Security Center
Security, compliance, privacy, AI data use, evidence-search disclosures, retention, and HIPAA readiness information for Aduvera.
Last updated April 24, 2026 | Google Cloud DPA signed | Google Cloud HIPAA BAA in place | Customer BAA incorporated where required | Public-source evidence retrieval disclosed
Current compliance posture
Aduvera has Google Cloud's Cloud Data Processing Addendum and Google Cloud HIPAA Business Associate Addendum in place for the infrastructure supporting the service. That provides an important contractual foundation for HIPAA-governed workloads.
Aduvera does not treat that upstream BAA alone as a blanket statement that every customer deployment is automatically HIPAA-compliant. Actual compliance still depends on the workflow, customer configuration, access controls, workforce practices, minimum-necessary use, retention settings, and whether Aduvera's BAA applies to the customer relationship and workflow.
Not every workflow has the same downstream data path. Aduvera's core documentation features run within Aduvera's hosted stack, while some literature and evidence features also retrieve content from public biomedical or regulatory sources.
For customers outside the U.S. and for customers processing ordinary business personal data, the main legal framework is Aduvera's Terms of Service, Privacy Policy, and, where applicable, DPA. U.S. HIPAA customers should also review the BAA.
Security controls
- Authenticated backend access for consultation, transcription, and generation APIs.
- User-scoped consultation reads and writes enforced server-side.
- Audit events for access, mutation, generation, deletion, and purge actions.
- Production safeguards that prevent full LLM prompt and response payloads from being written to logs.
- Security headers including CSP, HSTS, anti-framing, and nosniff.
- Database connections over TCP default to TLS in production.
Retention and deletion
Temporary uploaded audio is deleted after successful transcription by default. Persisted consultation records are retained for up to 30 days after their last update; they are then soft-deleted and queued for permanent purge. Hard deletion occurs after a further 7-day grace period unless a legal hold applies.
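The retention lifecycle above is a small state machine, and the edge cases (a record exactly at the 30-day boundary, a legal hold on a record that is already soft-deleted) are where a sweep job tends to go wrong. The following is an added illustration written for this page, not Aduvera's own code: a retention decision function plus a sweep that emits audit events for the soft-delete and purge actions. It assumes, as the page's wording suggests, that a legal hold blocks hard deletion only; whether a hold should also defer soft-deletion is not stated on the page and is left as a choice for the implementer. Record identifiers and timestamps are constructed for the demo.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

RETENTION_DAYS = 30   # retain for up to 30 days after last update (per the page)
PURGE_GRACE_DAYS = 7  # then a 7-day grace period before hard deletion (per the page)


@dataclass
class ConsultationRecord:
    # Hypothetical shape of a persisted consultation record; not Aduvera's schema.
    record_id: str
    last_updated: datetime
    soft_deleted_at: Optional[datetime] = None
    legal_hold: bool = False


def retention_action(rec: ConsultationRecord, now: datetime) -> str:
    """Decide what a retention sweep should do with one record at time `now`.

    Returns one of "retain", "soft_delete", "await_purge", "hold", "hard_delete".
    All datetimes must be timezone-aware; mixing naive values raises TypeError.
    """
    if rec.soft_deleted_at is None:
        age = now - rec.last_updated
        # At exactly 30 days the record has used up its retention window.
        return "soft_delete" if age >= timedelta(days=RETENTION_DAYS) else "retain"
    if rec.legal_hold:
        # Assumption: a legal hold only blocks the final purge step.
        return "hold"
    in_grace = now - rec.soft_deleted_at
    return "hard_delete" if in_grace >= timedelta(days=PURGE_GRACE_DAYS) else "await_purge"


def purge_eligible_at(rec: ConsultationRecord) -> Optional[datetime]:
    """Earliest instant a soft-deleted record may be hard-deleted (None if not soft-deleted)."""
    if rec.soft_deleted_at is None:
        return None
    return rec.soft_deleted_at + timedelta(days=PURGE_GRACE_DAYS)


def run_retention_sweep(records, now: datetime):
    """Apply retention_action to every record.

    Mutates soft-deleted records in place, drops purged ones from the returned
    working set, and returns (survivors, audit_events). Events carry only the
    record id and action, never record content.
    """
    events = []
    survivors = []
    for rec in records:
        action = retention_action(rec, now)
        if action == "soft_delete":
            rec.soft_deleted_at = now
            events.append({"record_id": rec.record_id, "action": "soft_delete", "at": now.isoformat()})
        elif action == "hard_delete":
            events.append({"record_id": rec.record_id, "action": "purge", "at": now.isoformat()})
            continue  # purged records leave the working set
        survivors.append(rec)
    return survivors, events


def demo():
    """Constructed sample records covering every branch of retention_action."""
    now = datetime(2026, 4, 24, tzinfo=timezone.utc)
    records = [
        ConsultationRecord("c1", now - timedelta(days=10)),
        ConsultationRecord("c2", now - timedelta(days=31)),
        ConsultationRecord("c3", now - timedelta(days=40), soft_deleted_at=now - timedelta(days=3)),
        ConsultationRecord("c4", now - timedelta(days=45), soft_deleted_at=now - timedelta(days=8)),
        ConsultationRecord("c5", now - timedelta(days=45), soft_deleted_at=now - timedelta(days=8), legal_hold=True),
    ]
    actions = {r.record_id: retention_action(r, now) for r in records}
    survivors, events = run_retention_sweep(records, now)
    return actions, [r.record_id for r in survivors], events


if __name__ == "__main__":
    print(demo())
```

A sweep that runs on a schedule should be idempotent in the sense shown here: re-running it against the same records produces no new soft-delete events, and a held record stays in "hold" until the hold is cleared, at which point the grace-period clock that started at soft deletion is already expired and the next sweep purges it.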
AI and customer data use
Aduvera uses Google Vertex AI to transcribe visits, generate draft documentation, plan literature searches, generate evidence answers, and retrieve transcript-backed note citations. Aduvera does not sell customer data, does not use customer data for advertising, and does not use customer data to train a proprietary Aduvera model.
Customer prompts, transcripts, literature questions, and outputs are processed only to provide the requested service workflow. Google documents that customer data sent to Vertex AI is not used to train or fine-tune Google foundation models without customer permission or instruction.
Evidence retrieval boundary
Aduvera's literature workflow may send user questions or derived search queries to public biomedical and regulatory services such as Europe PMC, PubMed, Crossref, OpenAlex, and openFDA in order to retrieve references and source metadata. Those services are outside Aduvera's hosted application environment and may maintain their own logs and request handling practices.
For that reason, customers should avoid unnecessary direct identifiers in literature queries and should evaluate whether the evidence workflow is appropriate for identifiable data under their own privacy, HIPAA, and procurement requirements.
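Because the literature services named above sit outside the hosted environment and keep their own logs, the practical control on the customer side is a pre-flight check on outbound queries. The following is an added example written for this page, not Aduvera's code and not a description of how Aduvera's query planner works: a pattern-based screen that flags and redacts the direct identifiers most likely to leak into a free-text clinical question (SSN, phone, email, dates, MRN-style tokens, long digit runs), while letting bibliographic numbers such as PMIDs through. Pattern names, the sample queries and the `allow_identifiers` override are all constructed for illustration. A regex screen cannot catch patient names or free-text quasi-identifiers and is not a substitute for de-identification review; it is a tripwire, and its audit output deliberately records only the kind and count of what it found, never the matched text.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Ordered: earlier patterns are redacted before later ones are evaluated.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "date": re.compile(r"\b(?:\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{2,4})\b"),
    "mrn": re.compile(r"\b(?:MRN|medical record(?: number)?)\s*[:#]?\s*[A-Z0-9-]{5,}\b", re.IGNORECASE),
    # Long digit runs look like account or record numbers; PMIDs are allowed through.
    "long_number": re.compile(r"(?<!PMID )(?<!PMID: )(?<!PMID:)\b\d{7,}\b"),
}


@dataclass
class ScreenResult:
    original: str
    redacted: str
    findings: List[Tuple[str, str]] = field(default_factory=list)  # (kind, matched text)

    @property
    def clean(self) -> bool:
        return not self.findings


class IdentifierInQueryError(ValueError):
    """Raised when a query would carry direct identifiers to an external service."""


def screen_query(query: str) -> ScreenResult:
    """Find direct-identifier patterns in a literature query and redact them in place."""
    findings = []
    redacted = query
    for kind, pattern in IDENTIFIER_PATTERNS.items():
        for m in pattern.finditer(redacted):
            findings.append((kind, m.group(0)))
        redacted = pattern.sub(f"[{kind.upper()}]", redacted)
    return ScreenResult(original=query, redacted=redacted, findings=findings)


def audit_summary(result: ScreenResult) -> dict:
    """What may be written to an audit log: kinds and counts, never the raw matches."""
    kinds = sorted({kind for kind, _ in result.findings})
    return {"identifier_kinds": kinds, "identifier_count": len(result.findings)}


def outbound_query(query: str, allow_identifiers: bool = False) -> str:
    """Gate a query before it leaves for Europe PMC, PubMed, Crossref, OpenAlex or openFDA.

    Default behaviour: refuse to send anything that matched. With the hypothetical
    allow_identifiers override, the redacted form is sent instead of the original,
    so a reviewed query still never carries the identifier itself off-platform.
    """
    result = screen_query(query)
    if result.clean:
        return query
    if not allow_identifiers:
        raise IdentifierInQueryError(f"query blocked: {audit_summary(result)}")
    return result.redacted


# Constructed sample queries (not real patient data).
UNSAFE_QUERY = ("Does apixaban interact with amiodarone? "
                "Patient MRN 8841-2201, DOB 03/14/1951, phone 415-555-0142")
SAFE_QUERY = "Bleeding risk with apixaban in patients over 80, PMID 35312345"

if __name__ == "__main__":
    print(screen_query(UNSAFE_QUERY).redacted)
    print(audit_summary(screen_query(UNSAFE_QUERY)))
    print(outbound_query(SAFE_QUERY))
```

The patterns here are an illustration; a production screen would be tuned to the identifier formats in use at the deploying organisation and would sit in front of every outbound literature call, including the derived queries a planning step generates from the user's question.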
Aduvera's literature answers are intended as a research aid, not as a substitute for reviewing the underlying sources, current guidelines, or current product labeling.
EEA, UK, and Swiss customers
Aduvera's legal documents are written for customers inside and outside the United States. For EEA customers, including Germany, France, Italy, Spain, and the Netherlands, as well as UK and Swiss customers, Aduvera's DPA is drafted to address processor terms and cross-border transfer language, including SCC-based transfer terms and UK addendum support where applicable.
Customers outside the U.S. HIPAA healthcare context often need a clearer procurement and privacy review path than a single HIPAA statement provides. Aduvera publishes public security, privacy, retention, AI data-use, and subprocessor disclosures so customers can evaluate the service on processor, transfer, and vendor-management grounds as well.
Subprocessors
Aduvera currently uses the following categories of subprocessors:
- Google Cloud Run, Cloud SQL for PostgreSQL, Cloud Storage: Application hosting, authenticated API delivery, consultation and literature-workspace persistence, and temporary audio object storage.
- Vertex AI Gemini and Vertex embeddings: Transcription, note generation, literature-answer generation, literature query planning, patient-summary generation, pre-visit preparation, light patient-name extraction, and transcript citation retrieval.
- Firebase Authentication / Google Cloud Identity Platform: User authentication, session establishment, and sign-in support for Google and email-code workflows.
- Cloud Logging and Cloud Monitoring: Operational logging, request tracing, rate-limit visibility, and incident-response support.
Security and privacy requests
Customers can request legal and security documents, including the DPA and current subprocessor list, by contacting the address below.
Under the Terms, Aduvera's BAA applies automatically to U.S. healthcare customers whose PHI workflows require contractual coverage under HIPAA.