HIPAA Compliance
Last updated: May 23, 2026
Icosa, LLC ("Icosa") is committed to protecting the privacy and security of all data processed through our personality assessment platform. While personality assessment results are generally not classified as Protected Health Information (PHI) and the Icosa app is not medical software, we choose to honor and secure all user data to the same standards required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the HITECH Act, and their implementing regulations.
1. Our Commitment
Personality assessments, by themselves, are not generally considered PHI under HIPAA, and Icosa is not a covered entity, healthcare provider, or medical device manufacturer. Even so, we voluntarily apply HIPAA-grade standards to all assessment data. We believe that personality assessment data—which reveals intimate details of an individual's psychological structure—deserves the highest standard of protection. Every user benefits from these safeguards, regardless of whether their assessment is administered through a healthcare provider.
2. Business Associate Agreements
Beta notice: Icosa does not currently offer Business Associate Agreements (BAAs). Do not transmit actual Protected Health Information through the platform. Users should treat the service as a consumer personality assessment tool, not a clinical system of record.
Icosa is not a HIPAA covered entity. Personality assessment data, on its own, is generally not classified as PHI. We apply HIPAA-grade safeguards to all assessment data as a matter of policy, but we are not entering into BAAs at this stage of the product.
3. Data We Protect
Icosa applies the safeguards described below to:
- Assessment responses and computed personality profiles
- Narrative interpretations generated from assessment data
- Longitudinal assessment history and developmental tracking data
- Dyadic (couples) assessment data, including relational compatibility analyses
- Any data linked to an identifiable individual that is created, received, maintained, or transmitted by Icosa in connection with assessment services
4. Technical Safeguards
Encryption
- Data at rest: Sensitive fields stored in our database are encrypted with AES-256 authenticated encryption
- Data in transit: All communications between clients and servers run over TLS 1.2 or higher
- Encryption keys: Managed through a key provider abstraction with rotation support and a per-key versioning registry
Access Controls
- Role-based access control (RBAC): System access is limited to the minimum necessary for each user role (consumer, practitioner, administrator)
- Unique user identification: Every user has a unique identifier; no shared accounts are permitted
- Automatic session termination: Inactive sessions are terminated after a defined period
- Authentication: Passwordless authentication via single-use magic links, eliminating password-related vulnerabilities
Audit Controls
- Access to sensitive data is logged with timestamps, user identifiers, and action descriptions
- Audit logs are retained for 7 years
- HMAC-chained integrity verification detects tampering of audit log entries
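The HMAC-chained audit log mentioned above, as an added illustration that is not Icosa's code: each record's tag is an HMAC over the previous record's tag plus the record's canonical JSON, so editing or removing an earlier entry invalidates every tag that follows it. The key, user identifiers and log entries are constructed for the demo.

```python
import hmac
import hashlib
import json
from datetime import datetime, timezone

# Constructed demo key; a real deployment would fetch it from the key provider.
AUDIT_KEY = b"demo-audit-hmac-key-not-for-production"
GENESIS_TAG = "0" * 64  # chain anchor used before the first record exists


def _entry_tag(key: bytes, prev_tag: str, entry: dict) -> str:
    """HMAC-SHA256 over the previous tag and this entry's canonical JSON."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag.encode() + b"\n" + canonical, hashlib.sha256).hexdigest()


def append_entry(log: list, key: bytes, user_id: str, action: str, resource: str, ts=None) -> dict:
    """Append one audit record whose tag chains to the record before it."""
    entry = {
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "user": user_id,
        "action": action,
        "resource": resource,
    }
    prev_tag = log[-1]["tag"] if log else GENESIS_TAG
    record = {"entry": entry, "tag": _entry_tag(key, prev_tag, entry)}
    log.append(record)
    return record


def verify_chain(log: list, key: bytes):
    """Return None if every tag checks out, else the index of the first bad record."""
    prev_tag = GENESIS_TAG
    for i, record in enumerate(log):
        expected = _entry_tag(key, prev_tag, record["entry"])
        if not hmac.compare_digest(expected, record["tag"]):
            return i
        prev_tag = record["tag"]
    return None


def build_demo_log() -> list:
    """Three constructed records: a practitioner reads and exports a profile, an admin deletes an account."""
    log = []
    append_entry(log, AUDIT_KEY, "practitioner-42", "read_profile", "profile:tok_abc", ts="2026-05-23T10:00:00+00:00")
    append_entry(log, AUDIT_KEY, "practitioner-42", "export_profile", "profile:tok_abc", ts="2026-05-23T10:05:00+00:00")
    append_entry(log, AUDIT_KEY, "admin-7", "delete_account", "user:u-99", ts="2026-05-23T11:00:00+00:00")
    return log
```

Note the caveat the chain alone does not cover: deleting records from the tail leaves a valid shorter chain, so the latest tag must also be anchored somewhere the log writer cannot alter (for example, periodically recorded out of band).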
Transmission Security
- All API endpoints enforce HTTPS; unencrypted HTTP connections are rejected
- All mobile application network requests enforce HTTPS with certificate validation
- Strict Content Security Policies prevent data exfiltration
5. Operational Safeguards
- Incident response: A documented process for triaging, containing, and disclosing security incidents
- Risk review: Periodic review of threats to user data, with mitigations tracked in our security backlog
- Access discipline: Production data access is limited, logged, and reviewed; service credentials are scoped and rotatable
- Continuity: Database backups and recovery procedures protect against data loss
6. Infrastructure and Sub-processors
Icosa runs on the following infrastructure sub-processors, each of which maintains its own physical and platform-level security controls (SOC 2 Type II or equivalent). Icosa does not directly operate physical data centers.
- Cloudflare — edge routing, TLS termination, DDoS protection, rate limiting, and Turnstile bot protection on public forms
- Render — application hosting
- Neon — managed database
- Amazon Web Services — transactional email (SES) for authentication and notification messages
The following providers process assessment-related data outside of our direct infrastructure as part of the narrative-generation and research workflows. They are bound by data processing agreements (or equivalent contractual safeguards) and are prohibited by their commercial terms from using customer inputs or outputs to train their foundation models:
- Anthropic (Claude) — receives your numerical personality profile and structural features to generate the personalized narrative interpretation. Directly identifying data (name, email) is not sent; profiles are referenced by an opaque token.
- OpenAI — generates text embeddings for practitioner-facing client search and internal research workflows. Individual assessment responses are not sent to OpenAI.
Product analytics (PostHog, hosted in the European Union) and payments (Stripe) are additional sub-processors that do not receive assessment content. PostHog receives anonymized event names and a post-signin user ID; Stripe receives billing data for paid subscriptions only.
The complete sub-processor list, with data categories, regions, and transfer mechanisms, is published at /sub-processors.
7. Breach Notification
In the event of a security breach affecting user data, Icosa will:
- Notify affected users without unreasonable delay, and in no case later than 60 calendar days after discovery
- Provide a description of the incident, the data involved, and steps users can take to protect themselves
- Provide contact information for follow-up inquiries
8. De-Identification
When Icosa uses assessment data for research or service improvement, we apply de-identification methods consistent with the HIPAA Safe Harbor standard. De-identified data has the 18 categories of identifiers removed and cannot reasonably be used to identify an individual.
9. Minimum Necessary
Access to user data is limited to the minimum needed for the task at hand. This applies to internal access, third-party sub-processors, and any data shared through the platform.
10. Data Retention
Icosa retains assessment records for up to 7 years from the date of assessment. Audit logs are retained for the same period. You may delete your data earlier through the self-service Delete My Account control in your account (see Privacy Policy §8). Destruction is automated and uses methods that prevent recovery.
11. Your Data Rights
Regardless of HIPAA's strict applicability, Icosa honors the following user rights through self-service controls in your account (see Privacy Policy §8):
- Access and export of your assessment data
- Correction of inaccurate account data
- Deletion of your account and associated data
- Withdrawal of consent for optional processing
12. Contact
For security or compliance inquiries, contact us at:
Icosa, LLC — Compliance
8 The Green, Suite A, Dover, DE 19901
Email: compliance@icosa.org
Related Policies
See also our Privacy Policy, Terms of Service, GDPR Compliance, and Sub-processors pages.