While historical data (400M+ anonymized notes) is clearly used for model training, the policy on current customer data usage is ambiguous. No explicit opt-out mechanism found.
    • GDPR_HIPAA_STATED_NOT_CERTIFIED: Compliance is stated in privacy policies but no formal audit reports or third-party certifications (like SOC 2 with applicable controls) publicly available to verify implementation.
    • BIOMETRIC_PRIVACY_RISK: Requires upload of government ID and facial imagery (selfie) for verification. Handling of biometric data and retention policies not clearly documented.
    • OVER_CLAIM_POTENTIAL: Marketing positions K Health as secure/compliant, but formal certifications (SOC 2, ISO 27001, HITRUST) expected for a $900M healthcare platform are absent from public record.

    // At a glance

    Pricing model

    Freemium (symptom checker free; premium consultations require payment or insurance; also available through enterprise health system agreements)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on K Health Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    khealth.com

    > Browse all vendor trust reports