Security
Built on trust.
Secure by design.
Journalia was designed from the ground up for healthcare. Every architectural decision prioritises patient data protection, regulatory compliance and clinical trust.
CE Marked
Class I Medical Device
Certified under EU MDR 2017/745 as Class I medical software. Quality management, risk assessment and clinical evaluation.
GDPR
Full compliance
Technical and organisational measures in place. All data processed within the EU/EEA.
HOW WE PROTECT YOUR DATA
Security is not a feature.
It's the foundation.
No audio retention
- Audio is not stored — it is transcribed in real time, then immediately discarded
- Transcription data is automatically deleted after processing
- Patient data is not used to train AI models
- Configurable retention policies for your organisation
End-to-end encryption
- AES-256 encryption at rest, TLS 1.3 in transit
- User-level encryption — only you can access your patients' data
- All processing and storage within EU/EEA infrastructure
SAML & SSO
- SSO for organisations via SAML 2.0 and OpenID Connect
- Multi-factor authentication enforced for all accounts
- Role-based access control and audit logging
CE MARKING
What does the CE marking mean?
Journalia is CE-marked as Class I medical software under the EU MDR (Medical Device Regulation 2017/745). This means the product meets EU requirements for safety, performance and quality for medical devices.
As a CE Class I device, Journalia is a pure documentation tool without clinical decision support. The system automates note-writing, but the treating clinician retains full responsibility for the clinical content.
PRIVACY
How does Journalia protect privacy?
Journalia is built with a strong focus on European privacy law. We comply with the GDPR and applicable health-sector information-security standards.
Transcription happens in real time, and no audio recordings are stored. Only the treating healthcare professional can access the generated note, which is automatically deleted after 48 hours.
We limit usage to transcription and documentation without clinical decision support.
Key safeguards
- Real-time transcription without storing audio
- Access limited to the treating healthcare professional
- Automatic deletion of all data after 48 hours
- Use scoped to documentation, not clinical decision support
RESPONSIBLE USE
How do you put responsible use into practice?
Under EU data-protection guidance, patients must be informed when artificial intelligence is used during the consultation. Journalia recommends informing patients verbally and through an information poster in the waiting room.
Suggested wording
“I'm going to use a transcription tool that writes a summary of our session afterwards. The result is that I can update your medical record faster and in more detail. Everything is handled in accordance with the GDPR, and access is limited to me as your clinician. Audio is not stored, and the written summary is permanently deleted within 48 hours.”
COMPLIANCE DOCUMENTS
Transparency by default.
We believe in full transparency around our security practices. All compliance documentation is available for review, no NDA required.
FAQ
Frequently asked questions
No. Journalia does not store audio recordings. Audio is streamed and transcribed in real time during the consultation; the audio stream is immediately discarded and never saved on any server or device. Only the text transcript and generated note are temporarily stored, and these are permanently deleted within 48 hours.
No. Patient data is not used to train or improve AI models. This is a firm commitment. All clinical data is permanently deleted within 48 hours and is not accessed, analysed or used for any purpose beyond generating your clinical note. Our AI models are trained using separate, anonymised datasets.
We have a documented incident response plan. For notifiable incidents we inform affected customers without undue delay and within 72 hours, as required by the GDPR. We have a named DPO as a single point of contact for both customers and supervisory authorities.
No. All processing takes place with sub-processors located within the EU/EEA. We maintain an openly available list of all sub-processors — you can request it without an NDA.
CE marking under the EU Medical Device Regulation (MDR) means Journalia has been evaluated and meets European standards for safety, quality and clinical performance as medical software. Unlike general AI tools, CE-marked medical devices are subject to rigorous requirements including clinical evaluation, risk management, quality management systems and ongoing post-market surveillance. This gives you confidence that the tool has been validated for clinical use.
Journalia holds CE marking as a Class I medical device under the EU MDR and maintains full compliance with the GDPR. We conduct regular third-party security audits and penetration tests.
Yes. We provide ready-made data-protection impact assessment (DPIA) templates tailored to using Journalia and review them together with your data protection officer. This is included in institutional and municipal packages.
Questions about security?
Our team is happy to walk you through our security architecture, compliance certifications and data-protection measures.