Security & compliance

Patient trust is the product.

Built with PHI-aware safeguards: encrypted storage, row-level access controls, data minimization for AI features, and written vendor agreements before production patient use.

01 · The headline commitment

Data minimization before AI features.

AI features are limited to demo or de-identified data until vendor data-processing and retention terms are finalized. Where AI is used, we minimize inputs first and keep source facts separate from generated narration.

Patient record
  • Name · Maya R.
  • DOB · 1984-03-12
  • MRN · GS-4821
  • Glucose · 138 mg/dL
  • Steps · 4,210
Identifiers stripped before anything leaves our pipeline.

AI input · minimized
  • ✓ No name
  • ✓ No DOB
  • ✓ No MRN
  • Glucose · 138 mg/dL
  • Steps · 4,210
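As an added example (not GlucoSolutions' code), an allowlist-based minimizer in Python for the record above: only the measurement fields leave the pipeline, a second check fails closed if an identifier key or identifier-shaped value slips through, and source facts are kept separate so numbers in generated narration can be checked against them. The field names, the MRN regex and the sample record are assumptions constructed from this page.

```python
import re

# Allowlist of measurement fields that may be sent to an AI provider.
# Constructed from the page's worked example; the key names are assumptions.
AI_ALLOWED_FIELDS = frozenset({"glucose_mg_dl", "steps"})

# Direct identifiers that must never reach AI input; used for a second, defensive check.
DIRECT_IDENTIFIER_KEYS = frozenset({"name", "dob", "mrn"})
MRN_RE = re.compile(r"\bGS-\d+\b")              # assumed MRN format, from the page's "GS-4821"
DATE_RE = re.compile(r"\b\d{4}-\d{2}-\d{2}\b")  # ISO dates such as a DOB

def minimize_for_ai(record: dict) -> dict:
    """Return only allowlisted fields; anything not explicitly allowed is dropped."""
    return {k: v for k, v in record.items() if k in AI_ALLOWED_FIELDS}

def check_no_identifiers(payload: dict) -> None:
    """Fail closed if an identifier key or identifier-shaped value is still present."""
    for key, value in payload.items():
        if key.lower() in DIRECT_IDENTIFIER_KEYS:
            raise ValueError(f"identifier field {key!r} in AI input")
        text = str(value)
        if MRN_RE.search(text) or DATE_RE.search(text):
            raise ValueError(f"identifier-shaped value in field {key!r}")

def build_ai_input(record: dict) -> dict:
    """Minimize first, then verify, before anything leaves the pipeline."""
    payload = minimize_for_ai(record)
    check_no_identifiers(payload)
    return payload

def unsupported_numbers(narration: str, source_facts: dict) -> set[str]:
    """Numbers in generated narration that do not appear in the source facts.
    The source facts stay the record of truth; narration is only checked against them."""
    known = set()
    for v in source_facts.values():
        known.add(str(v))
        if isinstance(v, int):
            known.add(f"{v:,}")  # accept "4,210" as well as "4210"
    found = set(re.findall(r"\d[\d,]*\d|\d", narration))
    return {n for n in found if n not in known}

# Constructed sample record matching the page's example
PATIENT = {"name": "Maya R.", "dob": "1984-03-12", "mrn": "GS-4821",
           "glucose_mg_dl": 138, "steps": 4210}

if __name__ == "__main__":
    ai_input = build_ai_input(PATIENT)
    print(ai_input)  # {'glucose_mg_dl': 138, 'steps': 4210}
    narration = "Glucose was 138 mg/dL and the client walked 4,210 steps."
    print(unsupported_numbers(narration, ai_input))  # set()
```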

02 · How we handle PHI

The rest of our commitments.

Written agreement before real patient data

Before any real patient data is used, we put a written data protection agreement in place. You remain the health information custodian; GlucoSolutions processes patient information only on your instructions.

AI terms before production PHI use

AI features are limited to demo or de-identified data until our vendor data-processing and retention terms are finalized.

Encryption & access controls

Patient data is protected with encrypted transport and encrypted cloud storage. Access is restricted by authenticated accounts and database row-level security so dietitians only see linked clients.

Data residency

We document where patient data is hosted and disclose hosting regions before onboarding. We do not make data-residency claims unless they are contractually and technically confirmed.

Subprocessors

We maintain a current list of subprocessors, including hosting, authentication, email, analytics, and AI providers, and make it available during diligence.

What we don't do yet.

We're early, and we'd rather tell you than let you assume. Formal certifications and compliance labels are not in place yet. We do not claim HIPAA, PHIPA, or SOC 2 compliance until the underlying agreements, retention policies, incident process, and audit logging are nailed down.