Security and compliance

Data hosted in country. Privacy law aligned.

Each answer below is short, declarative, and accurate to what Aescia operates today. Aescia is pre-first-customer, and the page says so where it matters.

The answers
In-country data hosting
Customer data is hosted in the customer's jurisdiction. Each deployment is a per-tenant Google Cloud environment (Firebase Hosting, Cloud Run, Firebase Authentication) provisioned by Terraform in the region closest to the customer's regulator: US (us-central1 / us-east1 / us-west1), Australia and New Zealand (australia-southeast1, Sydney), UK (europe-west2, London), EU (europe-west3, Frankfurt), Canada (northamerica-northeast1, Montreal). Patient data does not leave the customer's region. No data is co-mingled across tenants.
Privacy-law alignment
Engineering, hosting, and access controls are aligned to the privacy law governing the customer: HIPAA in the US, the Australian Privacy Principles and the Notifiable Data Breaches scheme in Australia, the Privacy Act 2020 in New Zealand, the UK GDPR and Data Protection Act 2018 in the UK, the GDPR in the EU, and PIPEDA in Canada (with Quebec Law 25 where applicable). Customer-side compliance artefacts (security questionnaire, risk-assessment evidence, sub-processor disclosures) are completed on the timeline the customer requires.
Data agreement
Aescia is pre-first-customer and does not have signed data agreements in place today. Before any patient data is collected, transmitted, or stored for a customer, the relevant agreement is put in place: a Business Associate Agreement under HIPAA, a Data Processing Agreement under the GDPR, an APP-equivalent agreement under the Australian Privacy Principles, and the equivalent under PIPEDA and the Privacy Act 2020. Email contact@aesciahealth.com to start that, stating the jurisdiction.
SOC 2
Aescia does not currently hold a SOC 2 attestation. The SOC 2 Type I path is scheduled to open alongside the first US design-partner contract, with the audit window committed in writing to that customer. Type II follows on the next twelve-month observation period. Compliance and cybersecurity are owned internally by Josh Casey.
Breach notification
Aescia notifies affected customers without unreasonable delay, and in no event later than the strictest applicable regulatory window: 60 days under HIPAA, 72 hours under the GDPR / UK GDPR, the eligible-breach timeline under the Australian Notifiable Data Breaches scheme, and the equivalent under PIPEDA and the Privacy Act 2020. A shorter customer-facing window is negotiable in the data agreement on request (typically 24 to 72 hours for confirmed incidents). Notification covers what was accessed, when, by whom, and the remediation taken.
Data ownership
The customer owns its data. Aescia does not use customer patient data, or de-identified derivatives of it, for product training, marketing analytics, or third-party benchmarking without written, customer-specific consent. On contract exit, customer data is exported in a usable, structured format (JSON and CSV) within 30 days, and Aescia-side copies are destroyed on a documented schedule.
Sub-processors
The vendors Aescia relies on to deliver the service are listed in full below. New sub-processors are disclosed in writing before deployment, with a 30-day customer right-of-objection encoded in the data agreement.
Encryption and access
TLS 1.3 in transit and AES-256 at rest. Role-based access control with an audit trail. Database-level tenant isolation. Multi-factor authentication is enforced on all staff accounts. Cyber insurance (Chubb Cyber ERM) is being arranged.
Software lifecycle
IEC 62304:2006+A1:2015 software lifecycle processes are implemented and documented for the regulated Hospitals product. ISO/IEC 27001:2022 controls are implemented for both products. ISO 13485:2016 implementation is underway with certification targeted in 2026. No third-party conformity assessment has been undertaken; no certifications are currently held.
Penetration testing
Aescia has not yet commissioned an independent third-party penetration test. One is planned ahead of the first production customer, and the report will be made available to that customer under mutual NDA.
Sub-processors

The vendors that touch the service.

This list is the same one Aescia maintains internally. It is published rather than gated because a procurement reviewer should not have to ask. Any new sub-processor is disclosed in writing 30 days before deployment, with a customer right-of-objection encoded in the data agreement.

Google Cloud (Firebase Hosting, Cloud Run, Firebase Authentication)
V2 application hosting, API runtime, and authentication
Per-tenant Terraform-provisioned infrastructure: each customer environment is a discrete Firebase project plus Cloud Run service, spun up in the Google Cloud region closest to the regulator. Available regions include us-central1 / us-east1 / us-west1 (US), australia-southeast1 (Sydney) for AU/NZ, europe-west2 (London) for the UK, europe-west3 (Frankfurt) for the EU, and northamerica-northeast1 (Montreal) for Canada. The relevant data agreement is put in place before any patient data is exchanged.
Deployed in-region for the customer's jurisdiction
Twilio
Intended SMS provider for patient reminders, prep coaching, and confirmation flows
Aescia is pre-first-customer and is not yet sending patient messages through Twilio in production. Regional numbers and the relevant data agreement are put in place before any patient data passes through it.
In-region carrier and number plan per customer
Vercel
V1 application hosting for the Aescia for Hospitals product used in the SAFE-Discharge trial
V1 trial environment only. The regulated V2 product runs on Google Cloud in the customer's region.
australia-southeast (Sydney)
Supabase
V1 database and authentication for the SAFE-Discharge trial environment
V1 trial environment only. V2 does not use Supabase.
Australia (ap-southeast-2)
Resend
Transactional and operational email
PHI-free by design. Email is used for non-clinical operational communication; patient identifiers and clinical content are not transmitted via email.
EU / US dual-region
If you leave

Exit terms in writing.

Notice
Month-to-month after the initial pilot. 30-day written notice ends the contract.
Data export
Customer data exported in JSON and CSV within 30 days of termination. No PDF dumps.
Aescia copies
Aescia-side copies destroyed on a documented schedule after export confirmation. Certificate of destruction issued.
Pathway content
Pathways co-authored with the customer are returned in a structured, re-deployable format. The clinician who authored the rule set retains attribution and re-use rights.
Pricing
No early-termination fee in the design-partner program. See the design-partner page for full commercial terms.

For the full security pack, the data agreement template for your jurisdiction, or the SOC 2 roadmap memo, contact Aescia.