Compliance

Kaddio is committed to building secure, transparent, and responsible software in compliance with EU regulation: the GDPR, the EU AI Act, and the Medical Device Regulation (MDR) for Class I devices.

✅ GDPR Compliant

Kaddio fully complies with the GDPR, ensuring data minimization, privacy-by-design, and secure processing. We support user rights such as access, correction, and deletion, and work only with subprocessors under signed Data Processing Agreements (DPAs).

Privacy Policy

✅ EU AI Act Compliant

Kaddio adheres to the EU AI Act by classifying its AI systems by risk, ensuring transparency, and applying human oversight to AI-driven decisions. We maintain documentation and performance monitoring to support trustworthy AI practices.

Compliance Statement

✅ MDR Class I Compliant

Kaddio meets EU MDR Class I requirements with a documented Quality Management System (QMS), post-market surveillance, and technical documentation. Our platform ensures safety and reliability for healthcare applications.

Contact us for a signed Declaration of Conformity (DoC)

🇸🇪 National Health System Provider

Kaddio is approved by Inera to provide health data to the Swedish national health services 1177 and NPÖ (Nationell patientöversikt).

📜 ISO 27001 Alignment

We work in accordance with the ISO/IEC 27001 standard. Kaddio is not yet certified, but aligning with the standard helps us maintain robust information security management practices.

Security

Kaddio employs a multi-layered approach to security, combining battle-tested technologies and best practices to protect your data.

🔐 Encryption at all times

Data is encrypted at rest with AES-256 and in transit with TLS 1.2 or newer (older TLS and SSL versions are not accepted). This protects your information from anyone who obtains the storage media or intercepts network traffic; access through the application itself is governed by the authentication controls below.

🔑 Secure Authentication

Kaddio supports Multi-Factor Authentication (MFA) and several European electronic identification schemes (eIDs), adding a layer of protection beyond passwords so that only authorized users can access sensitive data and systems.

🧑🏽‍🔬 Responsible Disclosure Program

We highly value the contributions of white-hat security researchers and encourage responsible disclosure of vulnerabilities. Please contact us if you identify a security issue; we will do our best to address it promptly, and you may be eligible for a reward.

Contact us

AI Compliance Levels

Kaddio offers a choice of compliance levels for its AI functionality to meet different organizational requirements and regulatory needs. Choose the level that fits your security and data residency requirements for AI processing.

🇸🇪 Sweden Sovereign - Highest Security

The highest level of data sovereignty and security: all AI services are hosted and owned within Sweden. Data never leaves Swedish borders, giving you complete control over data residency and meeting the most stringent local requirements.

🇪🇺 GDPR Compliant - Highest Quality

Processing occurs within Sweden with EU data residency guaranteed. All data processing and storage remain within the European Union, in compliance with the GDPR and EU data protection standards.

🌍 Global - Highest quality for non-EU

Worldwide processing options for organizations with flexible data residency requirements. This level offers access to global infrastructure for optimal performance while maintaining GDPR and EU AI Act compliance.

AI FAQ

Where is data processed?

It's up to you. We acknowledge that privacy and security mean different things to different people. We offer processing on infrastructure in the EU or in the US. Your choice.

Which models and AI services are supported?

Mistral, OpenAI, Whisper, Llama, MedGemma, Claude and others are supported. You choose the region (EU/US), and we select the most suitable models based on your language and the type of task. For transcription and dictation we use OpenAI's Whisper model, which we offer either on OpenAI's infrastructure or on sovereign infrastructure in the EU.

How about the GDPR?

You can use Kaddio AI and remain GDPR compliant by choosing to process all AI within the EU, on infrastructure and data centers owned by EU businesses.

How about the EU AI Act?

Kaddio AI is compliant with the EU AI Act. We classify our AI systems by risk, ensure transparency, and apply human oversight to AI-driven decisions. We maintain documentation and performance monitoring to support trustworthy AI practices.

How about the EU MDR?

Kaddio AI is compliant with the EU MDR Class I requirements. We have a documented Quality Management System (QMS), post-market surveillance, and technical documentation to ensure safety and reliability for healthcare applications.

How about the US CLOUD Act?

Choose our EU infrastructure: no AI data is then processed on US-owned infrastructure, so the CLOUD Act is not a concern for that data.

When you say infrastructure in EU, what do you mean?

We mean that the physical servers are owned by businesses headquartered in the EU. This rules out all US-owned cloud providers such as Amazon, Microsoft, Google, IBM and Oracle, including their EU regions.

I am concerned about AI

Kaddio AI is an opt-in module. If you do not have the module, no AI is used anywhere in Kaddio; the default Kaddio is AI-free.

Are audio recordings from consultations stored?

No. Audio is transcribed in real time during the consultation and is not retained afterwards.

Is my data used to train AI models?

No, we never use your data to train AI models.

Where is data stored and processed?

All transcripts and notes are stored in Europe. We never retain or store any audio recordings.

Who is legally responsible for the clinical documentation?

You are responsible for your data and for verifying the accuracy of your notes. As with any transcription method, human or AI, errors sometimes occur, so we encourage you to review your note drafts before finalizing them.