Confiance & conformité, sans détour
Construit sur un socle de
Chiffrement par défaut. Résidence des données dans l'UE. Chaîne d'audit infalsifiable. BAA disponible avant PHI.

Trust Center

Security, compliance, and transparency  ·  security@chirovault.ai

ChiroVault is built for healthcare environments where patient data, clinical accountability, and regulatory compliance are non-negotiable. This page documents our security architecture, our current compliance posture, and an honest roadmap toward formal third-party certifications.

What "designed to" and "aligned with" mean here

We are not yet third-party certified under ISO 27001 or NEN 7510. Those certifications require 12–18 months of audited operation. We have designed and implemented the controls these standards require, and we are actively working toward formal certification. We label each item below with its actual status so procurement teams can assess accurately.

Compliance Posture

GDPR / AVG Framework implemented. GDPR-aligned controller/processor structure in place. Data processing agreements (DPA) on the compliance roadmap — contact us to discuss your requirements.
HIPAA — BAA Available HIPAA-aligned technical safeguards for covered entities (TLS 1.3, AES-256, audit logs, RLS). BAA execution on the roadmap — contact us to discuss your requirements. See HIPAA page.
ISO 27001 — In Progress Security management controls aligned to ISO/IEC 27001:2022. Risk register, access governance, incident handling, and logging implemented. Formal certification audit targeted for 2026–2027.
NEN 7510 / 7512 / 7513 Dutch healthcare information security standards. Architecture and access controls designed to NEN 7510 requirements. NEN assessment planned for 2027. Current controls documented and available for review.
WGBO Workflows designed to support patient rights, informed consent, 20-year record retention, and practitioner accountability obligations under Dutch medical treatment law.
SOC 2 Type II — Planned SOC 2 Type II audit planned as customer base grows. Enterprise customers can request our current security questionnaire and control evidence in the interim.

Technical Security Controls

The following controls are operationally implemented. They can be verified through our security questionnaire and, for enterprise customers, through direct technical review.

  • Encryption in transit: TLS 1.3 enforced on all endpoints.
  • Encryption at rest: AES-256 for all stored data including backups.
  • Row-Level Security (RLS): tenant isolation enforced at the database layer. No cross-clinic data access is architecturally possible through the application.
  • Tamper-evident audit log chain: SHA-256 hash-linked append-only ledger for all PHI access, modifications, approvals, and exports.
  • Role-based access control: least-privilege model with distinct roles for owners, chiropractors, assistants, and support.
  • Session management: automatic timeout on inactivity; single-session enforcement available.
  • Passkey / FIDO2 authentication: passwordless biometric login supported.
  • Break-glass emergency access: elevated access for support requires dual authorisation, is logged, and triggers notifications.
  • Automated encrypted backups with point-in-time recovery.
  • AI PHI policy: patient data is never sent to AI providers without scrubbing or explicit clinician consent. AI outputs require clinician review before entering the record.

AI and Patient Data

How AI interacts with patient data is the question most healthcare procurement teams ask first. Here is a direct answer.

Is patient data used to train AI models?
No. Patient data is never used to train any AI model — ours or any third party's — without explicit, documented consent from the data controller (the practice).
What is sent to external AI providers (OpenAI, Gemini, etc.)?
AI drafting requests route through a PHI scrubbing layer before any content leaves ChiroVault infrastructure. Direct identifiers are replaced with clinical tokens. The practice can configure AI routing and choose which providers are enabled. A DPA or equivalent contractual review covers each provider before it is enabled for applicable workflows.
Can clinicians see what the AI used to generate a draft?
Yes. The AI console shows which data context was used, which model was called, and what the output was, with full audit trail. Uncertain outputs are flagged for closer review before they reach the clinician.
Does AI ever make clinical decisions?
No. Every AI output — SOAP notes, referral letters, radiology report drafts, code suggestions — is a draft that requires clinician review and explicit approval before entering the patient record. The system is designed so that approving a draft requires an intentional action, not a passive default.

Questions Procurement Teams Ask

Where is data stored?
Primary data is stored within the EU/EEA. Supabase (Postgres), Cloudflare Workers, and cloud storage are all EU-region configured. Where any processing involves non-EEA infrastructure, Standard Contractual Clauses (SCCs) are in place.
Can ChiroVault staff read our patient records?
No staff member has routine access to patient data. Support access requires a documented reason, dual authorisation, and is audit-logged with notifications to the practice owner.
What is your incident notification timeline?
We notify affected customers within 72 hours of a confirmed data breach, consistent with GDPR Art. 33. We notify the Autoriteit Persoonsgegevens within the same 72-hour window where required.
Can we export all our data and leave?
Yes. Full data export (patient records, SOAP notes, audit logs, billing history) is available at any time from the platform. After subscription termination, data remains available for 90 days for export, then is securely deleted per our retention policy.
Do you have a Data Processing Agreement?
A DPA (verwerkersovereenkomst) is on our compliance roadmap. Contact privacy@chirovault.ai to request it.
Do you carry out penetration testing?
We conduct internal security reviews continuously. We are scheduling our first formal third-party penetration test; contact security@chirovault.ai for current status. Enterprise customers can request our internal security assessment documentation under NDA.

Certification Roadmap

We believe transparency about where we are in the compliance journey is more useful to buyers than inflated claims. This is our current plan.

Now GDPR/AVG framework operational. HIPAA BAAs available. All technical security controls (TLS 1.3, AES-256, RLS, audit chain) live. DPA execution on the compliance roadmap — contact us.
2026 First formal third-party security assessment. ISO 27001 gap analysis and remediation. Internal audit bundle published for enterprise review.
2026–27 ISO 27001 certification audit. NEN 7510 readiness assessment. Sub-processor list published publicly on this page.
2027+ NEN 7510 certification. SOC 2 Type II audit (subject to customer demand and growth). Continued annual penetration testing.

Sub-processors

A current sub-processor list is available on request. We are working toward publishing it publicly on this page. Sub-processors used for PHI or EU personal data are reviewed for downstream BAA, DPA, or equivalent contractual coverage before being enabled for applicable workflows. Categories of sub-processors currently include: cloud infrastructure, database hosting, AI/LLM providers, email delivery, and payment processing.

Request the sub-processor list: privacy@chirovault.ai

Responsible Disclosure

We follow coordinated disclosure with a 90-day window. If you discover a vulnerability, please report it to security@chirovault.ai or via security.txt. We do not take legal action against good-faith reporters. We review every report and respond within 5 business days.

Status and Uptime

Current service status and incident history: Status Page

We target 99.5% monthly uptime. Scheduled maintenance is communicated at least 48 hours in advance.