Compliance & Security

Trust is not just a feature — it's our foundation.

Last updated: 15 May 2026

GDPR Ireland Compliance

Our platform is strictly aligned with the Irish Data Protection Act 2018 and the General Data Protection Regulation (GDPR). We facilitate all data subject rights including the right to access (GDPR Art 15), erasure (Art 17), data portability (Art 20), and lodge complaints with the Data Protection Commission at dataprotection.ie.

Granular patient consent management — 7 categories, accept-all or required-only paths
Article 28 Data Processing Agreements with every clinic customer
Records of Processing Activities (ROPA) per Art 30
Breach notification within 72h per Art 33 — see Breach Notification Runbook

Data Residency: Supabase Dublin (EU-West-1)

At MedPro AI, patient data at rest never leaves the European Union. Our primary and backup infrastructure is in Supabase Dublin (EU-West-1), built on AWS EU-West-1.

Primary storage in Dublin, Ireland (EU)
Encrypted backups with point-in-time recovery (35-day window)
Redundant architecture targeting 99.95% uptime
Strict adherence to HSE Information Security Policy

International Transfers (EU–US Data Privacy Framework)

The large majority of processing stays in the EU. Clinical text inference runs on Google Vertex AI inside the EU and does not flow to the US. A few narrow paths reach the United States, each governed by the EU–US Data Privacy Framework adequacy decision and signed sub-DPAs. See our Transfer Impact Assessment for full safeguards.

Clinical text inference (Brigid, clinical notes, document analysis) runs on Google Vertex AI in the EU (Gemini 3.5 Flash) — it does not leave the EEA
Real-time “Live with Brigid” voice uses Google AI Studio (US) under EU-US DPF + SCCs, with per-session explicit consent; EU-only tenants can disable it (fail-closed)
Voice-transcription failover (ElevenLabs, US) is used only when EU Google STT is unavailable, under SCCs + DPF
Primary voice transcription runs on Google Cloud EU (europe-west1) — audio never leaves the EEA
Patient opt-out of AI features under Me → What Brigid can do switches off the US transfer entirely

Encryption & PHI Security

Protected Health Information (PHI) is protected with enterprise-grade security layers. We use AES-256 encryption at rest and TLS 1.3 for all data in transit.

AES-256 hardware-level disk encryption
Immutable audit logs — 8-year retention per Irish Health Act 2014 §73
Mandatory 2FA for all staff accounts; WebAuthn for clinicians
Row-Level Security (RLS) on every PHI table; principle of least privilege

HSE & Irish Healthcare Alignment

Designed for the Irish healthcare landscape. Our system architecture is designed to align with HSE systems, the HSE Personal Information Disclosure Standard, PCRS billing protocols, and the Irish Medical Council (IMC) regulatory framework.

Aligned with the HSE Personal Information Disclosure Standard
Audit logs in formats accepted by IMC, CORU, IDCN, and NMBI
Integration-ready for HealthLink + Eircode-based addresses
Irish Health Act 2014 §73 patient confidentiality + audit retention

EU AI Act — Brigid as Human-Oversight AI

Brigid is operated as a high-risk AI system under Regulation (EU) 2024/1689 — Annex III point 5 (decision support for healthcare) plus Annex I once the medical-device CE marking completes. We maintain documentation, transparency, logging, and human-oversight controls required under Articles 12, 14, and 50.

EU AI Act Art 12 — append-only audit log of every AI inference
EU AI Act Art 14 — clinician must verify every AI output before action
EU AI Act Art 50 — patients are clearly informed they are interacting with AI (the Brigid orb)
Per-patient permission toggles enforced at the data layer — see Privacy Policy → AI Features

EU Medical Devices Regulation (MDR Class IIa)

MedPro AI is undergoing conformity assessment as a Class IIa medical device under EU MDR 2017/745, classified per Annex VIII Rule 11 (software as a medical device). See the dedicated Medical Device declaration for the current certification status and post-market surveillance approach.

MDR Annex VIII Rule 11 — software intended to drive a clinical decision is Class IIa
MDR Articles 83–86 — post-market surveillance system in place
Clinical Evaluation Plan + Risk Management File maintained per ISO 14971
Notified body engagement + UDI assignment under MDR Article 27 (certification in progress)