Regulatory Compliance

HIPAA 🇺🇸

The Genius Scan SDK is designed to operate entirely within the end-user’s device. We do not host, view, transmit, or store any data processed by the SDK.

This architecture enables developers to fully comply with the Health Insurance Portability and Accountability Act (HIPAA).

Because we do not have access to Protected Health Information (PHI), we do not act as a Business Associate under HIPAA regulations (45 CFR § 160.103). Consequently, a Business Associate Agreement (BAA) is not required (see Department of Health & Human Services FAQ 256).

Integrator Responsibilities

To ensure your application complies with HIPAA while using the SDK, you must implement the following safeguards:

  • Access Control: Ensure the application environment is secure and access is restricted to authorized users.
  • Encryption: Encrypt any PHI stored on the device or transmitted to your backend servers.
  • Data Cleanup: The SDK outputs scan results to temporary files on the device. You must programmatically erase these files immediately after handing them over to your host application or uploading them to your secure backend. The SDK does not automatically purge these files (to allow for potential retries), so manual cleanup is essential to prevent unintended retention of PHI.
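The handover-then-purge pattern the Data Cleanup item describes, as an added, platform-neutral illustration (Python, not Genius Scan SDK code, and not a language the SDK ships for). The SDK leaves its output files in place so a failed upload can be retried, so the rule is: delete a file only once its delivery has been confirmed, and sweep any leftovers on a later occasion. The function names, the upload callback and the sample files are all constructed for this example.

```python
"""Handover-then-purge pattern for SDK output files.

Added illustration, not Genius Scan SDK code: the SDK writes scan results to
temporary files and intentionally does not delete them, so the integrator
must remove them once they have been delivered. The function names, the
upload callback and the sample files below are all constructed for this
example.
"""
import os
import tempfile
from pathlib import Path
from typing import Callable, Iterable


def deliver_and_purge(
    paths: Iterable[str],
    upload: Callable[[bytes], bool],
) -> dict:
    """Upload each scan output and delete it only after the upload succeeded.

    Files whose upload fails are kept on disk so the caller can retry; nothing
    is deleted speculatively. Returns which paths were purged and which were
    retained for a later retry.
    """
    purged, retained = [], []
    for path in paths:
        p = Path(path)
        if not p.is_file():
            # Already gone (e.g. purged on a previous retry); nothing to do.
            continue
        data = p.read_bytes()
        if upload(data):
            # Delivery confirmed: remove the temporary copy so PHI does not
            # linger in the app's cache directory.
            p.unlink()
            purged.append(str(p))
        else:
            retained.append(str(p))
    return {"purged": purged, "retained": retained}


def purge_stale_outputs(directory: str, suffixes=(".jpg", ".pdf")) -> list:
    """Safety net: delete leftover scan outputs, e.g. at app start or logout.

    Covers outputs that survived a crash between scan and upload.
    """
    removed = []
    for p in Path(directory).iterdir():
        if p.is_file() and p.suffix.lower() in suffixes:
            p.unlink()
            removed.append(str(p))
    return removed


def demo() -> dict:
    """Simulate one failed and one successful upload over constructed files."""
    outdir = tempfile.mkdtemp(prefix="scan_out_")
    files = []
    for name in ("page1.jpg", "page2.jpg", "doc.pdf"):
        f = Path(outdir) / name
        f.write_bytes(b"constructed scan bytes for " + name.encode())
        files.append(str(f))

    # Constructed backend: rejects the first call (network error), accepts after.
    calls = {"n": 0}

    def flaky_upload(data: bytes) -> bool:
        calls["n"] += 1
        return calls["n"] != 1

    first = deliver_and_purge(files, flaky_upload)        # page1 retained
    second = deliver_and_purge(first["retained"], flaky_upload)  # page1 purged

    # A constructed orphan standing in for output left behind by a crash.
    (Path(outdir) / "orphan.jpg").write_bytes(b"constructed orphan")
    leftover = purge_stale_outputs(outdir)
    os.rmdir(outdir)
    return {"first": first, "second": second, "leftover": leftover}


if __name__ == "__main__":
    print(demo())
```

The split into two functions is deliberate: `deliver_and_purge` is the happy path tied to a confirmed upload, while `purge_stale_outputs` handles the case the first function cannot see, an app that was killed between scan and upload and left PHI in the temporary directory.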

GDPR 🇪🇺

The Genius Scan SDK is engineered with a “Privacy by Design” architecture. We help you meet the strictest requirements of the General Data Protection Regulation (GDPR) by ensuring that you—and only you—retain complete ownership and control over your users’ data.

The SDK processes all documents entirely on-device. We never see, store, or transmit your users’ documents or extracted text.

Data Processing Agreement (DPA)

While the SDK includes a default license auto-refresh feature that uses a pseudonymous device identifier, integrators can completely disable all network connections to our servers.

In this configuration, absolutely no data is transmitted to us. As we do not process personal data on your behalf, we do not act as a sub-processor under GDPR, and no Data Processing Agreement is required.

DORA 🇪🇺

The Digital Operational Resilience Act (DORA) mandates that financial entities ensure they can withstand, respond to, and recover from all types of technology-related disruptions and threats.

The Genius Scan SDK is architected to support your compliance with DORA requirements:

  • Offline Mode: The SDK’s core functions (scanning, image processing, OCR, and PDF generation) run entirely on the device. They do not depend on the availability of our servers. This ensures that your critical document workflows (e.g., customer onboarding, claims processing) remain operational even during network outages or if our company were to experience a service disruption. The online license auto-refresh feature is optional: it exists only to increase resilience and can be disabled by the integrator.
  • No Data Lock-In: Since the SDK does not store your data, there is no risk of data inaccessibility due to vendor failure. You retain full custody of the generated documents at all times, supporting your exit strategies and transition plans.
  • Supply Chain Security: All third-party dependencies are documented to assist you in maintaining your Software Bill of Materials (SBOM) and conducting vulnerability assessments.
  • Security Updates: We provide regular SDK updates to address potential security vulnerabilities and ensure compatibility with the latest mobile operating systems.

DORA Addendum

Ready to get started?

Start with a free trial license to test the SDK, or contact us directly for a custom quote tailored to your needs.


© 2026 The Grizzly Labs. All rights reserved.