Effective Date: 17-04-2026
DRPAL GMBH
Dammstrasse 16
6300 Zug
Switzerland
Website: drpal.ai
Privacy contact: privacy@drpal.ai
Appointed DPO: Meisa Hayali
DrPal is designed around privacy-by-design, security-by-design, and responsible AI governance principles. Because our platform may process health-related and other sensitive information, we aim to apply risk-based controls appropriate to the nature of the data and services involved.
Our governance model focuses on:
• clearly defined internal privacy and security accountability;
• documented rules for data retention and deletion;
• role-based access controls and restricted data access;
• vendor and sub-processor governance;
• review of higher-risk data and AI workflows;
• transparency around how data is used and protected.
DrPal’s privacy program is designed to support compliance with applicable data protection obligations, including GDPR-aligned transparency, rights handling, retention governance, and cross-border transfer controls.
Our privacy program includes, where applicable:
• records of processing activities;
• retention and deletion governance;
• procedures for handling data subject rights requests;
• sub-processor review and contractual controls;
• access management controls;
• privacy review of new or modified processing activities;
• risk assessment and impact assessment practices for higher-risk processing.
DrPal applies technical and organizational safeguards intended to protect the confidentiality, integrity, and availability of personal data.
These safeguards may include:
• encryption in transit;
• encryption at rest;
• least-privilege and role-based access controls;
• authentication and account security controls;
• security logging and monitoring;
• backup and recovery measures;
• incident response procedures;
• vendor security review and contractual controls;
• configuration review and change management practices.
DrPal aims to maintain safeguards aligned with recognized healthcare privacy and security expectations. HIPAA itself applies only in specific legal contexts, namely to covered entities and their business associates; a health application is not automatically subject to HIPAA in every setting.
For enterprise or healthcare-partner arrangements, DrPal can assess whether a Business Associate Agreement or equivalent contractual safeguards are appropriate for the specific deployment.
DrPal applies governance measures to AI-enabled workflows to support accountability, reliability, and controlled handling of sensitive information.
Our AI governance principles include:
• defined purposes for AI use cases;
• review of data flows involving sensitive information;
• restrictions on access to health-related content;
• vendor oversight and contractual confidentiality;
• documentation of risk, safeguards, and internal oversight;
• review of higher-risk AI use cases;
• user-facing disclosure regarding the role and limitations of AI outputs.
Where applicable, DrPal seeks to minimize identifiable health data usage for internal evaluation and to apply de-identification, minimization, and contractual restrictions when working with service providers.
A core aspect of DrPal’s architecture is continuity of information over time. Questions asked, reports uploaded, documents shared, and interactions recorded in the platform may be time-stamped and organized chronologically so the system can better support structured history review, continuity, and longitudinal health insights.
This design supports a more coherent user record and may improve the platform’s ability to identify patterns, trends, and preventive signals over time.
DrPal manages third-party providers through a governance process that may include:
• security and privacy due diligence;
• contractual data protection obligations;
• confidentiality requirements;
• scoped access permissions;
• periodic necessity and risk review.
DrPal maintains retention and deletion practices designed to align storage periods with service needs, continuity features, legal obligations, and user rights. This includes governance for user content, logs, support records, and financial or transactional records.
DrPal is actively developing and formalizing its assurance and governance posture, including readiness and certification efforts related to security, privacy, and responsible AI frameworks.
Current initiatives may include:
• SOC 2 readiness / attestation process;
• ISO/IEC 27001 readiness / certification process;
• ISO/IEC 42001 readiness / governance alignment process.
References to these initiatives describe current program status and should not be interpreted as completed certification unless expressly stated.
For privacy, security, or governance-related questions, contact:
privacy@drpal.ai