Skip to content

Trust & Compliance

Built for regulated healthcare.

Health data is the most sensitive data there is, and we treat it that way. Every framework below has a dedicated page written for compliance and procurement review, with documentation available on request.

Data ProtectionAligned

GDPR

EU & UK General Data Protection Regulation

Desha.ai processes personal and health data in line with the EU GDPR (2016/679) and the UK GDPR / Data Protection Act 2018. Processing is consent-governed and purpose-limited, data subjects can exercise their rights at any time, and we operate as a processor under Article 28 terms for our healthcare customers.

Read the detail
HealthcareReady

HIPAA

US Health Insurance Portability and Accountability Act

Desha.ai supports HIPAA-ready workflows for US covered entities and their business associates. We will sign a Business Associate Agreement (BAA), apply the Security Rule’s administrative, physical and technical safeguards to Protected Health Information (PHI), and honour the minimum-necessary and breach-notification requirements. (HIPAA has no government “certification”; conformance is demonstrated through the BAA and our control attestations.)

Read the detail
HealthcareWorking toward

NHS DSP Toolkit

NHS Data Security and Protection Toolkit

For engagements that touch NHS patient data, Desha.ai aligns to the Data Security and Protection (DSP) Toolkit, the annual self-assessment against the National Data Guardian’s ten data-security standards. Our controls are designed to meet the “Standards Met” threshold.

Read the detail
SecurityAligned to controls

ISO 27001

ISO/IEC 27001 Information Security Management

Desha.ai operates an information-security programme aligned to the ISO/IEC 27001:2022 control set (Annex A) and a risk-based Information Security Management System (ISMS). Formal certification is on our roadmap; today we map our controls to the standard and can share that mapping.

Read the detail
SecurityImplemented

End-to-End Encryption

Encryption in Transit & at Rest (AES-256)

All Desha.ai data is encrypted in transit and at rest. Sensitive health and identity fields receive additional protection, and cryptographic keys are managed through a controlled lifecycle.

Read the detail
Data ProtectionBy design

Zero-PII Storage

Data Minimisation & Zero-PII Analytics

Desha.ai is built on data minimisation. Directly identifying information is segregated from health data, tokenised wherever possible, kept out of logs and analytics, and never used to train third-party models. We call this our Zero-PII principle: the analytics, monitoring and model layers operate on de-identified data.

Read the detail
SecurityIn progress

SOC 2 Type II

AICPA SOC 2 Type II

Desha.ai is working toward a SOC 2 Type II report against the AICPA Trust Services Criteria. Our control environment is in place; a Type II report attests that those controls operate effectively over an observation period, which is underway. We will publish the report’s availability here when complete.

Read the detail
InteroperabilitySupported

HL7 FHIR R4

HL7 FHIR Release 4 Interoperability

Desha.ai represents clinical data using HL7 FHIR Release 4, the modern healthcare interoperability standard, so patient records, medications and adherence can be exchanged cleanly with EHRs and partner systems, and patients can export their data in a portable, machine-readable form.

Read the detail

These pages summarise Desha.ai’s posture for due-diligence review. They are informational, do not disclose internal systems, and are not a warranty or legal advice. Contractual terms are provided in our DPA / BAA.