Security & Data Protection

Built for special-category health data from day one.

Consent first

Explicit patient consent is required before any consultation is analysed. Consent is captured before the patient arrives via a secure link, and recorded in an immutable audit log.

Encryption

All data is encrypted in transit and at rest. Consultation audio is stored in encrypted, clinic-isolated storage.

Tenant isolation

Every clinic's data is strictly segregated with row-level security, enforced server-side and covered by automated regression tests.

No human at Altora reads your consultations

Our systems — including our own internal admin tools — are structurally prevented from accessing patient identity, transcripts, or clinical content. Admin access is limited to business metadata only, and every access is logged.

Role-based access

Practitioners, reception and managers each see only role-appropriate data, enforced at the database layer.

Retention & deletion

Configurable retention policies per clinic, complete deletion including audio, and deletion events are logged.

Audit logging

Append-only logs of system and administrative actions.

Subprocessors

We use AssemblyAI (transcription), Anthropic (analysis), Supabase (database and storage) and Vercel (hosting). Data processing agreements and international transfer safeguards are managed with each.

Altora is built to UK GDPR standards. We support clinics in meeting their obligations to patients under UK data protection law.
Questions about security or data protection? privacy@altora-ai.co.uk