Data Privacy & Security Q&A

Data Privacy & GDPR

  • datascalehr acts as a data processor. Customers are the data controllers responsible for determining purposes and means of processing personal data. datascalehr provides technical and organizational measures to ensure GDPR compliance.

  • datascalehr processes whatever personal data customers choose to upload to the platform. As the data processor, datascalehr does not determine what personal data gets processed – this is decided by customers as the data controllers.

  • datascalehr respects all data subject rights under GDPR including the right to access, rectify, erase, restrict, object to, or port personal data. When datascalehr receives a direct request from a data subject, it forwards the request to the customer (data controller).

Data Security & Encryption

  • datascalehr uses AES-256 for data at rest and database-level encryption, and TLS 1.2 for data in transit. Field-level (column-level) encryption using the AES-256-GCM algorithm is available for all fields and tables for additional PII protection.

  • Encryption key management is provided using AWS Secrets Manager, with keys kept separate from database dumps.

  • No. Each datascalehr customer receives their own database instance on AWS. There is no sharing of data between clients.

  • Only authorized client users listed in the application’s user management screens can access the system. Technical access by datascalehr requires explicit written request from the data owner and is under strict administrative controls.

Data Ownership & Retention

  • Customers are the data owners and data controllers. datascalehr acts only as a data processor on behalf of customers.

  • datascalehr deletes all client data from online systems 30 days post contract termination. Completed reports are maintained based on jurisdictional audit requirements. Customers control field-level data retention policies.

  • datascalehr relies on AWS to securely delete data from physical media when devices are replaced or recycled, following AWS compliance protocols for secure data deletion.

KMod™/AI & Data Privacy

  • KMod™ is datascalehr’s proprietary knowledge model that provides intelligent suggestions for data processing tasks. It contains only contextual, categorization, and behavioral information – no confidential data.

  • Four categories: Confidential (internal only), Header (internal + external LLM), Contextual (internal + external LLM), and Behavioral (internal only + external LLM). Confidential data never leaves the datascalehr environment.

  • No. datascalehr uses multiple LLMs including those from Anthropic, OpenAI, Mistral and Meta for certain analyses, but only sends header and contextual data. No confidential client data is ever sent to external systems.

  • When KMod™ knowledge is shared across datascalehr systems for industry insights, all information that could identify the source is stripped away.

Data Breach Response

  • datascalehr follows a formal breach notification protocol, promptly investigating incidents, taking mitigation steps, and notifying affected individuals and authorities as required by applicable laws.

  • Any potential data breach must be immediately reported to Luke Zawadzki, VP Engineering, at luke.zawadzki@datascalehr.com.

Compliance & Third Parties

  • Yes. Siemens AG and Amazon Web Services (AWS).

  • datascalehr complies with GDPR (EU, UK, Swiss), and applicable US data protection laws including HIPAA, COPPA, GLBA, FCRA, FERPA, and CCPA.

  • datascalehr is built on the Mendix platform (a Siemens subsidiary), which provides enterprise-grade security with ongoing compliance audits and certifications, including ISO 27001 and SOC 2 compliance.

  • Upon request, datascalehr provides third-party certifications, audit reports, and compliance summaries. Additional information is available to supervisory authorities when required.