Compliance

Compliance, subprocessors & retention

Who processes data on our behalf, how long data lives, and how to exercise your rights. This page describes the hosted instance run by the Docuity operator; self-hosted deployments have their own operator and subprocessor choices.

Last updated: 17 July 2026

Subprocessors (hosted instance)

We keep this list short on purpose. The hosted instance uses exactly these third parties:

SubprocessorPurposeData involvedRegion
Amazon Web Services — SESTransactional email (verification codes, magic links, invitations)Recipient email address, message content and delivery metadataus-east-1 (United States)
Anthropic APIAI-assisted note drafting in Galen only — runs only when a user explicitly requests a draftThe note text and images the user submits for drafting; not used to train models; drafts remain drafts until human reviewUnited States
Hetzner OnlineInfrastructure hosting for the hosted Docuity instanceAll application data (encrypted at rest where specified in the security posture)European Union (Germany / Finland)

We will update this page before adding or replacing a subprocessor. Self-hosted deployments send no data to these providers unless the operator configures them.

Retention

DataRetention
Docuity ID sessionsExpire after at most 30 days; revocable immediately from the account page.
Account deletionSoft-deleted immediately, purged permanently after 30 days.
Messages (Docuity Messages)Per-workspace retention, default 365 days; a nightly job purges expired messages. Workspace admins can change the period.
Clinical records (EHR, Rx, Galen)Retained while the owning clinic/practice/chart account is active; deleted with the tenant subject to any legal retention duties of the operator.
Audit logsRetained for the life of the deployment (append-only by design).
Email sending recordsDelivery metadata retained by AWS SES per its policy; we keep only send status.
Public interaction checkerQueries are processed in memory and not stored; only anonymous in-memory rate-limit counters exist, and they reset on deploy.
BackupsDaily database backups; the most recent 7 are kept, then rotated out.

Your rights (GDPR-aligned)

Docuity is built to honor the data-subject rights in the GDPR and similar laws, regardless of where you live:

  • Access & portability — export your account data as JSON from the Docuity ID account page at any time.
  • Rectification — edit your profile in Docuity ID; clinical records follow the medical-record correction rules of the clinic that owns them (addenda and “entered in error” flags rather than silent edits).
  • Erasure — delete your account from the Docuity ID account page; data is purged after the 30-day soft-delete window described above.
  • Consent history — the consents you have granted or revoked are listed, with timestamps, in your account.
  • Objection / restriction / complaint — contact the operator (below); you may also complain to your local supervisory authority.

How to exercise them: use the built-in export and deletion tools first — they are self-service and immediate. For anything else, contact the Docuity operator identified on the About page; we answer within 30 days.

Roles: for clinical data (EHR patients, prescriptions, care records) the clinic, practice, or chart owner is the data controller and the Docuity operator processes on their instructions. For your Docuity ID account, the operator is the controller.

Data processing agreements

Organizations using the hosted instance can request a data processing agreement (DPA) from the Docuity operator; it covers the subprocessor list above, breach notification, and deletion on termination. If you self-host, you are the controller and operator — no DPA with us is needed, and this page's subprocessor list does not apply to your deployment.