MAIA's legal and security layer is co-designed with state attorneys and health-data protection experts. No shortcuts.
Health data processing
MAIA acts as data processor under GDPR (EU 2016/679) and Spain's LOPDGDD. Clinical data always belongs to the clinic or healthcare professional, never to MAIA. A signed Data Processing Agreement (DPA) is in place with every customer.
Data is encrypted at rest with AES-256 and in transit with TLS 1.3. Encryption keys are managed in a dedicated per-tenant KMS. Encrypted daily backups with 35-day retention.
European infrastructure
All infrastructure runs on providers headquartered and processing within the European Union (Frankfurt, Madrid and Ireland). No clinical data leaves the EEA. Auditable logs retained for 12 months.
Primary region
EU-West-1 · Madrid
Disaster recovery
EU-Central · Frankfurt
SLA
99.95% uptime
Responsible AI · EU AI Act
MAIA classifies as a limited-risk AI system under the EU AI Act. Human-in-the-loop applies to every clinical generation: no medical note, prescription or invoice is closed without healthcare-professional validation.
Clinical inference models are not trained on customer data unless explicit opt-in and irreversible anonymization.
Continuous auditing of bias, hallucination and model-decision traceability.
Every generated note includes its source, model and confidence level for clinical review.