Security & Compliance

Healthcare-grade data protection for AI-assisted clinical documentation

Eva records a consult, drafts a clinically structured note, and hands it back to your clinician to review and finalize. Because Eva can process sensitive patient information, we treat security and data governance as part of the product — not a footnote.

This page describes what is true today. Where something is still being built, we mark it In progress, so this page also tracks what is left to finish.

Eva's specific infrastructure and vendor choices are proprietary, so we describe how your data is protected at a posture level. The named subprocessor register and detailed audit-log records are available to you and your compliance reviewer on request, under NDA.

A clinician finalizes every note

This is the boundary that matters most: Eva produces a draft; a human decides.

  • Eva captures and documents your clinical decisions. She does not make them.
  • Eva never issues a diagnosis or a prescription as her own. Those come only from what your clinician says and decides.
  • Your clinician reviews and finalizes every note before it enters the patient record.
  • Eva never writes notes into your practice-management system (PMS) on her own. The finalized note is copied in by your team.

Eva improves the completeness and consistency of your documentation. She does not replace clinical judgment, and she does not give legal or standard-of-care advice.

How Eva uses AI safely

Eva documents only what your consult evidenced.

Eva drafts every note from your captured consult (the transcript and your team's notes), never from other consults, templates, or outside knowledge. She flags any tooth or diagnosis she cannot tie back to the consult for your review, keeps ambiguous findings general with a “please verify” marker rather than guessing, and only ever echoes fees a human set — she never introduces or silently changes a fee amount. Every note is a draft your clinician reviews and signs.

Your data does not train third-party AI models.

Patient data is never used to train our AI providers' models. We select providers that offer no-training / zero-retention terms, and confirm those terms in writing before any patient data is sent. (Vendor no-training / zero-retention terms are being confirmed in writing as part of each provider agreement; see “Vendors and subprocessors” below.)

Eva's own learning is opt-in and de-identified.

Eva improves herself from your data only if you opt in (this learning is off by default) and only from de-identified examples reviewed by our team. Never automatically, and never sent to a vendor for training.

What happens to your data

One consult, followed from the microphone to your chart. A clinician reviews and signs the note, and Eva never writes to your practice-management system; your team copies the finalized note in.

Audio

1 · Record the consult

You confirm recording consent, then record. Retention of the raw audio is clinic-controlled: keep it (default), delete after the note is signed, or delete after a set number of days. Only the raw audio is ever deleted — and every deletion is written to your audit trail.

Always kept

2 · Clinical-tier transcript

Eva turns the audio into a transcript of what was actually said. The transcript is kept as part of your record even when the raw audio is later deleted.

Always kept

3 · Source-grounded note

Eva drafts a note grounded only in that consult, flagging anything she can't tie back to what was said. A clinician reviews and signs it before it enters the record.

Always kept

4 · Chart-ready draft

Your team copies the finalized note into your PMS by clipboard. Eva never writes to your PMS on her own.

Security: how we protect your data

Each control below is in place today.

Per-clinic tenant isolation (at the database level)

Each clinic's data is isolated at the database level. One clinic cannot read, change, or even see another clinic's records. This is enforced in the database itself, not just in the application.

In place

Encryption in transit

All connections use encrypted transport (TLS). Traffic to our database runs over a verified TLS channel, the application is HTTPS throughout, and outbound calls are refused over plaintext.

In place

Encryption at rest (AES-256)

Stored data (including consult audio) is encrypted at rest with AES-256 by our cloud platform.

In place

Approved-providers-only for patient data

Patient data is only ever sent to reviewed, approved providers. Anything not on the approved list is refused at the point of sending: it is blocked, not quietly used.

In place

No patient data in system logs

Application logs carry structured identifiers and counts only — never patient content.

In place

Error monitoring scrubbed of patient data

Crash and error reports are stripped of identities and free-form content before any event leaves Eva.

In place

Tamper-evident audit trail

We keep an append-only record of key actions on your clinic's data: record changes, note sign-off, configuration changes, note copied to your practice system, every audio deletion — and who opened which patient record or consult, per person, per day. Every entry can be added but never edited or deleted, so the record is tamper-evident. Clinic owners can view and export their access log in Eva; the detailed trail is available to you or your compliance reviewer on request.

In place

Per-person sign-in & role-based access

Each team member signs in with their own personal code on the clinic account, and every sign-in — including failed attempts — is recorded. Roles set what each person can see: account and billing settings stay with the account holder, and clinical detail is limited to clinical roles, with per-person grants when an office runs differently.

In place

Your patients' data rights

Audio retention and deletion: you control it.

You choose what happens to raw consult recordings. Keep them indefinitely (the default), delete them once a note is signed off, or delete them after a set number of days. Only the raw audio is ever deleted; transcripts and clinical notes are always kept as your record — and every deletion is written to your audit trail.

Recording consent and disclosure.

Eva's consult recorder confirms recording consent before a session begins. Eva also provides patient-facing disclosure wording for AI-assisted documentation and recorded consults. Consent law varies by jurisdiction, so the practice remains responsible for meeting its local requirements. Eva supports the workflow; she does not replace your legal review. (Versioned, auditable consent records and region-aware disclosure copy are being finalized — In progress.)

