Kingdom Automations Kingdom Automations

Security & Compliance

How we handle HIPAA/PII data, secure integrations, and deliver compliant automation systems.

Last updated:

1. Scope & Roles

This page describes how Kingdom Automations (“we/us”) designs and implements compliant automation systems. Depending on the engagement, we may act as:

  • Service provider / processor for personal data we handle under your instructions.
  • Independent controller for our own site analytics and business operations. See our Privacy Policy.

2. Frameworks & Standards

  • HIPAA-aligned design for PHI flows (minimum necessary, access control, audit logging).
  • CPRA/GDPR principles for PII (lawful basis, purpose limitation, data minimization, retention limits).
  • Industry practices mapped to NIST CSF / CIS Controls for security hardening.

3. Data Types We May Handle

  • PHI/PII supplied by your staff or systems (e.g., patient intake, legal intake).
  • Operational data (task states, timestamps, workflow metrics).
  • Configuration data (API keys stored in your secure environment).

We avoid storing production data in our systems unless strictly required by the Order.

4. Security Controls (Overview)

Access Control

  • Least-privilege and role-based access to client assets.
  • MFA enforced on admin tools; credential rotation on role changes.
  • API keys/secrets stored in client-managed vaults or environment variables.

Data Protection

  • TLS 1.2+ in transit; AES-256 (or provider standard) at rest.
  • Data minimization; pseudonymization where feasible.
  • Redaction for logs and error traces.

Monitoring & Logging

  • Change tracking for workflow automations.
  • Audit logs for privileged actions where supported.
  • Alerting on failures and unusual spikes.

Business Continuity

  • Provider-level backups per vendor policy.
  • Version-controlled infrastructure-as-config for automations.
  • Runbooks and rollback procedures for critical flows.

Environment Separation

We recommend strict separation of dev / staging / prod, with masked data in non-prod and restricted deploy permissions.

5. Subprocessors & Vendors

We use reputable infrastructure and SaaS vendors. Specific tools vary by project and are documented in the Order/SOW. Typical categories include:

  • Hosting (cloud platforms), databases, storage.
  • Automation/orchestration tools (e.g., n8n, workflow engines).
  • Email/SMS delivery, form capture, identity/SSO.
  • Analytics and error monitoring (with redacted data).

We can provide a current vendor list for your deployment upon request.

6. BAA / DPA

  • We’ll sign a Business Associate Agreement (BAA) when a project involves PHI.
  • We’ll sign a Data Processing Addendum (DPA) for GDPR/CPRA-covered processing.
  • We prefer client-standard forms; otherwise we can provide templates.

7. Data Retention & Deletion

We keep only the minimum data needed to deliver the Services. Upon request or project end, we assist with export and deletion from automation components under our control, except where retention is required by law or for legitimate business records (invoices, contracts).

8. Incident Response

  • We triage security events, contain impact, and coordinate with affected clients.
  • Where required, we assist with regulatory notifications and post-mortems.
  • We implement corrective actions and update runbooks accordingly.

9. Access, Correction, Deletion Requests

For site data, see our Privacy Policy. For project data where we act as processor, we will support your responses to data subject requests, subject to verification and applicable law.

10. Shared Responsibility

You manage

  • User provisioning, SSO/2FA, and role assignments in your tools.
  • Approval of vendors and storage locations (e.g., region/data residency).
  • Content and lawfulness of data provided to automations.
  • Operational reviews of outputs before use with customers/patients/clients.

We manage

  • Designing least-privilege workflows and secure integrations.
  • Documenting data flows and controls in the build plan.
  • Change management for automations we maintain under retainer.

11. Audit & Security Reviews

We participate in reasonable security questionnaires and provide architecture diagrams/runbooks relevant to your deployment. For deeper assessments, we’ll coordinate scope, confidentiality, and reasonable fees.

12. Contact

Compliance questions: charles@kingdomautomations.tech

Cookie choices: Open Cookie Preferences