🔒 Data Security, Privacy, and Technical Compliance Document
Executive Summary
The MindWare Data Acquisition systems (including the MindWare BioNex, Mobile, and FLIP systems) are designed to minimize risk to institutional networks and patient privacy by operating on a completely isolated wireless network. The supplied router creates a dedicated, self-contained connection that requires no access to the campus network infrastructure, simplifying deployment and eliminating external security concerns. The university IT department is not responsible for the management, maintenance, or monitoring of this dedicated MindWare network or the provided router.
The core systems collect only raw physiological waveforms (such as ECG/EKG, ICG, and GSC) which are not personally identifiable (PII) and do not utilize Protected Health Information (PHI). This adherence to data minimization principles aligns with GDPR Article 5(1)(c). The definition of PHI is legally established in 45 CFR § 160.103. If the customer integrates optional equipment for Audio/Video (AV) recording using VideoSyncPro (Mangold International’s AV recording software) and subsequent behavioral analysis with INTERACT (Mangold’s behavioral coding software), this data inherently contains PII (e.g., faces, voices). MindWare explicitly states it will only receive de-identified raw physiological data and never the associated audio/video files. The secure handling and complete de-identification of all AV data is the sole responsibility of the customer.
All acquired data is stored locally on the user’s PC. MindWare has completed the HECVAT and VPAT for reference, which are available for download below.
Table of Contents
- MindWare Data Acquisition Systems: Data Handling and Network Isolation
- Technical Specifications and Network Protocols
- Personally Identifiable Information (PII) and HIPAA Compliance
- BioLab Software and Data Storage
- Audio/Video Data Acquisition and Handling (PII Alert)
- Data Security Assessment: HECVAT Compliance Summary
- Accessibility Conformance: VPAT (Section 508 & WCAG)
💻 MindWare Data Acquisition Systems: Data Handling and Network Isolation
MindWare Data Acquisition systems (including the Mobile, BioNex, and FLIP platforms) collect raw physiological waveforms (e.g., ECG/EKG, ICG, GSC, etc.). Importantly, the data transmitted are not personally identifiable (no PII), as the data streams contain only the raw physiological information itself. The systems are designed for research and are not FDA approved for the treatment of any disease state.
Included Systems and Part Numbers
| System | Core Item Numbers | Description |
|---|---|---|
| MindWare Mobile Device | 50-2303-00 | Wireless physiological data acquisition. |
| MindWare BioNex | 50-3711-08, 50-3711-08-AU, 50-3711-08-CN, 50-3711-08-EU, 50-3711-08-IL, 50-3711-08-UK | Multi-channel physiological recording system. |
| FLIP (Field Lab Platform) | 50-8100-00, 50-8100-01 | Portable audio/video, networking system |
| FLIP Accessories | 50-8101-00, 50-8102-00, 50-8103-00, 50-8104-00 | Dependent components that do not function independently of the core FLIP system. |
Isolated Network and Router Function
The data is wirelessly transmitted from the device to a secure, local, isolated wireless router network. This router (part number 92-0242-00) creates a dedicated, self-contained network for the MindWare system and its connected local PC.
- Dual-Band Operation: The supplied Wireless Dual Band Router broadcasts on both 2.4 GHz and 5 GHz bands to ensure robust connectivity, as detailed in the technical specifications below.
- Interference Mitigation: During power-up, the router is configured to automatically scan and select the least busy frequency channel available. This feature actively minimizes potential interference with the university’s existing wireless systems.
- Remote Support for Frequency Adjustment: MindWare Support is able to remotely log into the router to disable or adjust broadcast frequencies if needed. This provides an additional layer of control to ensure the dedicated MindWare network does not interfere with the larger campus infrastructure.
- No Campus Network Access Required: The MindWare system operates independently and does not require any access to the campus network to function properly.
- Minimal IT Support & Management Responsibility: The university IT department is not responsible for the ongoing management, maintenance, or monitoring of the MindWare network (including the supplied router). This responsibility remains entirely with MindWare Support and the local researcher for physical access control.
⚙️ Technical Specifications and Network Protocols
The MindWare Data Acquisition systems are designed to work on private research networks where the data collection host computer and the devices are all on the same subnet.
Wireless Specifications
| Feature | Details |
|---|---|
| Protocols | 802.11 a, b, g, n (single-stream) |
| Bands | 2.4 GHz, 5 GHz (20 MHz channel separation) |
| Supported Channels | 1-13, 36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108, 112, 116, 120, 124, 128, 132, 140 (Channels 149-165 in the 5GHz band are not supported) |
| Encryption Modes | TKIP, AES |
| Authentication Modes | WEP, WPA-PSK, WPA2-PSK |
Network Communication and Device Detection
| Feature | Details |
|---|---|
| Host Computer to Mobile | UDP broadcast to port 1775 |
| Mobile to Host Computer | Direct TCP connection to port 1775 |
| Sustained Data Rate | Up to 60kbit/s |
The MindWare systems are designed to be auto-detected by the BioLab software running on the host computer via a broadcast UDP packet. For cases where broadcast UDP packets are blocked, the user can perform a manual connection request through BioLab (version 3.1x or later) by sending a direct UDP packet to a specific IP address.