Data export on request.

Clinics can delete patient records today. A portable patient-data export (a data subject access request, or DSAR) is being built — In progress.

Compliance by region

Eva is built as a global, multi-clinic product. What a clinic needs from us depends on where it operates and whose law governs its patients' data. We enable a region only when the controls that region requires are real for that clinic, and we render every requirement at its true status.

Guyana and the Caribbean (CARICOM): our first markets

In progress

For clinics operating under Guyana's Data Protection Act and comparable Caribbean data-protection law, Eva's posture is:

  • Technical and organisational safeguards: encryption in transit and at rest, per-clinic isolation, and a tamper-evident audit trail. In place.
  • A data-processing agreement (DPA) between Eva and your clinic, the correct instrument here (a US-style HIPAA BAA is not the instrument this region requires). Provided on request; put in place per clinic before real patient data.
  • Patient consent and AI disclosure: explicit, specific, withdrawable consent for processing health data. Configured per clinic.
  • A lawful cross-border-transfer basis: because our stack processes data outside Guyana, we make that transfer explicit and gated, with a recorded lawful basis, rather than silent. Recorded per clinic before go-live.

A clinic reaches go-live in this region through its own instruments: a signed DPA, configured consent, and a recorded transfer basis, confirmed per clinic. None of it is assumed by default.

United States: HIPAA (on the roadmap)

In progress

Eva is designed for HIPAA-aligned deployment. The technical safeguards a HIPAA deployment relies on (encryption, per-clinic isolation, a tamper-evident audit trail, and approved-vendor controls for patient data) are in place today.

Before any US clinic processes real patient data (ePHI), signed Business Associate Agreements (BAAs) must be in place: between Eva and the clinic, and with the vendors that can touch that data. BAAs are available from our vendors; the signed BAAs, a security risk assessment, written policies, and workforce training are the remaining steps. Eva's HIPAA status today: technical safeguards in place; the signed agreements and formal assessments behind a “HIPAA compliant” or “certified” label are in progress and tracked on this page.

United Kingdom and EU: GDPR / UK GDPR (on the roadmap)

In progress

For UK and EU clinics, Eva is built toward GDPR / UK GDPR alignment with the clinic as controller and Eva as processor. Our data map and processing records exist today; a Data Processing Agreement (DPA), a data-protection impact assessment (DPIA), and a data export/erasure (DSAR) workflow are in progress. As with every region, the practice remains responsible for its own legal review.

Other regions

Clinics elsewhere are supported through a practice-specific review rather than a broad promise. Talk to us about your jurisdiction and we will tell you what is ready and what is not.

Business Associate Agreements (BAAs)

A BAA is the HIPAA instrument for US clinics. It is notrequired for clinics operating under Guyana's or other Caribbean data-protection law; there, the correct instrument is a DPA.

  • For US clinics, BAAs are available from our vendors, and Eva will put a BAA in place with your clinic when you are ready to move to real patient data.
  • No Eva BAA is signed today, and Eva does not operate in US-HIPAA production-PHI mode. BAA status is confirmed per clinic before any real patient data.

Vendors and subprocessors

Eva relies on a small set of vetted third parties for hosting, AI processing, and error monitoring, each under an appropriate agreement. AI healthcare buyers know third parties are involved; trust comes from being clear about who touches what and under what terms, and from refusing to send patient data to anything off the approved list.

Our specific architecture and vendor choices are proprietary. The full named subprocessor register (vendor names, the data each one touches, and the agreement covering it) is available to you and your compliance reviewer on request, under NDA. We do not publish the named vendor list on this page.

Documentation available on request

We prepare and provide the following to you or your compliance reviewer on request, under NDA. We show that we hold them; the contents stay request-only:

  • Data Processing Agreement (DPA)
  • Named subprocessor register
  • Security overview
  • Breach-response procedure

What's in place, and what we're still building

One live tracker. This updates as each item lands.

In place today

  • Per-clinic data isolation at the database level
  • Encryption in transit (TLS) and at rest (AES-256)
  • Approved-AI-providers-only for patient data
  • No patient data in logs or error reports
  • Tamper-evident, append-only audit trail
  • A clinician finalizes every note: Eva never auto-writes to your PMS, never diagnoses, never prescribes
  • Clinic-controlled audio retention and deletion (audio only; transcripts and notes always kept)
  • Eva's own learning is opt-in and de-identified

In progress / on the roadmap

  • Confirmed vendor no-training / zero-retention terms in signed agreements
  • Versioned, auditable recording-consent records and region-aware disclosure
  • Portable patient-data export (DSAR)
  • Signed Business Associate Agreements (BAAs) for US clinics
  • Formal breach-notification procedure
  • Regional go-live instruments per clinic: DPA, consent, and cross-border-transfer basis (Guyana/Caribbean first)

No independent certification is held yet; the regional sections above track exactly where we are.

Talk to us

Bringing Eva to your clinic or reviewing her for a group? We are happy to walk your compliance reviewer through our posture and share the documentation above under NDA.

This page reflects Eva's controls as of 2026-07-01 and is maintained as they change. It describes platform controls; each practice remains responsible for consent, disclosure, and legal compliance in its own jurisdiction. This is not legal advice.