Compliance & Security

Trust is not just a feature — it's our foundation.

Last updated: 15 May 2026

GDPR Ireland Compliance

Our platform is aligned with the Irish Data Protection Act 2018 and the General Data Protection Regulation (GDPR). We support all data subject rights, including the right of access (GDPR Art 15), erasure (Art 17), data portability (Art 20), and the right to lodge a complaint with the Data Protection Commission (Art 77) at dataprotection.ie.

Granular patient consent management — 7 categories, accept-all or required-only paths
Article 28 Data Processing Agreements with every clinic customer
Records of Processing Activities (ROPA) per Art 30
Breach notification within 72h per Art 33 — see Breach Notification Runbook

Data Residency: Supabase Dublin (EU-West-1)

At MedPro AI, patient data at rest never leaves the European Union. Our primary and backup infrastructure is in Supabase Dublin (EU-West-1), built on AWS EU-West-1.

Primary storage in Dublin, Ireland (EU)
Encrypted backups with point-in-time recovery (35-day window)
Redundant architecture targeting 99.95% uptime
Strict adherence to HSE Information Security Policy

International Transfers (EU–US Data Privacy Framework)

Most processing stays in the EU. Two narrowly scoped flows go to the United States, both governed by the EU–US Data Privacy Framework adequacy decision and by signed sub-processor DPAs. See our Transfer Impact Assessment for the full list of safeguards.

Anthropic Claude (US) — AI text inference under EU-US DPF + Article 28 sub-DPA, no-training, zero-retention
Google Gemini (US) — AI text inference under same DPF + sub-DPA terms
Voice transcription runs on Google Cloud EU (europe-west1) — audio never leaves the EEA
Patients who opt out of AI features (Me → What Brigid can do) stop the US transfer of their data entirely

Encryption & PHI Security

Protected Health Information (PHI) is encrypted at rest with AES-256 and in transit with TLS 1.3. Encryption at rest protects stored media; who may read a given row through the database is controlled separately by Row-Level Security and role grants, listed below.

AES-256 disk-level encryption at rest for primary storage and backups
Immutable audit logs — 8-year retention per Irish Health Act 2014 §73
Mandatory 2FA for all staff accounts; WebAuthn for clinicians
Row-Level Security (RLS) on every PHI table; principle of least privilege

HSE & Irish Healthcare Alignment

Designed for the Irish healthcare landscape. Our system architecture supports integrations with HSE systems and aligns with the HSE Personal Information Disclosure Standard, PCRS billing protocols, and the Irish Medical Council (IMC) regulatory framework.

Aligned with the HSE Personal Information Disclosure Standard
Audit logs in formats accepted by IMC, CORU, IDCN, and NMBI
Integration-ready for HealthLink + Eircode-based addresses
Irish Health Act 2014 §73 patient confidentiality + audit retention

EU AI Act — Brigid as Human-Oversight AI

Brigid is operated as a high-risk AI system under Regulation (EU) 2024/1689. The primary route is Article 6(1) with Annex I: Regulation (EU) 2017/745 (MDR) is listed Union harmonisation legislation, and a Class IIa device requires third-party conformity assessment. Where Brigid is used in the context of access to healthcare services, Annex III point 5 applies as well. We maintain the logging, human-oversight, and transparency controls required under Articles 12, 14, and 50.

EU AI Act Art 12 — append-only audit log of every AI inference
EU AI Act Art 14 — clinician must verify every AI output before action
EU AI Act Art 50 — patients are clearly informed they are interacting with AI (the Brigid orb)
Per-patient permission toggles enforced at the data layer — see Privacy Policy → AI Features
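The two data-layer claims above ("Row-Level Security on every PHI table" in the Encryption section, and "per-patient permission toggles enforced at the data layer" plus the "append-only audit log" here) share one mechanism on Postgres/Supabase. The SQL below is an added illustration of that pattern, not MedPro AI's schema or code: every table, column, role name (`ai_inference`) and policy name is hypothetical, and it assumes Supabase's built-in `authenticated` role and `auth.uid()` function.

```sql
-- Added illustration, not the platform's own schema. Hypothetical tables,
-- roles and policies showing how a per-patient AI toggle is enforced by
-- Row-Level Security (RLS) and how an audit log is kept append-only.

-- Per-patient toggle: what the patient has allowed the AI to do.
create table patient_ai_consent (
  patient_id         uuid primary key,
  allow_ai_inference boolean not null default false,
  updated_at         timestamptz not null default now()
);

-- A PHI table. ENABLE turns RLS on; FORCE makes the table owner obey it too.
create table clinical_notes (
  id           bigserial primary key,
  patient_id   uuid not null references patient_ai_consent(patient_id),
  clinician_id uuid not null,
  body         text not null
);
alter table clinical_notes enable row level security;
alter table clinical_notes force row level security;
alter table patient_ai_consent enable row level security;
alter table patient_ai_consent force row level security;

-- Clinicians (Supabase 'authenticated' role) see only notes they authored;
-- auth.uid() is the JWT subject of the caller. Caseload logic is omitted.
create policy clinician_reads_own_notes on clinical_notes
  for select to authenticated
  using (clinician_id = auth.uid());

-- Patients may read and change their own toggle (assumes patient_id equals
-- the authenticated user's id; hypothetical simplification).
create policy patient_manages_own_consent on patient_ai_consent
  for all to authenticated
  using (patient_id = auth.uid())
  with check (patient_id = auth.uid());

-- The AI worker connects as a dedicated low-privilege role, NOT with the
-- Supabase service_role key (which bypasses RLS). Hypothetical role name.
create role ai_inference nologin;
grant select on clinical_notes, patient_ai_consent to ai_inference;
create policy ai_reads_consent on patient_ai_consent
  for select to ai_inference using (true);

-- Opt-out enforced at the data layer: the worker's policy joins to the
-- toggle, so a patient with allow_ai_inference = false has no visible rows.
create policy ai_reads_only_consented on clinical_notes
  for select to ai_inference
  using (exists (select 1 from patient_ai_consent p
                 where p.patient_id = clinical_notes.patient_id
                   and p.allow_ai_inference));

-- Append-only inference log: insert-only grants plus a trigger that
-- rejects UPDATE/DELETE/TRUNCATE even if broader grants appear later.
create table ai_audit_log (
  id              bigserial primary key,
  at              timestamptz not null default now(),
  actor           text not null default current_user,
  patient_id      uuid not null,
  model           text not null,
  prompt_sha256   bytea not null,
  response_sha256 bytea not null
);
grant insert, select on ai_audit_log to ai_inference;
grant usage on sequence ai_audit_log_id_seq to ai_inference;

create or replace function reject_mutation() returns trigger
language plpgsql as $$
begin
  raise exception 'ai_audit_log is append-only';
end $$;

create trigger ai_audit_log_no_update_delete
  before update or delete on ai_audit_log
  for each row execute function reject_mutation();
create trigger ai_audit_log_no_truncate
  before truncate on ai_audit_log
  for each statement execute function reject_mutation();
```

Two caveats a reviewer would check: policy subqueries run with the caller's privileges, so the worker needs a policy on `patient_ai_consent` as well as on `clinical_notes` (without `ai_reads_consent` the EXISTS check would see no rows and silently hide everything); and a trigger only stops mutations by roles that cannot drop it, so a log that must survive a compromised owner or superuser has to be shipped to a write-once store outside the database.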

EU Medical Devices Regulation (MDR Class IIa)

MedPro AI is CE-marked as a Class IIa medical device under Regulation (EU) 2017/745 (MDR), classified per Annex VIII Rule 11 (software as a medical device). See the dedicated Medical Device declaration for our notified body, UDI, and post-market surveillance.

MDR Annex VIII Rule 11 — software intended to provide information used to take diagnostic or therapeutic decisions is Class IIa, rising to Class IIb if those decisions may cause serious deterioration or surgical intervention, and Class III if they may cause death or irreversible deterioration
MDR Articles 83–86 — post-market surveillance system in place
Clinical Evaluation Plan per MDR Article 61 and Annex XIV; Risk Management File per ISO 14971
Notified body certification + UDI under MDR Article 27 (pending public registration)