We anonymise your data across three layers — in your browser, on our European backend and with an AI review — before any processing. Your intellectual property and your customers' information never leave your control.
Transparency isn't an add-on. It's how we build.
The retention policy is configurable in the contract. By default, anonymised requests are kept for a bounded period. You can request zero retention or extended retention depending on your use case.
We use pre-trained models from Azure OpenAI (European region). Your data is used exclusively to generate responses for you. It is never part of the training of any model, neither Microsoft's nor ours.
We don't resell access, don't partner with external analytics platforms, don't send data outside the strict technical processing circle.
Our team can access operational logs (errors, performance), but NEVER the actual content of requests.
Three layers of anonymisation and one configurable persistence. Every step is designed so your sensitive data never leaves your control.
A layer of JavaScript code runs in your browser and applies deterministic rules to detect and replace sensitive patterns (IDs, names, clinical data, etc.) before the data leaves your device. This layer is auditable: you can inspect exactly what it detects and how it replaces.
When the data reaches our backend (on Azure, European region), we apply a second pass of deterministic anonymisation in code. It's a double validation that guarantees no sensitive pattern has slipped through the first layer. If we detect inconsistencies, the process stops.
A GPT mini instance on our European Azure OpenAI Service reviews the result of the anonymisation, identifying possible patterns that the deterministic rules haven't caught (indirect references, ambiguous contexts). It's a safety net that combines algorithmic rigour with contextual judgement.
The retention policy is yours. By default, anonymised requests are kept for the period defined in the contract. You decide whether you want zero retention, standard retention or extended retention according to your use case.
Current standard configuration. Some tailor-made implementations may have minor variations.
We operate on infrastructure with the same certifications required by the Spanish public sector.
We operate on Azure, certified ENS High by Spain's Ministry of Finance and Civil Service. This certification is the maximum security level required for systems handling critical data of the Spanish public sector.
We comply with the European General Data Protection Regulation. All processing follows the principles of minimisation, purpose limitation, and GDPR data subject rights.
Our Azure infrastructure complies with ISO 27001 (information security management). Compliance is renewed annually by Microsoft.
All services are deployed on Azure West Europe and European Azure OpenAI Service. No client data ever leaves European territory, without exceptions.
The questions we regularly receive from CTOs, DPOs and security officers.
We assess your current situation and deliver a 1-2 page report with concrete recommendations. No commitment.