Maia
Security and compliance

|

MAIA's legal and security layer is co-designed with state attorneys and health-data protection experts. No shortcuts.

Health data processing

MAIA acts as data processor under GDPR (EU 2016/679) and Spain's LOPDGDD. Clinical data always belongs to the clinic or healthcare professional, never to MAIA. A signed Data Processing Agreement (DPA) is in place with every customer.

Data is encrypted at rest with AES-256 and in transit with TLS 1.3. Encryption keys are managed in a dedicated per-tenant KMS. Encrypted daily backups with 35-day retention.

European infrastructure

All infrastructure runs on providers headquartered and processing within the European Union (Frankfurt, Madrid and Ireland). No clinical data leaves the EEA. Auditable logs retained for 12 months.

Primary region
EU-West-1 · Madrid
Disaster recovery
EU-Central · Frankfurt
SLA
99.95% uptime

Responsible AI · EU AI Act

MAIA classifies as a limited-risk AI system under the EU AI Act. Human-in-the-loop applies to every clinical generation: no medical note, prescription or invoice is closed without healthcare-professional validation.

  • Clinical inference models are not trained on customer data unless explicit opt-in and irreversible anonymization.
  • Continuous auditing of bias, hallucination and model-decision traceability.
  • Every generated note includes its source, model and confidence level for clinical review.

Certifications

GDPR · LOPDGDD
Activo

Full compliance · DPO appointed

EU AI Act
Ready

Limited risk · complete technical documentation

PCI-DSS (via Stripe)
Activo

Payment data never stored on MAIA