SECURITY
Information security and compliance
Edith Care - AI for human-centered, high-stakes assessments
Version 2.0 · 2026-03-31
Summary
We understand that healthcare handles some of society's most sensitive information. Information security and compliance have therefore been core design principles from day one.
Edith Care is a documentation support tool, not an electronic health record system and not a medical device. Clinical content remains draft material until a licensed psychologist reviews and approves it.
OUR CORE SECURITY PROMISES
- All patient data is stored and processed in Azure Sweden Central
- All information is encrypted at rest and in transit
- Full traceability through access logging
- AI summarizes and suggests only
- Compliance with Swedish healthcare data law, GDPR and applicable regulations
- Prepared for the EU AI Act
01 Compliance
Edith Care is designed to help care providers meet relevant rules for personal data processing in healthcare.
Healthcare data law and GDPR
- Processing is performed on behalf of the care provider, with Edith Care as processor
- Individual user accounts and role-based permissions
- All access to patient data is logged automatically
- Patient data is used only for documentation support
AI Act and medical device position
- The system makes no clinical decisions and performs no diagnosis
- AI-generated content is clearly marked as suggestions
- All clinical assessments are made by licensed healthcare professionals
- Technical documentation and risk management are maintained continuously
02 Data protection and encryption
Encryption
| Protection | Standard | Description |
|---|---|---|
| Storage | AES-256 | Industry standard for sensitive data |
| Transfer | TLS 1.3 | Modern secure transport encryption |
| Key management | Azure Key Vault | Dedicated key management with strict access control |
| Audio files | AES-256 + deletion | Encrypted during processing and deleted after transcription |
Access control
- Strong authentication with multi-factor authentication
- Users only see data for their own patients
- No shared accounts are allowed
- Automatic logout after inactivity
03 Traceability, incidents and suppliers
- Logs are protected against tampering and contain metadata only
- Personal data incidents follow established routines
- Care providers are informed about incidents within 24 hours
- All persistent storage and AI processing happens in Azure Sweden Central
- Sub-processors are bound by data processing agreements and bans on model training with customer data
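The two properties above that a reviewer most often asks to see in practice are "users only see data for their own patients" (section 02) and "logs are protected against tampering and contain metadata only" (section 03). The following is an added illustration, not Edith Care's own code, of how the two fit together: every read of a patient note passes an assignment check, every attempt (allowed or denied) is appended to an access log that records only identifiers and outcomes, and each log entry is chained to its predecessor with an HMAC so that editing an earlier entry breaks verification. The assignment table, the log key and the hash-chain construction are assumptions made for the example; the page states the properties, not how they are implemented.

```python
"""Added example (not Edith Care's code): patient-scoped authorization plus a
metadata-only, tamper-evident access log.

Assumptions (not stated on the page): the log is an HMAC hash chain, entries
are JSON objects, and clinician-to-patient assignment is an in-memory mapping.
A real deployment would keep the key in a vault and append to write-once storage.
"""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample assignments: which clinician is responsible for which patient.
ASSIGNMENTS = {
    "clin-anna": {"pat-001", "pat-002"},
    "clin-bjorn": {"pat-003"},
}

# Constructed key for the example only; in production it would live in a key vault.
LOG_KEY = b"example-log-key-not-for-production"

# Fixed-length hash of "nothing" that anchors the first entry of the chain.
GENESIS = "0" * 64


@dataclass
class AccessLog:
    """Append-only log whose entries carry metadata only, each chained to its predecessor."""
    key: bytes = LOG_KEY
    entries: list = field(default_factory=list)

    def _digest(self, prev_hash: str, payload: dict) -> str:
        # Canonical JSON so the same fields always hash the same way; prev_hash is
        # fixed-length, so concatenation is unambiguous.
        body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
        return hmac.new(self.key, (prev_hash + body).encode(), hashlib.sha256).hexdigest()

    def append(self, user: str, patient: str, action: str, outcome: str,
               ts: Optional[float] = None) -> dict:
        # Only identifiers and outcome are recorded; never the note content itself.
        payload = {
            "ts": ts if ts is not None else time.time(),
            "user": user,
            "patient": patient,
            "action": action,
            "outcome": outcome,
        }
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"payload": payload, "prev": prev, "hash": self._digest(prev, payload)}
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain from GENESIS; any edited or reordered entry breaks it."""
        prev = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or self._digest(prev, entry["payload"]) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def read_patient_note(log: AccessLog, user: str, patient: str, notes: dict) -> Optional[str]:
    """Return the note only if the user is assigned to the patient; log every attempt."""
    allowed = patient in ASSIGNMENTS.get(user, set())
    log.append(user, patient, "read_note", "allowed" if allowed else "denied")
    return notes.get(patient) if allowed else None


if __name__ == "__main__":
    # Constructed sample notes (draft material, as the page describes).
    sample_notes = {"pat-001": "draft summary 1", "pat-003": "draft summary 3"}
    log = AccessLog()
    print(read_patient_note(log, "clin-anna", "pat-001", sample_notes))  # allowed
    print(read_patient_note(log, "clin-anna", "pat-003", sample_notes))  # denied -> None
    print("chain valid:", log.verify())
```

One caveat worth knowing when reading a claim like "protected against tampering": a hash chain detects modification and reordering of entries, but not silent truncation of the tail. To detect that as well, the latest chain hash has to be anchored somewhere the application cannot rewrite (a separate store, a signed periodic checkpoint, or write-once storage).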