Compliance Documentation
Aqta's approach to healthcare and regulatory compliance.
Overview
Aqta is designed for compliance with:
- ✅ HIPAA (Health Insurance Portability and Accountability Act)
- ✅ GDPR (General Data Protection Regulation)
- ✅ EU AI Act (High-Risk AI Systems)
- ✅ SOC 2 Type II (in progress)
Compliance Features
HIPAA Compliance
Healthcare data protection
- PHI handling
- Encryption standards
- Access controls
- Audit trails
- BAA availability
GDPR Compliance
EU data protection
- Data minimization
- Right to access
- Right to erasure
- Data portability
- Consent management
EU AI Act
High-risk AI system requirements
- Transparency requirements
- Human oversight
- Bias monitoring
- Documentation
- Conformity assessment
Data Retention
Configurable retention policies
- Standard: 30 days
- Pro: 90 days
- Healthcare: 7 years
- Custom: Configurable
Audit Logs
Immutable audit trails
- Request logging
- Access logs
- Change logs
- Export capabilities
EU Hosting
Data residency options
- EU-only data storage
- Regional routing
- GDPR compliance
- Latency optimisation
Certifications
Current
- ✅ GDPR Compliant
- ✅ HIPAA Ready (BAA available)
- ✅ EU AI Act Aligned
In Progress
- 🔄 SOC 2 Type II (Q2 2026)
- 🔄 ISO 27001 (Q3 2026)
- 🔄 HITRUST (Q4 2026)
Healthcare Compliance
HIPAA Requirements
Technical Safeguards
- ✅ Encryption at rest (AES-256)
- ✅ Encryption in transit (TLS 1.3)
- ✅ Access controls (RBAC)
- ✅ Audit logging (immutable)
- ✅ Automatic logoff
- ✅ Emergency access
Administrative Safeguards
- ✅ Security management process
- ✅ Workforce training
- ✅ Incident response plan
- ✅ Business associate agreements
- ✅ Risk assessments
Physical Safeguards
- ✅ Facility access controls (AWS/GCP)
- ✅ Workstation security
- ✅ Device and media controls
BAA (Business Associate Agreement)
Healthcare customers receive a BAA covering:
- Aqta's responsibilities as a business associate
- Permitted uses and disclosures of PHI
- Security safeguards
- Breach notification procedures
- Termination provisions
Contact hello@aqta.ai to request a BAA.
GDPR Compliance
Data Processing
What we collect:
- Request metadata (timestamp, model, tokens)
- Cost and performance metrics
- User account information
- API usage statistics
What we DON'T collect:
- Prompt content (unless explicitly enabled)
- Response content (unless explicitly enabled)
- Personally identifiable information (PII)
- Sensitive personal data
User Rights
Right to Access
- Export all your data via Settings → Export
- API endpoint: `GET /api/settings/export`
Right to Erasure
- Delete account via Settings → Delete Account
- All data removed within 30 days
Right to Portability
- Export data in JSON/CSV format
- Compatible with other platforms
Right to Object
- Opt out of analytics
- Disable non-essential processing
Legal Basis
- Contract: Processing necessary for service delivery
- Legitimate Interest: Fraud prevention, security
- Consent: Optional features (analytics, marketing)
EU AI Act Compliance
High-Risk Classification
Aqta Healthcare is classified as a high-risk AI system under:
- Annex III, Point 5(b): AI for healthcare diagnosis/treatment
Requirements Met
Transparency
- ✅ Medical receipts for all decisions
- ✅ Explanation of AI reasoning
- ✅ Patient access to records
Human Oversight
- ✅ Human-in-the-loop workflows
- ✅ Clinician review for high-risk cases
- ✅ Override capabilities
Accuracy & Robustness
- ✅ Bias detection and monitoring
- ✅ Performance metrics tracking
- ✅ Regular model evaluation
Data Governance
- ✅ Training data documentation
- ✅ Data quality measures
- ✅ Bias mitigation strategies
Documentation
- ✅ Technical documentation
- ✅ Instructions for use
- ✅ Conformity assessment
Audit & Reporting
Automated Reports
Quarterly Compliance Report
- Request volume and patterns
- Bias detection statistics
- HITL intervention rates
- Data retention compliance
- Access log summary
Annual Transparency Report
- System performance metrics
- Bias mitigation efforts
- Incident summary
- Compliance updates
On-Demand Exports
```http
# Export audit logs
GET /api/compliance/audit-logs?start=2026-01-01&end=2026-01-31

# Export medical receipts
GET /api/health/receipts/export?format=pdf

# Export user data
GET /api/settings/export
```
Incident Response
Breach Notification
Timeline:
- Detection: Real-time monitoring
- Assessment: Within 24 hours
- Notification: Within 72 hours (GDPR)
- Remediation: Immediate
Process:
- Detect potential breach
- Contain and assess impact
- Notify affected parties
- Report to authorities (if required)
- Implement corrective measures
- Document and review
Contact
All Enquiries: hello@aqta.ai
Third-Party Audits
We work with:
- Security auditors for SOC 2
- Healthcare compliance consultants
- Privacy law firms
- Penetration testing firms
Documentation
All compliance documentation available:
- Security Whitepaper
- Privacy Policy
- Terms of Service
- Data Processing Agreement
- Business Associate Agreement
Support
Healthcare and compliance customers get:
- Dedicated compliance support
- Quarterly compliance reviews
- Audit assistance
- Documentation support
- Regulatory update notifications
Contact: hello@aqta.ai
Resources:
- Documentation - Complete documentation
- Security Page - Security overview