Privacy & Security
Updated January 21, 2025
This document addresses key concerns that enterprise customers have about deploying our AI assistant, particularly regarding data storage and usage, as well as privacy, security, and compliance. The AI assistant is designed with privacy-by-design principles and AI security best practices in accordance with EU regulations.
1. Where is data stored?
We use only EU-based data centers to provide the service.
- Norway: Physica and Psykbase Desktop
- Denmark: EasyPractice, Physica, and Psykbase Web
- Finland: Diarium
- AI functionality: AWS and Azure EU data centers
2. Is data processed outside the EU?
No. All data processing, including transcription, enrichment, and AI-generated summaries, takes place within the UK and EEA. No data is sent to the United States or other third countries.
3. Who has access to data?
Only authorized personnel have access to data. All access is logged and monitored.
4. Is patient data used for AI model training?
We do not use our customers' data to train AI models. The AI assistant uses models that have been trained on general, non-customer-specific datasets.
5. What AI models are used?
We use models hosted in AWS EU data centers. For transcription, we also use our own speech recognition models located in the UK and EEA.
6. Is data encrypted?
All data transfers are conducted through secure and encrypted connections. Customers' patient record entries are stored encrypted in secure, state-of-the-art data centers protected by both strong physical and digital security measures.
7. Can data be deleted or exported?
Yes. Therapists can delete or export transcriptions at any time.
8. Are you GDPR-compliant?
Yes. We are fully GDPR-compliant. As a processor acting on behalf of the data controller, we fulfill our key obligations, including:
- Strong data security: Extensive technical and organizational measures to protect personal data
- Confidentiality: All authorized employees are bound by strict confidentiality agreements
- Data breaches: Immediate notification procedures in case of potential breaches
- Support for GDPR obligations: We help our customers fulfill their duties to data subjects
- Cooperation with authorities: We cooperate with supervisory authorities
9. Can I get a list of all sub-processors?
Yes. We maintain a transparent sub-processor register of all vendors with access to personal data.
- All AI-related subcontractors operate in Europe
- User data is not transferred or processed outside Europe
10. What certifications and standards do you follow?
Our systems and processes are regularly audited by independent parties to ensure the highest level of data security.
Nordhealth is ISO 27001 certified.
11. How are availability and uptime ensured?
We have continuous monitoring that immediately alerts the development team if the platform loads slowly or not at all. Detected outages are handled with the highest priority. All code changes go through automated and manual testing to ensure update stability and service continuity.
12. Who owns the patient data?
The company using the service has exclusive ownership of all their patient data.
13. What happens if we stop using the AI assistant?
Data is deleted after service use ends.
14. Who has ownership and responsibility for patient notes created with the AI assistant?
The therapist is fully responsible for the accuracy and completeness of all patient record entries. While the AI assistant can help create notes, the therapist must review, confirm, and save these entries to the patient record. The AI assistant only assists in the process and does not own the data.
15. Analytics and cookies
We use Google Analytics and HubSpot to analyze website traffic. Google Analytics collects anonymous data such as the number of pages visited, visit duration, and device type used. The data is used to improve our service.
You can prevent Google Analytics data collection by installing the Google Analytics Opt-out browser extension.