Security & compliance

Clinical-grade trust, by design.

ClinixCue listens to sensitive patient conversations — so security isn't a feature, it's the foundation. EU-only infrastructure, GDPR and special-category compliance, and a strict no-retention policy on call audio.

GDPR aligned
Art. 9 special category
EU data residency
Encrypted end-to-end
No audio retention
The foundation

Four commitments we don't compromise on.

Every one is built into the architecture — not bolted on after the fact.

Regulation

GDPR & UK GDPR compliant

ClinixCue is built around the EU General Data Protection Regulation and the UK GDPR — lawful basis, data-subject rights, and data-protection-by-design at the core.

  • Clear lawful basis & Data Processing Agreement
  • Subject access, rectification & erasure honoured
  • Data Protection Impact Assessment on file
Article 9

Special-category health data

Patient health information is “special category” data under GDPR Article 9. We treat every call accordingly — with explicit safeguards, minimisation, and strict purpose limitation.

  • Processed only to coach & score the live call
  • Data minimisation — only what the cue needs
  • Never used to train shared or third-party models
Residency

EU compliance & data residency

All processing and storage happens within the European Union. Your patients' data never leaves the region, and our sub-processors are held to the same standard.

  • Hosted in EU regions (Ireland & Frankfurt)
  • No transfers outside the EEA
  • Vetted, EU-based sub-processors only
Retention

No call-audio retention

We don't keep recordings. Call audio is processed transiently to generate cues and a score, then permanently discarded. What remains is the structured outcome — never the raw voice.

  • Audio never written to long-term storage
  • Transient processing in memory only
  • Only the QA score & compliance flags persist
Data lifecycle

The audio is gone before the call is.

ClinixCue listens just long enough to help. The voice stream is processed in memory to produce a cue and a score — then purged. Nothing is recorded, nothing is warehoused, nothing is left to leak.

Watch a call move through the pipeline →

Live call · data pipelineprocessing
Live audio
in memory
Analyse
cue + score
Keep result
score only
Purge
permanent
Raw audio is discarded within seconds — only the structured QA score & compliance flags are stored.
In detail

The compliance register.

Plain-English answers to what your Data Protection Officer will ask.

GDPR · Art. 6 & 28

Lawful basis & processor role

ClinixCue acts as a data processor on behalf of your practice (the controller), under a signed Data Processing Agreement. Processing rests on your lawful basis for managing patient care and legitimate interests in service quality.
GDPR · Art. 9

Special-category safeguards

Health data receives Article 9 protections: explicit safeguards, strict purpose limitation to live coaching and QA, data minimisation, and no use of patient content to train shared models.
EU · residency

Where data lives

All storage and processing occurs within the EU (Ireland & Frankfurt regions). There are no transfers outside the EEA, and all sub-processors are EU-based and contractually bound to equivalent terms.
Retention

No audio retention

Call audio is processed transiently in memory and never written to durable storage. Only the resulting QA score and compliance flags persist. Practices can export or delete their structured data at any time.
Rights

Data-subject requests

We support access, rectification, and erasure requests routed through your practice, with defined SLAs. Because audio isn't retained, the erasure surface is intentionally tiny.
Security infrastructure

Hardened, end to end.

Defence in depth across the stack, monitored continuously.

Encryption everywhere

TLS 1.3 in transit and AES-256 at rest. Keys managed in a hardware security module with strict rotation.

Least-privilege access

Role-based access control, SSO, and mandatory MFA. Every access to data is logged and auditable.

Continuous monitoring

Real-time intrusion detection, anomaly alerting, and centralised, tamper-evident audit logging.

Isolated tenancy

Logical isolation between practices, with segmented networks and per-tenant access boundaries.

Tested & assured

Independent penetration testing, secure SDLC, and vulnerability management with defined remediation SLAs.

Resilience & recovery

EU-region redundancy, encrypted backups of structured data, and a tested incident-response plan.

Questions

What teams ask us most.

Do you record our patient calls?

No. Call audio is processed transiently to generate cues and a score, then permanently discarded. We never write recordings to durable storage.

Could our patients' data ever leave the EU?

No. All processing and storage stays within EU regions, and every sub-processor is EU-based and contractually bound to the same residency terms.

Do you use our calls to train your AI?

No patient content is used to train shared or third-party models. Special-category health data is strictly purpose-limited to coaching and scoring the live call.

Are you a controller or a processor?

A processor. Your practice remains the data controller; we process on your behalf under a Data Processing Agreement, with you in control of data-subject requests.

Can we get the documentation for our DPO?

Yes — DPA, sub-processor list, DPIA support, and our security overview are available on request. Just ask your account contact.

Talk to us

Bring your security team. We'll bring the answers.

Get our full security overview and DPA, or walk through the architecture with our team.

Request security pack → About ClinixCue