Privacy Policy

Last updated: April 2026

What We Collect

Tessara is a monitoring tool that operates on FHIR API structural metadata only. We do not collect, store, or process protected health information (PHI).

When you use our website or contact us, we may collect:

  • Contact information (name, email, company) provided voluntarily via forms
  • Basic website analytics (page views, referrer, general location)
  • Technical logs (API endpoint URLs, resource types, conformance check results)

How We Use Data

We use collected data to:

  • Respond to inquiries and demo requests
  • Provide conformance monitoring services
  • Improve product functionality
  • Understand how our website is used

Data Sharing

We do not sell or share personal data with third parties, except:

  • When required by law
  • With your explicit consent
  • To service providers operating under strict confidentiality agreements

Data Retention

Contact form submissions are retained for 2 years. Conformance check evidence chains are retained indefinitely or until the customer requests deletion. Website analytics are anonymized and retained for 13 months.

Your Rights

You have the right to:

  • Access your data
  • Request deletion
  • Opt out of analytics
  • Export your evidence chain data

Contact hello@tessara.us to exercise these rights.

Terms of Service

Last updated: April 2026

Acceptance of Terms

By using Tessara, you agree to these terms. If you do not agree, do not use the product.

Service Description

Tessara monitors FHIR API structural conformance to published Implementation Guide specifications. It does NOT provide legal advice, regulatory certification, or compliance guarantees.

User Responsibilities

You are responsible for:

  • Ensuring you have authorization to monitor the target FHIR APIs
  • Reviewing conformance findings with qualified compliance professionals
  • Making final determinations about regulatory compliance
  • Securing your Ed25519 signing keys

Limitations of Liability

Tessara is provided "as is" without warranty of any kind. We are not liable for:

  • Regulatory enforcement actions
  • Decisions made based on conformance reports
  • Service interruptions or data loss
  • Third-party FHIR API changes or unavailability

Termination

Either party may terminate service with 30 days' notice. Upon termination, you retain access to your evidence chain data for 90 days.

Required Legal Disclaimers

Product Output Disclaimer

This product identifies potential specification conformance drift for investigational purposes. Results should be reviewed by qualified compliance professionals. This product is not endorsed by, affiliated with, or a substitute for ONC-certified conformance testing programs.

Regulatory Disclaimer

Tessara monitors API structural conformance to published FHIR Implementation Guide specifications. It does not provide legal advice, regulatory certification, or compliance guarantees. Organizations should consult qualified compliance professionals and legal counsel regarding their regulatory obligations under CMS-0057-F.

HL7 Trademark Notice

HL7, FHIR and the FHIR [FLAME DESIGN] are registered trademarks of Health Level Seven International and their use does not constitute endorsement by HL7.

Government Disclaimer

This product is not endorsed by, affiliated with, or approved by the Centers for Medicare & Medicaid Services (CMS), the Office of the National Coordinator for Health Information Technology (ONC), or any federal agency.

Responsible Disclosure

Tessara welcomes coordinated vulnerability reports. Current contact channels, our PGP public key, and the canonical disclosure policy URL are published in our security.txt (RFC 9116). Please use the contact methods listed there to report any suspected vulnerability in Tessara's software, services, or website.

We commit to acknowledging good-faith reports within two business days, patching P0 (critical) vulnerabilities within seven calendar days of validation, and publicly disclosing the issue and fix no later than 90 days after the fix ships — earlier on mutual agreement with the reporter.

Safe harbor: Tessara will not pursue legal action against security researchers who act in good faith, follow this policy, avoid privacy violations and service degradation, do not access data beyond the minimum necessary to demonstrate a vulnerability, and give us a reasonable window to remediate before any public disclosure. Activities consistent with this policy are considered authorized under the Computer Fraud and Abuse Act and equivalent state and international laws.

Questions? Contact us at hello@tessara.us