Trust & Compliance
Built for regulated healthcare.
Health data is the most sensitive data there is, and we treat it that way. Every framework below has a dedicated page written for compliance and procurement review, with documentation available on request.
GDPR
Desha.ai processes personal and health data in line with the EU GDPR (2016/679) and the UK GDPR / Data Protection Act 2018. Processing is consent-governed and purpose-limited, data subjects can exercise their rights at any time, and we operate as a processor under Article 28 terms for our healthcare customers.
HIPAA
Desha.ai supports HIPAA-ready workflows for US covered entities and their business associates. We will sign a Business Associate Agreement (BAA), apply the Security Rule’s administrative, physical and technical safeguards to Protected Health Information (PHI), and honour the minimum-necessary and breach-notification requirements. (HIPAA has no government “certification”; conformance is demonstrated through the BAA and our control attestations.)
NHS DSP Toolkit
For engagements that touch NHS patient data, Desha.ai aligns to the Data Security and Protection (DSP) Toolkit, the annual self-assessment against the National Data Guardian’s ten data-security standards. Our controls are designed to meet the “Standards Met” threshold.
ISO 27001
Desha.ai operates an information-security programme aligned to the ISO/IEC 27001:2022 control set (Annex A) and a risk-based Information Security Management System (ISMS). Formal certification is on our roadmap; today we map our controls to the standard and can share that mapping.
End-to-End Encryption
All Desha.ai data is encrypted in transit and at rest. Sensitive health and identity fields receive additional protection, and cryptographic keys are managed through a controlled lifecycle.
Zero-PII Storage
Desha.ai is built on data minimisation. Directly identifying information is segregated from health data, tokenised wherever possible, kept out of logs and analytics, and never used to train third-party models. We call this our Zero-PII principle: the analytics, monitoring and model layers operate on de-identified data.
SOC 2 Type II
Desha.ai is working toward a SOC 2 Type II report against the AICPA Trust Services Criteria. Our control environment is in place; a Type II report attests that those controls operate effectively over an observation period, which is underway. We will publish the report’s availability here when complete.
HL7 FHIR R4
Desha.ai represents clinical data using HL7 FHIR Release 4, the modern healthcare interoperability standard, so patient records, medications and adherence can be exchanged cleanly with EHRs and partner systems, and patients can export their data in a portable, machine-readable form.
These pages summarise Desha.ai’s posture for due-diligence review. They are informational, do not disclose internal systems, and are not a warranty or legal advice. Contractual terms are provided in our DPA / BAA.
