Data Processing Agreement
Last updated: January 2026
This Data Processing Agreement ("DPA") forms part of the agreement between the Customer and Digital Envision LLC (trading as MedCase AI) for the provision of the MedCase AI platform.
This DPA is entered into pursuant to Article 28 of the UK GDPR and sets out the terms on which MedCase AI processes personal data on behalf of the Customer.
1. Definitions
| Term | Meaning |
|---|---|
| Controller | The Customer — the organisation that uploads medical records and instructs the processing |
| Processor | Digital Envision LLC, trading as MedCase AI |
| Data Subject | The individual whose personal data is contained in the medical records |
| Personal Data | Any information relating to an identified or identifiable natural person, as defined in the UK GDPR |
| Special Category Data | Data concerning health, as defined in Article 9 of the UK GDPR |
| Processing | Any operation performed on personal data, including collection, recording, organisation, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction |
| Sub-Processor | A third party engaged by the Processor to process personal data on behalf of the Controller |
| UK GDPR | The General Data Protection Regulation as incorporated into UK law by the Data Protection Act 2018 and the European Union (Withdrawal) Act 2018 |
2. Scope and Roles
2.1. The Customer (Controller) determines the purposes and means of processing medical record data. The Customer decides which medical records to upload, which protocols to analyse against, and how to use the resulting analysis.
2.2. MedCase AI (Processor) processes medical record data solely on the Controller's instructions and for the purpose of providing the MedCase AI platform services.
2.3. This DPA applies to all personal data processed by MedCase AI on behalf of the Customer through the Platform, including:
- Medical records uploaded by the Customer
- Text extracted from medical records
- Sanitised text (with PII removed)
- Analysis outputs (compliance findings, medical timeline, AI chat responses)
- Any personal data incidentally contained in the above
3. Subject Matter and Duration
| Item | Description |
|---|---|
| Subject matter | Processing of medical record data for clinical negligence compliance analysis |
| Duration | For the term of the Customer's subscription, plus any applicable retention period |
| Nature of processing | Text extraction, OCR, PII sanitisation, AI-powered compliance analysis, vector embedding, semantic search, chat-based querying |
| Purpose | To provide the Customer with protocol compliance analysis, medical timeline extraction, actionable findings, and AI-assisted case review |
| Categories of data subjects | Patients whose medical records are uploaded by the Customer |
| Types of personal data | Health data (medical records), names, NHS numbers, dates of birth, addresses, and other identifiers present in medical records (note: PII is sanitised before AI processing) |
| Special category data | Health data (Article 9 UK GDPR) |
4. Controller Obligations
The Controller shall:
4.1. Ensure it has a valid lawful basis for processing the medical record data, including a condition for processing special category data under Article 9 of the UK GDPR.
4.2. Ensure it has obtained any necessary consents or has another lawful basis for uploading medical records to the Platform.
4.3. Inform data subjects about the processing of their data in accordance with Articles 13 and 14 of the UK GDPR, where applicable.
4.4. Ensure that any instructions given to the Processor comply with applicable data protection legislation.
4.5. Maintain a record of processing activities as required by Article 30 of the UK GDPR.
5. Processor Obligations
MedCase AI shall:
5.1. Process personal data only on the documented instructions of the Controller, unless required to do so by law. The Controller's instructions are set out in this DPA and through the Customer's use of the Platform features.
5.2. Ensure that persons authorised to process personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
5.3. Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- AES-256-GCM encryption of all medical record data at rest
- TLS encryption of all data in transit
- Triple-layer PII sanitisation (Microsoft Presidio, spaCy NER, custom regex) before transmitting data to AI sub-processors
- bcrypt password hashing for user credentials
- Rate limiting on authentication and upload endpoints
- CSRF protection on all state-changing requests
- Comprehensive security headers (CSP, HSTS, X-Frame-Options, cache control)
- Two-factor authentication for admin accounts
- Access controls based on organisation membership and role
5.4. Not engage another processor (sub-processor) without prior written authorisation from the Controller. The Controller provides general authorisation for the sub-processors listed in Section 7. MedCase AI shall inform the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object.
5.5. Assist the Controller in responding to requests from data subjects exercising their rights under the UK GDPR, including rights of access, rectification, erasure, restriction, portability, and objection.
5.6. Assist the Controller in ensuring compliance with the obligations relating to security of processing, notification of personal data breaches, data protection impact assessments, and prior consultation, taking into account the nature of processing and the information available to the Processor.
5.7. At the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of services, and delete existing copies unless storage is required by law.
5.8. Make available to the Controller all information necessary to demonstrate compliance with Article 28 of the UK GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. MedCase AI shall immediately inform the Controller if, in its opinion, an instruction infringes the UK GDPR or other data protection provisions.
6. PII Sanitisation — Technical Measures
Before any medical record text is transmitted to AI sub-processors (OpenRouter/Anthropic and OpenAI), MedCase AI applies the following PII sanitisation process:
Layer 1: Microsoft Presidio
Enterprise-grade PII detection with the following configuration:
- Language model: spaCy en_core_web_lg
- Detection threshold: 0.3 (aggressive)
- Entity types detected: person names, email addresses, phone numbers, NHS numbers, credit card numbers, dates, IBAN codes, IP addresses, locations, medical licence numbers, URLs, nationalities, national insurance numbers, passport numbers, and others
Layer 2: spaCy Named Entity Recognition
Independent NER analysis detecting: person names, organisation names, geographic locations, dates and times, monetary values, nationalities, and other named entities.
Layer 3: Custom Regex Patterns
30+ regular expression patterns tuned for UK medical records, detecting: NHS numbers, UK postcodes, UK phone numbers, dates of birth, age references, hospital numbers, medical record numbers, GMC/NMC numbers, national insurance numbers, driving licence numbers, bank details, full addresses, named persons with titles, consultant and GP references, and next of kin references.
Result
After sanitisation, text transmitted to AI sub-processors contains only anonymised clinical narratives with type-labelled placeholders (e.g., [PERSON], [NHS_NUMBER], [DATE]). No raw patient-identifiable information is transmitted to external services.
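The regex layer described above, shown as an added example that is not MedCase AI's own code: a single Python pass over a constructed sample record that replaces UK identifiers with type-labelled placeholders of the kind the Result paragraph describes. The pattern set, the placeholder labels, the NHS mod-11 check-digit test, the decision to redact a 10-digit run that fails that check as a generic [ID_NUMBER], and the residual-identifier guard are all assumptions about how such a layer could be built; the Presidio and spaCy NER layers that run alongside it on the platform are not reproduced here.

```python
"""
Illustrative regex-only PII sanitiser for UK medical record text.

Added example, not MedCase AI's code. Pattern names, placeholder labels and
the sample record are constructed for the demonstration.
"""
import re
from collections import Counter

MONTHS = r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Sept|Oct|Nov|Dec)[a-z]*"

# Ordered: earlier patterns win, so 10-digit NHS numbers are consumed before
# the looser phone pattern can see them.
PATTERNS = [
    ("NHS_CANDIDATE", re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{4}\b")),
    ("NI_NUMBER", re.compile(r"\b[A-Z]{2} ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b")),
    ("PHONE", re.compile(r"(?:\+44 ?\d{2,4}|\b0\d{2,4})[ -]?\d{3,4}[ -]?\d{3,4}\b")),
    ("POSTCODE", re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]? ?\d[A-Z]{2}\b")),
    ("ADDRESS", re.compile(
        r"\b\d{1,4}[A-Za-z]? [A-Z][a-z]+ (?:Street|Road|Avenue|Lane|Close|Drive|Way)\b")),
    ("DATE", re.compile(
        r"\b(?:\d{4}-\d{2}-\d{2}"
        r"|\d{1,2}[/.\-]\d{1,2}[/.\-]\d{2,4}"
        r"|\d{1,2}(?:st|nd|rd|th)? " + MONTHS + r" \d{4})\b")),
    # Lookahead keeps the "-year-old" suffix so the clinical phrase stays readable.
    ("AGE", re.compile(r"\b\d{1,3}(?=[ -](?:year|yr)s?[ -]old\b)", re.IGNORECASE)),
    ("PERSON", re.compile(
        r"\b(?:Dr|Mr|Mrs|Ms|Miss|Prof|Professor|Sister|Nurse)\.? "
        r"[A-Z][a-z]+(?:[-'][A-Z][a-z]+)?(?: [A-Z][a-z]+(?:[-'][A-Z][a-z]+)?)?")),
]


def nhs_checksum_ok(digits: str) -> bool:
    """Mod-11 check digit used by NHS numbers: weights 10..2 over the first 9 digits."""
    if len(digits) != 10 or not digits.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    if check == 10:
        return False  # no valid NHS number yields a check value of 10
    return check == int(digits[9])


def sanitise(text: str):
    """Return (sanitised_text, counts) where counts maps placeholder label -> hits."""
    counts = Counter()

    def label_for(name, match):
        if name == "NHS_CANDIDATE":
            digits = re.sub(r"\D", "", match.group(0))
            # Aggressive setting (assumption): a 10-digit run that fails the
            # checksum is still redacted, but labelled generically so reviewers
            # can tell it apart from a verified NHS number.
            return "NHS_NUMBER" if nhs_checksum_ok(digits) else "ID_NUMBER"
        return name

    for name, pattern in PATTERNS:
        def repl(m, name=name):
            label = label_for(name, m)
            counts[label] += 1
            return f"[{label}]"
        text = pattern.sub(repl, text)
    return text, dict(counts)


# Post-sanitisation guard: long digit runs or postcode shapes that survived.
RESIDUAL = re.compile(r"\d{6,}|\b[A-Z]{1,2}\d[A-Z\d]? ?\d[A-Z]{2}\b")


def residual_identifiers(text: str):
    """Identifier-shaped fragments left after sanitisation (should be empty)."""
    return RESIDUAL.findall(text)


# Constructed sample record; 943 476 5919 passes the mod-11 check, 123 456 7890 does not.
SAMPLE = (
    "Patient Mr John Smith (NHS 943 476 5919, DOB 14/03/1958, 65-year-old) "
    "of 12 Grey Street, Newcastle NE1 6AE was reviewed by Dr Patel on 2 March 2024. "
    "Hospital no. 123 456 7890. Contact 07700 900123. NI QQ 12 34 56 C."
)

if __name__ == "__main__":
    cleaned, hits = sanitise(SAMPLE)
    print(cleaned)
    print(hits)
    print("residual identifiers:", residual_identifiers(cleaned))
```

Running the block on the constructed sample yields a narrative in which every identifier has become a placeholder while the clinical wording around it survives; the residual guard is the kind of second check worth keeping in front of any outbound call, because a regex layer is only as good as its pattern coverage and a failed guard should block transmission rather than log and continue.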
7. Approved Sub-Processors
The Controller provides general authorisation for the following sub-processors:
| Sub-Processor | Purpose | Data Processed | Location | Safeguards |
|---|---|---|---|---|
| Hetzner Online GmbH | Infrastructure hosting | All platform data (encrypted at rest with AES-256-GCM) | Germany / Finland (EU) | EU-based, ISO 27001 certified |
| OpenRouter / Anthropic | AI analysis (Claude Sonnet 4) | PII-sanitised medical record text only | United States | Standard Contractual Clauses; only receives anonymised text |
| OpenAI | Vector embeddings (text-embedding-3-small) | PII-sanitised text chunks only | United States | Standard Contractual Clauses; only receives anonymised text |
| Stripe, Inc. | Payment processing | Billing data (no medical record data) | United States | PCI DSS Level 1; Standard Contractual Clauses |
| Resend | Transactional email delivery | Email addresses, names, email content (no medical record data) | United States | Standard Contractual Clauses |
| Sentry | Error monitoring | Error data, stack traces (no medical record content) | United States | Standard Contractual Clauses |
MedCase AI shall notify the Controller by email at least 30 days before engaging a new sub-processor or replacing an existing one. If the Controller objects to the change, the parties shall discuss the objection in good faith. If no resolution is reached, the Controller may terminate the agreement.
8. International Transfers
8.1. Medical record data is primarily stored and processed on Hetzner infrastructure located in the EU (Germany/Finland).
8.2. PII-sanitised text (containing no patient-identifiable information) is transmitted to AI sub-processors located in the United States for the sole purpose of generating compliance analysis and embeddings.
8.3. For any transfer of personal data to a country outside the UK that is not subject to an adequacy decision, MedCase AI relies on Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office, supplemented by additional technical measures (encryption, PII sanitisation) where appropriate.
9. Data Breach Notification
9.1. MedCase AI shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting the Controller's data.
9.2. The notification shall include:
- A description of the nature of the breach, including the categories and approximate number of data subjects and records concerned
- The name and contact details of the data protection point of contact
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects
9.3. MedCase AI shall cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of the breach.
10. Data Subject Rights
10.1. MedCase AI shall assist the Controller in responding to requests from data subjects to exercise their rights under the UK GDPR, including:
- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure (Article 17)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20)
- Right to object (Article 21)
10.2. If MedCase AI receives a request directly from a data subject, it shall promptly inform the Controller and shall not respond to the data subject directly unless instructed to do so by the Controller or required by law.
10.3. The Platform provides the Controller with self-service tools for data deletion (case deletion), which permanently removes all medical record data, analysis outputs, and associated records.
11. Data Retention and Deletion
11.1. Medical record data is retained for a default period of 7 years from case creation, unless the Controller configures a different retention period or requests earlier deletion.
11.2. When a case is deleted (by user action or at the end of the retention period), the following is permanently and irreversibly removed:
- All extracted medical record text
- All text chunks and vector embeddings
- All compliance analysis results
- All findings
- All AI chat messages and responses
- The uploaded PDF file (if stored)
- All associated usage and processing records
11.3. Deletion is logged with a timestamp and reason for audit purposes.
11.4. Upon termination of the agreement, the Controller may request deletion of all data. MedCase AI shall delete all personal data within 30 days of such request, unless retention is required by applicable law.
12. Audit Rights
12.1. MedCase AI shall make available to the Controller all information necessary to demonstrate compliance with this DPA and Article 28 of the UK GDPR.
12.2. The Controller (or an independent auditor appointed by the Controller) may conduct audits of MedCase AI's data processing activities, subject to:
- Reasonable advance notice (at least 30 days)
- Audit scope limited to matters relevant to this DPA
- The auditor being bound by appropriate confidentiality obligations
- Audits being conducted during normal business hours and in a manner that minimises disruption
12.3. MedCase AI may satisfy audit requests by providing relevant certifications, audit reports, or other documentation that reasonably demonstrates compliance.
13. Liability
The liability of each party under this DPA is subject to the limitations and exclusions set out in the Terms of Service.
14. Term and Termination
14.1. This DPA shall remain in effect for the duration of the Customer's subscription and for as long as MedCase AI processes personal data on behalf of the Controller.
14.2. Upon termination of the subscription, MedCase AI shall, at the Controller's choice, delete or return all personal data and delete existing copies, except where retention is required by applicable law.
15. Governing Law
This DPA is governed by and construed in accordance with the laws of England and Wales. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.
16. Contact
For DPA-related enquiries:
- Data Protection Contact: privacy@medcase.ai
- General: hello@medcase.ai
- Address: Digital Envision LLC, Newcastle Upon Tyne, United Kingdom