Security Center
This page summarizes Aduvera's security posture, data handling practices, compliance framework, and AI data use.
Last updated March 13, 2026 | Google Cloud DPA signed | Google Cloud HIPAA BAA in place | Customer BAA available where required
Current compliance posture
Aduvera has Google Cloud's Cloud Data Processing Addendum and Google Cloud HIPAA Business Associate Addendum in place for the infrastructure supporting the service. That provides an important contractual foundation for HIPAA-governed workloads.
Aduvera does not treat that upstream BAA alone as a blanket statement that every customer deployment is automatically HIPAA-compliant. Actual compliance still depends on the workflow, customer configuration, access controls, workforce practices, minimum-necessary use, retention settings, and whether Aduvera and the customer have executed a separate customer BAA where required.
For customers outside the US and for customers processing ordinary business personal data, the main legal framework is Aduvera's Terms of Service, Privacy Policy, and, where applicable, DPA. US HIPAA customers should also review the BAA.
Security controls
- Authenticated backend access for consultation, transcription, and generation APIs.
- User-scoped consultation reads and writes enforced server-side.
- Audit events for access, mutation, generation, deletion, and purge actions.
- Production protections against unsafe full-payload LLM logging.
- Security headers including CSP, HSTS, anti-framing, and nosniff.
- Database connections made over TCP default to TLS in production.
Retention and deletion
Temporary uploaded audio is deleted after successful transcription by default. Persisted consultation records are retained for up to 30 days after the last update, then soft-deleted and queued for permanent purge. Final hard deletion occurs after an additional 7-day grace period unless a legal hold applies.
Aduvera's public retention statements are intended to remain aligned with its operating controls and documented retention procedures.
AI and customer data use
Aduvera uses Google Vertex AI to transcribe visits, generate draft documentation, and retrieve transcript-backed note citations. Aduvera does not sell customer data, does not use customer data for advertising, and does not use customer data to train a proprietary Aduvera model.
Customer prompts, transcripts, and outputs are processed only to provide the requested service workflow. Google documents that customer data sent to Vertex AI is not used to train or fine-tune Google foundation models without customer permission or instruction.
International transfers and regional coverage
Aduvera's legal documents are written for customers inside and outside the United States. For EEA, UK, and Swiss customers, Aduvera's DPA is drafted to address processor terms and cross-border transfer language, including SCC-based transfer terms and UK addendum support where applicable.
If Aduvera actively markets into the EU or UK without an establishment there, Aduvera should separately confirm whether Article 27 representative obligations apply.
Subprocessors
Aduvera currently uses the following categories of subprocessors:
- Google Cloud Run, Cloud SQL for PostgreSQL, Cloud Storage: Application hosting, authenticated API delivery, consultation persistence, and temporary audio object storage.
- Vertex AI Gemini and Vertex embeddings: Transcription, note generation, patient-summary generation, pre-visit preparation, light patient-name extraction, and transcript citation retrieval.
- Firebase Authentication / Google Cloud Identity Platform: User authentication, session establishment, and sign-in support for Google and email magic-link workflows.
- Cloud Logging and Cloud Monitoring: Operational logging, request tracing, rate-limit visibility, and incident-response support.
The full vendor table is published on the Subprocessors page.
Security and privacy requests
Customers can request legal and security documents, including the DPA and current subprocessor list, by contacting [email protected] or [email protected].
Aduvera reviews covered-service scope and makes customer BAA terms available for eligible US healthcare customers that require HIPAA contractual coverage.