Roaming and Custom Configuration
While the devices will roam on networks with multiple access points, the roaming event temporarily interrupts the data flow. In dense network situations, it is highly advisable to set up a non-roaming private network for the MindWare unit to maintain optimal data integrity.
Firmware revision 0.9.7 and above allow for manual SSID entry and static IP addresses for advanced custom configurations.
⚕️ Personally Identifiable Information (PII) and HIPAA Compliance
MindWare is committed to compliance with all domestic and international ethical review boards and GDPR regulations by ensuring its core physiological data streams are non-identifiable, embodying the principle of Data Minimisation.
GDPR Alignment (MindWare Core Data)
MindWare’s practice of collecting only raw, non-identifiable physiological data aligns directly with the core principle set forth in GDPR Article 5(1)(c):
“Personal data shall be: (…) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’).”
HIPAA Compliance and PHI Definition
MindWare follows all HIPAA compliance rules and regulations when applicable. However, the system is engineered to avoid the necessity of handling Protected Health Information (PHI).
The core definition of Protected Health Information (PHI) under the HIPAA Privacy Rule is defined in 45 CFR § 160.103 as individually identifiable health information transmitted or maintained by a covered entity. MindWare systems do not receive, maintain, or transmit this type of data.
- No PHI Required: MindWare’s Data Acquisition systems do not require the utilization of an individual’s personal health information (e.g., medical records, substance abuse records, treatment plans, or psychotherapy notes) to work properly.
- No Authorization Needed: For the reasons above, HIPAA-compliant authorization is not required for MindWare Data Acquisition Systems. The authorization requirement for uses and disclosures of PHI is defined in 45 CFR § 164.508. MindWare will not be given access to, or request, any personal files that contain patient PHI.
- Data Analysis Service: MindWare’s Data Analysis Service does not qualify for HIPAA compliance as they never receive PHI, individually identifiable health information, psychotherapy notes, or records of substance abuse and treatment.
- Data De-identification: To ensure data privacy, all data sent to MindWare for analysis must be properly de-identified prior to transfer. The only identifier provided to MindWare will be a “subject ID,” but MindWare will not have any key links back to identifiable subject information.
💾 BioLab Software and Data Storage
BioLab is the data acquisition platform used with the MindWare system. Secure storage is the responsibility of the user, as BioLab does not employ user management features.
- Local Data Storage: All data is stored locally to the data acquisition computer (or some shared resource, although this is not recommended). The data is transmitted only on the local, isolated network. MindWare will not have access to any external database.
- Secure Storage Responsibility: Once the data is collected, the user is responsible for moving it to a secure, encrypted location if needed.
- Access Management: Access to the data acquisition computer should be managed through Windows logins, and any access logs can be made available through that operating system.
📹 Audio/Video Data Acquisition and Handling (PII Alert)
MindWare often includes optional equipment and the associated software, VideoSyncPro and INTERACT, within a larger quote for synchronized data recording and analysis.
VideoSyncPro is Mangold International’s audio/video recording software used for high-precision capture. INTERACT is Mangold’s behavioral coding and analysis suite used to analyze the A/V files recorded by VideoSyncPro.
Unlike the raw physiological data, AV files almost always contain Personally Identifiable Information (PII) or Protected Health Information (PHI).
MindWare’s Role and Data Ownership
- Equipment and Licensing: MindWare’s role is strictly limited to providing the AV acquisition equipment and facilitating the license acquisition for the synchronization software (VideoSyncPro) and analysis suite (INTERACT).
- No Data Handling: MindWare will only receive de-identified raw physiological data and never the associated audio/video files. MindWare does not process, store, transmit, or view AV data at any time. The AV files are stored locally on the customer’s acquisition computer.
Mangold Software Systems and Part Numbers (Acquired via MindWare Quote)
| System / Component | Item Numbers |
|---|---|
| VideoSyncPro Base License & Variations | 62-2230-00, 62-2230-01, 62-2230-02, 62-2230-03, 62-2234-00 |
| INTERACT Base License & Modules | 62-2231-00, 62-2231-01, 62-2231-02, 62-2231-03, 62-2231-04, 62-2231-05 |
Mangold’s VideoSyncPro/INTERACT Security Architecture & Functional Compliance with International Ethics Standards
Mangold International operates under the stringent European General Data Protection Regulation (GDPR), and its software architecture (VideoSyncPro for capture, INTERACT for analysis) is built to satisfy this mandate, ensuring compliance with the highest international data privacy standards. This rigorous design functionally satisfies the data protection requirements typically enforced by domestic and international ethical review boards (IRB).
