// Trust & Security Report
K Health Inc.
AI-powered virtual primary care platform with symptom checker, telemedicine consultations, and clinical AI combining machine learning with 400M+ anonymized clinical notes to deliver personalized healthcare guidance and provider connections.
Certifications held
2
Maturity
Growth
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on khealth.com“K Health is a GDPR-compliant health service governed by HIPAA and employs the 'safe harbor method' for de-identification of data.”
Verify on khealth.com“K Health is a GDPR-compliant health service governed by HIPAA and employs the 'safe harbor method' for de-identification of data.”
> Show 8 unconfirmed / not-held certifications
source: khealth.comNo public evidence of SOC 2 Type 1 certification found on K Health's website or through web search.
source: khealth.comNo public evidence of SOC 2 Type 2 certification found on K Health's website or through web search.
source: khealth.comNo public evidence of ISO 27001 certification found despite industry standard for healthcare SaaS vendors.
source: khealth.comNo public evidence of HITRUST certification found despite being industry-standard gold-standard for healthcare vendors (99.41% HITRUST-certified environments reported no data breaches in 2024).
source: khealth.comNo public evidence found. K Health uses AI extensively but no formal AI governance certification published.
source: khealth.comNo public evidence found (likely not applicable as K Health does not handle direct payment card processing).
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Not offered
Data region
Multiple (uses Google Cloud with HIPAA-compliant infrastructure; specific regions not published)
K Health uses 400M+ anonymized clinical notes from historical data for machine learning. No clear statement on whether current customer data is used for model training. Anonymization protocol removes personal identifying information (ID numbers, phone numbers, addresses, profession, country of origin). No explicit opt-out for customer data usage in training found.
// Security controls
Encryption in Transit
TLS 1.2+ (encrypted transportation for all data transferred from app to K Health servers)
khealth.comIdentity Verification
Biometric verification required (government-issued ID and selfie comparison for account security)
khealth.comVulnerability Monitoring
Regularly monitors systems for possible vulnerabilities and attacks; third-party services engaged for enhancing security
khealth.comBug Bounty Program
Active HackerOne bug bounty program to leverage security research community
hackerone.comData Deletion
Accounts and all personally identifiable information can be deleted upon user request
khealth.comCloud Infrastructure
HIPAA-compliant Google Cloud infrastructure using Kubernetes Engine and BigQuery for data processing
doit.com// Products & data scope
data: Personal health information, biometric data (ID and selfie), insurance information, medical history
4M+ users, most downloaded medical app in US. Combines AI symptom checker with telemedicine consultations. Uses anonymized 400M+ clinical notes for ML. Requires biometric identity verification.
data: Same as consumer app; deployed through health systems
Available through health systems; enables integration with existing clinical workflows
data: Prescription information, insurance data, health records
Pharmacy integration component; subject to same privacy practices as main platform
// What to watch
- MISSING_INDUSTRY_STANDARD_CERTS: No SOC 2 Type I/II despite being critical for healthcare SaaS. No ISO 27001. No HITRUST CSF (gold standard in healthcare). These are concerning gaps for a company handling protected health information at scale (4M+ users).
- DATA_SHARING_CONCERN: Privacy policy states K Health may have 'sold' or 'shared' personal information with advertising/marketing and analytics partners in the previous 12 months. This is problematic for a HIPAA-governed healthcare platform and contradicts privacy-first positioning.
- NO_PUBLIC_TRUST_CENTER: Unlike peer healthcare vendors, K Health does not maintain a public trust center with detailed security documentation, compliance attestations, or third-party audit reports.
- WEBSITE_BLOCKING: K Health's primary domain is behind Cloudflare anti-bot protection, preventing direct verification of security claims. Privacy policies are inaccessible via standard web fetch (HTTP 403).
- AI_TRAINING_CLARITY_GAP: While historical data (400M+ anonymized notes) is clearly used for model training, the policy on current customer data usage is ambiguous. No explicit opt-out mechanism found.
- GDPR_HIPAA_STATED_NOT_CERTIFIED: Compliance is stated in privacy policies but no formal audit reports or third-party certifications (like SOC 2 with applicable controls) publicly available to verify implementation.
- BIOMETRIC_PRIVACY_RISK: Requires upload of government ID and facial imagery (selfie) for verification. Handling of biometric data and retention policies not clearly documented.
- OVER_CLAIM_POTENTIAL: Marketing positions K Health as secure/compliant, but formal certifications (SOC 2, ISO 27001, HITRUST) expected for a $900M healthcare platform are absent from public record.
// At a glance
Pricing model
Freemium (symptom checker free; premium consultations require payment or insurance; also available through enterprise health system agreements)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on K Health Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
khealth.com