VEXKIO

Ethics & Privacy

Six engineering commitments to the people being sensed.

Affective computing has a credibility problem, and it earned it. VEXKIO's architecture was designed to answer one question first: if a regulator walks in, can we defend this? Every commitment below is load-bearing in the code.

Commitment 01

Video never leaves the device.

The VEXKIO SDK extracts MediaPipe landmarks in the browser and ships only 12-feature windows to our API. There is no endpoint at vexkio.com that accepts a frame. This is engineering, not policy — if an attacker compromised our network, there would be no biometric images to exfiltrate because the SDK never produced any.

Commitment 02

Consent is a first-class input, not a checkbox.

Every VEXKIO session carries a consent_id. The API rejects any inference call without an active record. Revocation is GDPR Art. 17 grade: DELETE /v1/consent/{session_id} cascades across inference_results, analysis_sessions, and the audit log within 72 hours.

Commitment 03

Individuals are never ranked inside organisations.

VEXKIO Wellbeing aggregates team-level wellbeing signals with a mandatory k-anonymity floor (k = 5). There is no product surface that lets a manager see one employee's emotional signal. The database schema refuses to store per-user wellbeing rows.

Commitment 04

Children get a separate, narrower model.

VEXKIO Kids uses a dedicated model trained on child facial expressions with a simpler taxonomy (happy, sad, confused, bored, excited). Parental consent is mandatory, not implied. The kids product does not surface 'friction' or 'disengagement' scores — only primary affect.

Commitment 05

Biometric fields cannot reach the logs.

A structlog processor (BiometricScrubbingProcessor) raises ComplianceError the moment any handler tries to log ear_*, mar_*, gaze_*, head_*, or landmarks. The enforcement is at the call site — a developer cannot accidentally add a log line that leaks PII.
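How a processor of this kind can be built, as an added example that is not VEXKIO's own code: it reuses only the names the page gives (BiometricScrubbingProcessor, ComplianceError, the ear_*/mar_*/gaze_*/head_* prefixes and landmarks) and assumes structlog's processor signature (logger, method_name, event_dict); the helpers find_biometric_keys and try_log are hypothetical, and the sample events are constructed.

```python
"""Added illustration (not VEXKIO's code) of a fail-closed biometric guard shaped like a
structlog processor: a callable (logger, method_name, event_dict) -> event_dict."""
from typing import Any, Mapping

BIOMETRIC_PREFIXES = ("ear_", "mar_", "gaze_", "head_")  # eye/mouth ratios, gaze, head pose
BIOMETRIC_KEYS = {"landmarks"}                           # raw MediaPipe landmark arrays


class ComplianceError(RuntimeError):
    """Raised inside the processor chain; structlog propagates it to the log call site."""


def find_biometric_keys(event_dict: Mapping[str, Any], path: str = "") -> list[str]:
    """Dotted paths of biometric keys, descending into nested mappings so a
    landmark blob tucked inside a sub-dict is still caught."""
    found: list[str] = []
    for key, value in event_dict.items():
        dotted = f"{path}{key}"
        # Prefix match is deliberate: "head_pitch" is flagged, "headcount" is not.
        if key in BIOMETRIC_KEYS or str(key).startswith(BIOMETRIC_PREFIXES):
            found.append(dotted)
        elif isinstance(value, Mapping):
            found.extend(find_biometric_keys(value, f"{dotted}."))
    return found


class BiometricScrubbingProcessor:
    def __call__(self, logger: Any, method_name: str, event_dict: dict) -> dict:
        # Refuse the whole event rather than redact part of it: fail closed.
        offending = find_biometric_keys(event_dict)
        if offending:
            raise ComplianceError(
                f"refusing to log biometric field(s) {offending} via log.{method_name}()"
            )
        return event_dict


def try_log(event_dict: dict) -> str:
    """Run one event through the processor; report 'logged' or 'rejected'."""
    try:
        BiometricScrubbingProcessor()(None, "info", dict(event_dict))
        return "logged"
    except ComplianceError:
        return "rejected"


if __name__ == "__main__":
    # Constructed event, not real telemetry: a landmark blob nested in a sub-dict.
    print(try_log({"event": "debug_frame", "frame": {"landmarks": [0.1, 0.2]}}))
```

Placed first in `structlog.configure(processors=[...])`, the processor sees the merged context and event before any renderer, so a stray `log.debug(..., ear_left=x)` fails at the line that wrote it rather than at a log sink.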

Commitment 06

We publish the compliance posture.

Our SOC 2 Type II report, GDPR Art. 9 DPIA, and HIPAA-readiness attestation are available under NDA. Our architecture choices — no video storage, consent-gated APIs, append-only audit logs — are all readable in the public spec at VEXKIO_MASTER.md.

Questions, audits, or responsible-disclosure reports go to security@vexkio.com.