Notora Med: The voice of records

Trust and security.

Plain English. No marketing copy.

Where data lives.

All data uploaded to Notora Med is stored in the AWS London region (eu-west-2), operated by Amazon Web Services EMEA SARL. Storage and document processing (OCR and text extraction) take place in the UK. The AI inference step runs through Amazon Bedrock's EU inference profile, which may process the request transiently in another European Economic Area region before the result returns to London. No data is stored or processed outside the UK or the EEA at any point. UK-to-EEA processing is lawful under UK adequacy regulations and the EU's adequacy decision for the UK, and Bedrock is configured for zero data retention.


Encryption.

Data is encrypted in transit using TLS 1.3 with modern cipher suites. Data at rest is encrypted using AES-256. Encryption keys are managed via AWS Key Management Service (KMS) with audit logging through AWS CloudTrail. Customer-managed keys are available on request for enterprise customers.


Compliance and certifications.

  • UK GDPR and Data Protection Act 2018 compliant. Lawful basis for processing relies on the instructing party's Article 6(1)(f) legitimate interests (the conduct of litigation), with Article 9(2)(f) (establishment, exercise or defence of legal claims) and the corresponding condition in DPA 2018 Schedule 1 Part 2 paragraph 33 for special category data.

  • Information Commissioner's Office registration in progress. Number published when issued.

  • AWS Data Processing Addendum (DPA) executed.

  • SOC 2 Type 1 audit in progress. Target completion Q3 2026.

  • Cyber Essentials Plus certification targeted Q4 2026.

  • Professional indemnity insurance in place ahead of pilot launch.

  • Data Protection Impact Assessment (DPIA) completed prior to pilot launch.


What happens to your records.

Bundles you upload to Notora Med are processed under your account. The structured output is returned to you. We retain bundles only as long as your active case requires, with a default retention window agreed in your Data Processing Agreement. We delete on request. We do not train AI models on your data. We do not share your data with third parties for any commercial purpose. Subprocessor changes are notified in advance with the right to object.


Information collected via this website.

The Notora Med website (notoramed.co.uk) does not capture personal data through forms. There is no contact form. The application itself stores nothing about visitors beyond standard server access logs.

Booking is handled by Cal.eu. The /contact page links out to the booking page on Cal.eu; the booking process takes place entirely on Cal.eu's domain in a new tab. When you book a conversation, your name, email address, and chosen time are processed by Cal.eu under their UK GDPR-compliant terms. Notora Med servers do not store, route, or log that booking data.

Email enquiries sent via the mailto: link on the /contact page open in your own email client and are delivered to the founder's mailbox over standard SMTP. Those messages do not traverse Notora Med servers; they travel from your mail provider to ours, in line with how any direct email exchange works.

Anonymous, aggregate website analytics (Plausible) load only after explicit opt-in via the cookie banner. No cookies are set without consent except the first-party cookie that records your consent choice itself. We do not use Google Analytics or any cross-site tracking pixels.


Subprocessors.

Subprocessor: Amazon Web Services EMEA SARL
Purpose: Product infrastructure and OCR (medical record processing).
Region: eu-west-2 (London)

Subprocessor: Specialist foundation model provider
Purpose: Product AI inference, configured for zero data retention, routed via UK / EU endpoint.
Region: UK / EU

Subprocessor: Cal.com (cal.eu, EU-hosted instance)
Purpose: Booking link on the /contact page. When a visitor clicks through to book a conversation, their name, email, and chosen time are processed by Cal.eu under their UK GDPR-compliant terms. Notora Med servers do not store, route, or log that booking data; the link sends the visitor directly to Cal.eu.
Region: EU (data residency confirmed under cal.eu terms).

Subprocessor: Plausible Analytics
Purpose: Anonymous, aggregate website analytics. Loaded only after explicit opt-in via the cookie banner. No personal identifiers, no cross-site tracking.
Region: EU

Subprocessors fall into two groups. Product subprocessors (such as AWS and our language model provider) process the medical records you upload, to support text extraction, document structuring, and drafting. The clinical reasoning and report sign-off remain with the instructed expert. Website subprocessors (such as our booking provider) handle only routine visitor data and never receive medical records.


Data Processing Agreement and Data Sharing Agreement.

Notora Med provides a standard Data Processing Agreement (DPA) compliant with UK GDPR Article 28. We are willing to sign your firm's standard DPA on review. A Data Sharing Agreement (DSA) template is available on request for medicolegal agency deployments. Both documents are available at trust@notoramed.co.uk.


Incident response.

In the event of any security incident affecting customer data, we notify affected customers without undue delay and within 72 hours of becoming aware, in line with UK GDPR Article 33. The Information Commissioner's Office is notified within the same window where required. Our incident response process is documented and available for customer audit on request.


Court admissibility.

Notora Med outputs are designed to support, not replace, the medical expert's report. All AI-generated structured content cites the source page in the underlying records. The expert remains responsible for verifying every claim before incorporating it into a report compliant with Civil Procedure Rules Part 35. Audit logs of all AI-generated content and expert-edited outputs are retained for the case duration to support disclosure obligations.


Trust contact.

For security, compliance, or audit enquiries: trust@notoramed.co.uk. We respond within one working day.