Trust Centre
Security, UK GDPR, and AI limitations.
One page for procurement, DPOs, and clinical-risk teams: how MedCase handles medical records, what UK GDPR support looks like in practice, and where AI ends and qualified human review begins.
Encryption at rest: AES-256-GCM
Data hosted in: Europe
Registered with: UK ICO
Used to train AI: No
Data security
How MedCase handles your records.
Encryption at rest
AES-256-GCM with per-record nonce and 128-bit authentication tag for tamper detection.
European hosting
All data stored and processed within Europe.
Access controls
Organisation-based access with optional case-level visibility, role-based controls, and authenticated audit trails.
Audit logging
Every record access, analysis run, and case action is logged for review.
Platform safeguards
Rate limiting, CSRF protection, and security headers across all surfaces.
No training on records
AI providers used by MedCase are configured to disable training on submitted prompts and outputs.
UK GDPR
Built to support UK GDPR requirements.
PII sanitisation, audit logging, and European hosting underpin how we process medical records in the context of legal claims.
Lawful basis (Article 6)
Article 6(1)(f) legitimate interest in the context of legal claims, or another applicable Article 6 basis identified by the controller.
Special category (Article 9)
Article 9(2)(f), establishment, exercise, or defence of legal claims, for clinical negligence assessment.
Controller / processor
The firm or organisation that uploads records is typically the controller; MedCase acts as processor under a DPA.
Data minimisation
PII sanitisation removes direct identifiers before any text reaches an AI provider.
PII sanitisation
Three layers, before any AI sees the record.
Direct identifiers are replaced with placeholder tags so the AI sees the clinical content, not the patient.
01 Microsoft Presidio
Enterprise PII detection engine for names, dates, locations, contact details, and similar entities.
02 spaCy NER
Named entity recognition catches person, organisation, and location entities that pattern matching alone may miss.
03 UK medical regex
30+ patterns tuned for NHS numbers, GMC numbers, UK postcodes, NHS trust names, and similar identifiers.
Result
Output: [PATIENT], DOB [DATE], NHS No: [NHS_NUMBER], seen at [HOSPITAL]
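A sketch of what the third (regex) layer could look like, as an added example rather than MedCase's own code. The three patterns, the [POSTCODE] tag, the label-based fallback, and the sample line are assumptions made for illustration; only the [NHS_NUMBER] and [DATE] tags appear on this page.

```python
import re

# Constructed patterns: assumptions for illustration, not MedCase's rule set.
NHS_RE = re.compile(
    r"(NHS\s*(?:No\.?|number)?\s*:?\s*)?\b(\d{3})[ -]?(\d{3})[ -]?(\d{4})\b", re.I)
POSTCODE_RE = re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s?\d[A-Z]{2}\b")
DATE_RE = re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b")


def nhs_checksum_ok(digits):
    """NHS number modulus-11 check: weights 10..2 over the first nine digits."""
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - total % 11
    if check == 11:
        check = 0
    return check != 10 and check == int(digits[9])


def sanitise(text):
    """Return (sanitised_text, counts per placeholder tag)."""
    counts = {}

    def bump(tag):
        counts[tag] = counts.get(tag, 0) + 1
        return f"[{tag}]"

    def nhs_repl(m):
        label, digits = m.group(1) or "", "".join(m.group(2, 3, 4))
        # Redact when the checksum passes, or when an "NHS" label precedes the
        # digits: a mistyped number fails the checksum but still identifies.
        if label or nhs_checksum_ok(digits):
            return label + bump("NHS_NUMBER")
        return m.group(0)  # unlabelled 10-digit value that is not an NHS number

    text = NHS_RE.sub(nhs_repl, text)
    text = DATE_RE.sub(lambda m: bump("DATE"), text)
    text = POSTCODE_RE.sub(lambda m: bump("POSTCODE"), text)
    return text, counts


# Constructed sample line; 943 476 5919 is a checksum-valid example number.
SAMPLE = ("DOB 12/03/1961, NHS No: 943 476 5919, home LS1 3EX, "
          "lab ref 1234567890, NHS number 1234567890")

if __name__ == "__main__":
    print(sanitise(SAMPLE))
```

The per-tag counts are returned so a sanitisation run can be recorded in an audit log without storing the identifiers themselves.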
AI limitations and human review
MedCase is an analytical aid, not a decision.
MedCase uses AI to assist in the review of medical records against established clinical standards. The output is an analytical aid for qualified legal and medical professionals. It does not constitute medical advice, a diagnosis, a legal opinion, or a determination of negligence. All outputs should be reviewed and verified by a qualified solicitor and/or medical professional before use in any legal matter.
Findings are presented with severity scores (1 to 10) to help prioritise professional review, not to determine negligence or causation. Every finding includes an evidence quote, a protocol reference, and a page citation so a reviewer can verify the underlying source.
Customer records used to train AI
No.
Model training policy
Your records are not used to train models.
Customer records are processed solely to produce the analysis for the customer that uploaded them. AI providers used by MedCase are configured to disable training on submitted prompts and outputs.
Data retention
Retention you can configure.
7 years
Default retention, aligned with typical clinical negligence limitation periods.
Configurable
Shorter or longer retention can be agreed in the DPA per organisation.
Deletion on request
Case-level deletion supported. Right-to-erasure requests actioned within the DPA timelines.
End of contract
Records exported on request and deleted in line with the contractual handover schedule.
Subprocessors
Named subprocessors and transfer safeguards.
MedCase uses a small number of named subprocessors. PII sanitisation runs before any text is sent to AI providers. Where data leaves the UK or EEA, transfers are protected by EU Standard Contractual Clauses and the UK International Data Transfer Addendum.
| Subprocessor | Purpose | Country | Transfer safeguard |
|---|---|---|---|
| Anthropic | Large language model (Claude) for protocol analysis and AI case chat | United States | EU SCCs and UK IDTA addendum; PII sanitised before any data is sent |
| OpenAI | Embeddings for semantic search over protocols and records | United States | EU SCCs and UK IDTA addendum; PII sanitised before any data is sent |
| AWS (Europe regions) | Cloud hosting and storage for application and encrypted records | European Union (Ireland) | EU/UK hosted; no transfer outside Europe |
| Stripe | Subscription billing and payment processing | Ireland / United States | EU SCCs and UK IDTA addendum; payment data only, no medical records |
| Resend | Transactional email delivery | United States | EU SCCs and UK IDTA addendum; contact data only, no medical records |
| Sentry | Error monitoring and observability | United States | EU SCCs and UK IDTA addendum; PII scrubbing enabled at SDK level |
Subprocessor changes are notified to customers via the contact email on the account. The current authoritative list is in the DPA; mail hello@medcase.ai if you need a signed copy.
DPA and DPIA support
For procurement and InfoSec.
DPA
Available on all plans, on request. Mail hello@medcase.ai with your firm name and we will share the template.
DPIA support
We are happy to support a customer-led DPIA with technical detail, risk descriptions, and mitigations.
Security questionnaires
Procurement and InfoSec questionnaires are handled by our team. Allow about 5 working days for completion.
Automated decision-making
No solely automated decisions about claimants.
MedCase outputs are decision-support for qualified legal and medical professionals. They do not constitute solely automated legal or similarly significant decisions about claimants within the meaning of UK GDPR Article 22. A qualified solicitor and/or medical professional reviews and verifies findings before any case decision is made.
Certifications and roadmap
What's in place and what's next.
ICO registration
Registered with the UK Information Commissioner's Office. Reference provided in the DPA on request.
Cyber Essentials
On the security roadmap for the next 12 months.
Cyber Essentials Plus
On the security roadmap following Cyber Essentials certification.
ISO 27001 / SOC 2
Being evaluated for formal certification as the customer base grows. Mapped controls and policies are available under NDA in the meantime.
Resilience and disaster recovery
Backups, restore testing, and recovery objectives.
Backups
Encrypted, automated backups taken daily and stored in a separate European region.
Restore testing
Restore tests performed periodically to verify backup integrity.
RTO / RPO
Target Recovery Time Objective: 24 hours. Target Recovery Point Objective: 24 hours. Detail in the DPA on request.
Multi-region failover
Application infrastructure is recoverable into a separate European region in the event of a primary region outage.
Vulnerability management
Testing cadence and responsible disclosure.
Penetration testing
Annual third-party penetration testing of the production environment.
Vulnerability scanning
Continuous dependency and container scanning in CI; production scanning on a defined cadence.
Responsible disclosure
Report suspected vulnerabilities to security@medcase.ai. We respond within 2 working days and coordinate remediation in good faith.
ICO registration
Registered with the UK ICO.
The current registration reference is provided in our DPA and on request from hello@medcase.ai.
Incident response
Aligned to Article 33 timelines.
We follow a documented incident response process. Notification timelines align with UK GDPR Article 33 (without undue delay and, where feasible, within 72 hours of awareness). Report suspected incidents to hello@medcase.ai.
Contact
DPO-equivalent and procurement contact.
For DPA requests, DPIA support, subprocessor information, ICO references, security questionnaires, or vulnerability disclosure.
MedCase has appointed an internal data-protection lead reachable at privacy@medcase.ai. A formal DPO can be appointed on request for enterprise customers under DPA.
Need a DPA or InfoSec review?
Mail hello@medcase.ai and we'll send the DPA, subprocessor list, and questionnaire pack within one working day.