EvidAIEvidAI
Back to Home
7 min read

Data Residency & Privacy

GDPR, HIPAA, and regional data sovereignty compliance

Data Residency & Privacy

EvidAI provides flexible data residency options and comprehensive privacy controls to meet global regulatory requirements.

Data Residency Options

Available Regions

RegionLocationUse Case
US EastVirginia, USAUS-based organizations, FDA submissions
US WestOregon, USAUS backup, disaster recovery
EU WestIrelandGDPR compliance, EMA submissions
EU CentralFrankfurtGerman data sovereignty requirements
UKLondonUK MHRA, post-Brexit compliance
APACSydneyAustralian TGA, regional requirements

Data Isolation Guarantee

Your Data Stays Put: When you select a region, ALL your data—documents, decisions, audit trails, backups—remains in that region. No exceptions.

GDPR Compliance

Data Subject Rights

EvidAI fully supports GDPR data subject rights:

RightImplementation
AccessSelf-service data export
RectificationEdit personal data anytime
ErasureAccount deletion with data purge
PortabilityStandard format exports
RestrictionSuspend processing on request
ObjectionOpt-out of non-essential processing

Data Processing

CategoryLegal BasisRetention
Account DataContractAccount lifetime + 30 days
Review DataContractCustomer-defined
Audit LogsLegal obligation7 years minimum
AnalyticsLegitimate interest2 years

Data Processing Agreement

Enterprise customers receive a comprehensive DPA:

  • Sub-processor list
  • Technical and organizational measures
  • Breach notification procedures
  • Audit rights
  • Transfer mechanisms (SCCs)

HIPAA Compliance

Protected Health Information

For customers handling PHI in systematic reviews:

RequirementEvidAI Implementation
Access ControlsRole-based, MFA required
Audit ControlsComprehensive logging
Integrity ControlsChecksums, immutable logs
Transmission SecurityTLS 1.3 mandatory
EncryptionAES-256 at rest

Business Associate Agreement

BAA available for all Enterprise plans:

  • Covers all EvidAI services
  • Includes sub-processor coverage
  • Annual renewal and review
  • Breach notification within 24 hours

Data Classification

Sensitivity Levels

LevelDescriptionHandling
PublicPublished studies, public databasesStandard protection
InternalReview protocols, team discussionsEncrypted, access-controlled
ConfidentialUnpublished data, commercial studiesEnhanced encryption, audit
RestrictedPatient data, proprietary methodsMaximum protection, PHI controls

Automatic Classification

DOCUMENT CLASSIFICATION: Detected

File: "Phase3_Trial_Results_Confidential.pdf"

AI Classification: CONFIDENTIAL
├── Reason: Contains "confidential" marker
├── Additional signals: Unpublished trial data detected
└── Recommended handling: Enhanced audit logging

Manual Override: [Accept] [Downgrade] [Upgrade to Restricted]

International Transfers

Transfer Mechanisms

DestinationMechanismStatus
EU → USEU-US Data Privacy Framework✅ Certified
EU → UKUK Adequacy Decision✅ Covered
EU → OtherStandard Contractual Clauses✅ Available
Within RegionNo transfer✅ Default

Transfer Impact Assessment

For sensitive transfers, EvidAI provides TIA documentation:

  • Destination country assessment
  • Supplementary measures implemented
  • Risk analysis
  • Safeguard effectiveness

Backup & Recovery

Backup Architecture

Backup TypeFrequencyRetentionLocation
ContinuousReal-time7 daysSame region
DailyEvery 24h30 daysSame region
WeeklyEvery 7 days90 daysSame region
MonthlyEvery 30 days1 yearSame region
AnnualYearly7 yearsSame region (archive)

Disaster Recovery

MetricTargetActual
RPO (Recovery Point Objective)1 hour< 15 minutes
RTO (Recovery Time Objective)4 hours< 2 hours
Availability99.9%99.95%

Privacy by Design

Data Minimization

We collect only what's necessary:

Data TypeCollectedPurpose
EmailYesAuthentication, notifications
NameYesDisplay, audit trails
OrganizationYesBilling, access control
Usage AnalyticsAnonymizedProduct improvement
Review ContentYesCore service
LocationNoNot collected
Device IDSession onlySecurity

Anonymization Options

For research and analytics:

  • De-identified exports available
  • Aggregate statistics only
  • Individual data never shared
  • Opt-out of all analytics

Privacy First: EvidAI will never sell your data or use your review content for any purpose other than providing our service to you.

Did this article help?
Still stuck?