GDPR Alignment (VideoSyncPro/INTERACT Security)
VideoSyncPro and INTERACT’s security features directly address the requirements for protecting personal data set forth in GDPR Article 5(1)(f):
“Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”
| Security Feature | Compliance Function |
|---|---|
| Secure File Erasure (7x Overwrite) | Guarantees non-recoverability of sensitive data, exceeding common standards for verifiable, irreversible destruction (required by IRB protocols). |
| Local, GDPR-Compliant AI Processing | Eliminates external data exposure risk by ensuring sensitive audio/video data (for features like transcription) never leaves the user’s secured local system. |
| Role-Based Access Control | Enforces the Principle of Least Privilege, allowing researchers to strictly limit sensitive data access to only authorized personnel. |
| Data Integrity Checks | Automatically verifies the authenticity of recordings through internal processes, ensuring the evidentiary integrity of collected observational data. |
Customer Responsibility for AV Data
Because AV data contains faces, voices, and potentially explicit identifiers, the customer holds full and sole responsibility for ensuring compliance with all institutional policies, state/federal laws (including HIPAA), and ethical review boards regarding this highly sensitive data type. This includes:
- Informed Consent: Securing explicit consent for recording PII/PHI.
- Secure Storage: Ensuring the AV files are stored in a secure, encrypted, access-controlled environment (e.g., approved institutional servers, not unencrypted local drives).
- De-identification: AV files must be completely stripped of all PII/PHI before any transfer or sharing outside the local secure environment (e.g., sharing with collaborators). This may require manual blurring, pixelation, or voice masking.
🛡️ Data Security Assessment: HECVAT Compliance Summary
MindWare has completed the HECVAT (Higher Education Community Vendor Assessment Toolkit) using the Full version (v3.06, dated 2025-12-30) to facilitate the institution’s risk review process. The assessment confirms that due to the on-premise, isolated nature of the MindWare system, many high-risk security domains are marked as “Not Applicable” (N/A), simplifying the compliance review.
General Assessment Information
| Field | Detail |
|---|---|
| Vendor Name | MindWare Technologies Ltd |
| Product Name | BioLab 3.4 |
| Product Description | Physiology data acquisition/analysis |
| Vendor Contact Name | Eric Morgan |
| Vendor Contact Email | [email protected] |
Key Compliance Qualifiers (High-Risk Questions)
The following summarizes MindWare’s responses to the highest-risk qualifying questions, confirming alignment with the local, isolated nature of the system:
| HECVAT Question (ID) | MindWare Response | Compliance Implication |
|---|---|---|
| Does your product process Protected Health Information (PHI) or any data covered by HIPAA? (QUAL-01) | No | Reinforces that the system does not handle PHI, mitigating HIPAA-related assessment requirements. |
| Will institution data be shared with or hosted by any third parties? (QUAL-02) | No | Confirms institutional data remains locally controlled and is not hosted by MindWare or a secondary third-party vendor (e.g., AWS, Azure, Google Cloud). |
| Is the vended product designed to process or store Credit Card information? (QUAL-05) | No | Confirms the product is not in scope for PCI DSS compliance, eliminating the need for complex payment security reviews. |
| Do you have a well documented Business Continuity Plan (BCP) that is tested annually? (QUAL-03) | Not Applicable | This is N/A because the data resides entirely on the institution’s premises and is managed by the institution. |
| Do you have a well documented Disaster Recovery Plan (DRP) that is tested annually? (QUAL-04) | Not Applicable | This is N/A because the data resides entirely on the institution’s premises and is managed by the institution. |
The complete HECVAT response document is available for review: Download MindWare HECVAT Full (PDF)
♿ Accessibility Conformance: VPAT (Section 508 & WCAG)
MindWare understands the critical importance of digital accessibility in higher education, as required by Section 508 of the Rehabilitation Act and related institutional policies. We have completed a Voluntary Product Accessibility Template (VPAT) for the BioLab 3.4 software to document its conformance to recognized accessibility standards.
| Feature | Details |
|---|---|
| Product | BioLab 3.4 |
| Report Date | 11/4/2025 |
| Standard | Revised Section 508 Edition (Based on VPAT Version 2.5) |
| WCAG Conformance | Conforms to WCAG 2.0 Level A and Level AA |
The full VPAT document, BioLab VPAT, is available here: Download BioLab 3.4 VPAT (PDF)