Privacy Notice
Docrates.ai is HIPAA compliant. Your personal information remains private and secure. All data is encrypted in transit and at rest. HIPAA compliance is foundational to Docrates AI and covers governance, evidence, observability, access control, encryption key management, audit logging, least-privilege identity architecture, multi-factor authentication, secure configuration management, and documented operational controls. Administrative, technical, and physical safeguards are implemented to align with HIPAA Security Rule requirements, with continuous monitoring and logging to support accountability and audit readiness. Data handling processes are designed to minimize exposure, restrict access, and ensure that protected health information is processed, stored, and transmitted securely at every stage of the application lifecycle.
All Personally Identifiable Information (PII) and Protected Health Information (PHI) are removed from uploaded files in memory using Google Cloud Sensitive Data Protection (DLP) before any content is submitted to the AI model. Analysis result files are encrypted prior to storage and maintained within encrypted cloud storage in accordance with the service’s data retention and destruction policy. Limited Personally Identifiable Information (PII), including user ID, email address, and phone number, is collected during authentication and securely stored within Google Identity Platform for identity verification purposes. Authentication and application events are logged to Google Cloud Logging to support operational monitoring and audit requirements.
Docrates AI runs on Google Cloud Platform (GCP):
- Google Gemini LLM.
- Cloud Run (serverless, stateless compute).
- Cloud Storage (encrypted storage for datalake, configurations, logs, prompts).
- Secret Manager (secure storage for encryption keys).
- Cloud Logging (observability and audit trails).
- Sensitive Data Protection (DLP) for PII redaction.
- Identity & Access Management (least-privilege service accounts and permissions).
- Identity Platform (authentication, MFA, provider configuration).
- Firebase Authentication Client SDK (MFA as part of Identity Platform).
Data Protection
- All data transmission occurs over HTTPS.
- Cloud Run is stateless and does not persist data.
- Uploaded files are processed in memory; PII is removed using Google DLP before any content is submitted to the AI model.
- Analysis results are encrypted before being stored in Cloud Storage, using encryption keys held in Secret Manager.
- Encrypted results stored in Cloud Storage can only be decrypted by the application with the associated encryption key.
- The application reads encrypted result files to display output or generate downloadable PDFs.
- All application activity is logged through Cloud Logging for audit and operational monitoring.
- No PII from uploaded files or analysis results is ever logged.
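To make the data-protection flow above concrete, the following is an added illustration (not Docrates' own code): an in-memory pipeline that redacts with constructed regex stand-ins for the named Google DLP infoTypes, submits only redacted text to the model, encrypts the result before storage with a key standing in for the Secret Manager-held key, and logs events without PII. The encryption is a constructed HMAC-SHA256 stream cipher with encrypt-then-MAC, a placeholder for the AEAD a production service would use.

```python
import hashlib
import hmac
import re
import secrets
from typing import Callable

# Constructed regex stand-ins for Google Cloud DLP detectors, keyed by real DLP infoType names.
INFO_TYPES = {
    "EMAIL_ADDRESS": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "PHONE_NUMBER": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "US_SOCIAL_SECURITY_NUMBER": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

def redact(text: str) -> str:
    """Replace each finding with its infoType name (like DLP's replace-with-infoType transform)."""
    for name, pattern in INFO_TYPES.items():
        text = pattern.sub(f"[{name}]", text)
    return text

def contains_pii(text: str) -> bool:
    return any(p.search(text) for p in INFO_TYPES.values())

def _keystream(key: bytes, nonce: bytes, length: bytes_len := None) -> bytes:
    pass
```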
Security
- Access to the authentication flow requires an ACL passcode to prevent unauthorized entry.
- MFA (multi-factor authentication) is used to verify user identity.
- Identity Platform securely stores user emails and phone numbers.
- Firebase Authentication Client SDK, integrated with Identity Platform, handles MFA processing.
The software infrastructure is subject to change.