Security that earns trust, not just compliance
When clinics trust you with patient data, you need more than a checklist. Motics protects patient consultation data across the entire lifecycle — from the moment a consultation is captured to long-term storage and eventual deletion — with encryption, access controls, and continuous monitoring.
Protected at every stage
From the moment a patient speaks to the moment data is deleted, every step is encrypted, logged, and access-controlled. Here is exactly how your data moves through Motics.
Transit
All data in motion is encrypted using TLS 1.3 — the same protection used for online banking. No data moves between systems in plaintext, whether it is consultation audio, clinical notes, or internal service communication.
Processing
AI models process your data in isolated, temporary environments that hold nothing after the job is done. Patient data is not used to train, fine-tune, or improve any model. Once processing completes, input data is discarded.
Storage
Structured outputs are encrypted at rest with AES-256 and stored in the region you choose — UK, EU, or US. Encryption keys are managed by a dedicated key management service, rotated automatically, and not accessible to application code.
Deletion
When you or a patient requests erasure, encryption keys are destroyed — rendering the data permanently unrecoverable, not just flagged for deletion. We process erasure requests in accordance with GDPR Article 17 and provide written confirmation.
Your patient data is not used to train AI
This is the question every clinic asks first, and the answer is unambiguous. Patient data processed by Motics is used solely to deliver the service your clinic requested — nothing else. Contractual agreements with all sub-processors prohibit any other use.
- No model training. Patient data does not enter any training pipeline, fine-tuning process, or feedback loop for any AI model — ours or any sub-processor's.
- Processed and forgotten. AI models run in isolated, temporary environments. Input data is discarded after each request — it is not retained, cached, or logged by model providers under our contractual terms.
- Controlled data processing. Your data is sent to model providers solely for processing the specific request. Contractual agreements with all providers restrict use to service delivery only. A current list of sub-processors is available on our Trust Centre.
- Clinician-in-the-loop. All AI-generated outputs — clinical notes, SNOMED codes, letter drafts — require clinician review and approval before use. The AI creates a draft, and your clinician checks and approves it. Motics assists. It does not decide.
Built for the regulations you face
Compliance is not a feature we bolt on — it shapes how we architect, deploy, and operate the platform. Every control is documented, tested, and auditable.
GDPR
Compliant with UK and EU GDPR. We act as your data processor (your clinic remains the data controller) with a signed Data Processing Agreement that meets Article 28 requirements. Processing is carried out under established lawful bases, and our Trust Centre publishes the current status of all 64+ GDPR controls, our sub-processor list, and downloadable policies.
ISO 27001
Our Information Security Management System is aligned to ISO 27001:2022. We maintain over 100 security controls across asset management, access control, cryptography, operations security, and supplier relationships — all continuously monitored and auditable through our Trust Centre.
HIPAA
We implement the administrative, physical, and technical safeguards required by HIPAA and are prepared to enter into Business Associate Agreements. Data is stored in US-based infrastructure with access controls, audit logging, and encryption at every layer. Our HIPAA controls are documented and available for review.
NHS DTAC
Assessed against the NHS Digital Technology Assessment Criteria covering clinical safety (DCB 0129), data protection, technical security, and interoperability. Our Scribe Agent is a Class I medical device under UK MDR. Assessment evidence and clinical safety documentation are available on our Trust Centre.
Encryption
AES-256 at rest, TLS 1.3 in transit — widely adopted cryptographic standards used across financial services, government, and critical infrastructure. Encryption keys are managed by a dedicated key management service with automatic rotation, and are not accessible to application code.
Data Residency
Your data is stored and processed in the region you choose — UK, US, or EU — from day one. Cross-border transfers do not occur without appropriate safeguards and your authorisation, as detailed in our Data Processing Agreement. All backups remain within the same jurisdiction.
Defence in depth, not a single wall
Security is layered. If any single control fails, others contain the impact. Here is how the layers work together.
Enterprise-grade cloud infrastructure
Hosted on Google Cloud Platform, which maintains SOC 2 Type II certification. Infrastructure is deployed across isolated availability zones with automated failover. GCP's security controls are independently audited and verified annually.
Network segmentation and least-privilege access
Production, staging, and development environments are fully isolated from one another using separate networks and firewall rules. Internal services must authenticate before communicating with one another — there is no implicit trust between components.
Access control and audit logging
Role-based access with mandatory two-factor authentication. Every data access event — read, write, export — is logged with who, what, when, and from where. Audit logs are tamper-resistant and available for your compliance team to review at any time.
Vulnerability management
Independent penetration testing conducted annually. Continuous dependency scanning via GitHub Dependabot catches known vulnerabilities in third-party libraries. Code changes go through mandatory review with automated security checks before reaching production.
Incident response
Real-time application monitoring and alerting across all production services. If a security incident occurs, our documented response plan activates immediately — including notification to affected customers without undue delay in accordance with applicable data protection law, and a full post-incident report detailing root cause, impact, and remediation.
Business continuity and disaster recovery
Automated backups across isolated availability zones with tested disaster recovery procedures. Infrastructure is designed to eliminate single points of failure through multi-zone redundancy and autoscaling.
Security verified every day, not once a year
Annual audits are the minimum. We verify our security posture continuously through automated monitoring across every layer of the platform — from source code to production infrastructure.
Infrastructure monitoring
Google Cloud Platform is continuously monitored for misconfiguration, unauthorised access, and changes that move settings away from our security standards. Firewall rules, access permission policies, storage permissions, and encryption settings are all verified automatically.
Code and dependency security
Every code change is reviewed before merge. GitHub Dependabot scans all dependencies for known vulnerabilities and opens automated pull requests for patching. Branch protection rules enforce mandatory review and passing security checks.
Application monitoring and alerting
Sentry monitors all production services for errors and anomalies in real time, with automated alerting. Cloud Logging provides time-synchronised audit trails across all services for investigation and forensic analysis when needed.
Compliance posture tracking
Our compliance posture across GDPR, ISO 27001, and internal policies is tracked continuously through automated tests. When a control drifts, we are alerted before it becomes a gap. The current status of every control is published on our Trust Centre — a publicly accessible dashboard with real-time control status, downloadable policies, and compliance documentation.
Security & Compliance FAQ
Common questions from compliance teams and clinics
In the region you choose during onboarding — UK, US, or EU. All locations use Google Cloud Platform data centres, which are independently SOC 2 Type II certified, with AES-256 encryption at rest and TLS 1.3 in transit. Backups remain within the same jurisdiction and cross-border transfers do not occur without appropriate safeguards and your authorisation.
Yes. Motics is designed and operated to meet the requirements of UK GDPR and EU GDPR. We act as your data processor (you remain the data controller) and provide a signed Data Processing Agreement that meets Article 28 requirements. We maintain over 60 GDPR-specific controls, continuously monitored and auditable. A current list of sub-processors is available on our Trust Centre.
No. Patient data is not used to train, fine-tune, or improve AI models — ours or any sub-processor's. Data is processed in isolated, temporary environments solely to deliver the service you requested. Once processing completes, input data is discarded. This is enforced through contractual agreements with all model providers, and you can review our data handling practices on our Trust Centre.
We don't rely on annual audits alone. Over 200 security controls across GDPR, ISO 27001, and internal policies are verified continuously through automated testing. Infrastructure is monitored for misconfiguration and drift, dependencies are scanned for known vulnerabilities, and production services are monitored for errors and anomalies with real-time alerting. The current status of every control is published on our Trust Centre.
You can revoke a user's access immediately through the admin panel. Once revoked, the user can no longer access any patient data. A complete audit trail of everything they accessed while active is available for your records. We recommend reviewing user access regularly as part of your compliance process.
Yes. You can export your data at any time. On contract termination, we provide a reasonable period for data retrieval before deletion. Details of the data return and deletion process are covered in our Data Processing Agreement. Contact our team to discuss specific export requirements.
Retention periods are configurable per clinic and can be aligned with your clinical record-keeping requirements. Motics does not impose a minimum retention period and supports deletion on request at any time. When data is deleted, encryption keys are destroyed, rendering the data permanently unrecoverable.
Yes. We offer US-based data residency, are prepared to enter into Business Associate Agreements (BAAs), and implement the administrative and technical safeguards required under HIPAA — including encryption, access controls, and audit logging at every layer. Contact our team to discuss your specific compliance requirements.
We have a documented incident response plan with real-time application monitoring and alerting. As your data processor, we notify you without undue delay of becoming aware of a personal data breach, providing sufficient detail for you to meet your notification obligations under applicable data protection law. After resolution, we provide a full written account of what occurred, the root cause, what data was affected, and the remediation steps taken.
Motics Scribe Agent is a Class I medical device under UK MDR. As a clinical decision support tool that generates draft outputs for clinician review, it does not autonomously diagnose, recommend treatment, or make clinical decisions. All AI-generated outputs require clinician review and approval before use. Clinical safety documentation, including our DCB 0129 clinical safety case, is available on request.
Patient data is encrypted at rest using AES-256 and in transit using TLS 1.3 — widely adopted cryptographic standards used across financial services, government, and critical infrastructure. Encryption keys are managed by a dedicated key management service (Google Cloud KMS) with automatic rotation, and are not accessible to application code.
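The key-handling model described under Storage and Deletion above, and repeated in the retention and encryption answers here, as an added example in Go (not Motics' code): a constructed in-memory stand-in for a managed key service such as Google Cloud KMS seals each patient record under its own AES-256-GCM key, application code never touches key material, and an erasure request destroys the key rather than deleting rows. The key IDs and note text are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KMS is a constructed stand-in for a managed key service (not Motics' or Google Cloud
// KMS's real API); callers only ever see key IDs and ciphertext, never key material.
type KMS struct{ keys map[string]cipher.AEAD }
var errNoKey = errors.New("key unknown or destroyed")
func NewKMS() *KMS { return &KMS{keys: map[string]cipher.AEAD{}} }

// Generate creates a fresh 256-bit key under keyID (for example, one per patient).
func (k *KMS) Generate(keyID string) {
	key := make([]byte, 32)
	rand.Read(key) // never returns an error since Go 1.24 (crashes the program instead)
	block, _ := aes.NewCipher(key)          // cannot fail for a 32-byte key
	k.keys[keyID], _ = cipher.NewGCM(block) // cannot fail for an AES block
}

// Destroy is crypto-shredding: every ciphertext sealed under the key, backups included, is unrecoverable.
func (k *KMS) Destroy(keyID string) { delete(k.keys, keyID) }

// Seal prepends a random nonce and binds keyID as associated data, so a record cannot be opened under another key.
func (k *KMS) Seal(keyID string, plaintext []byte) ([]byte, error) {
	g, ok := k.keys[keyID]
	if !ok {
		return nil, errNoKey
	}
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, plaintext, []byte(keyID)), nil
}

// Open decrypts and authenticates; it fails once the key has been destroyed or the record was tampered with.
func (k *KMS) Open(keyID string, ct []byte) ([]byte, error) {
	g, ok := k.keys[keyID]
	if !ok {
		return nil, errNoKey
	}
	n := g.NonceSize()
	if len(ct) < n {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, ct[:n], ct[n:], []byte(keyID))
}
```

After Destroy, copies of the ciphertext left in backups stay unreadable, which is why erasure by key destruction needs no backup scrubbing.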
* The security measures described on this page reflect our current practices and are subject to our Terms of Service and Data Processing Agreement, which govern in the event of any inconsistency. Security practices are reviewed and updated regularly — for the latest status, visit our Trust Centre.