Trust Center

Your clinic handles sensitive data.
So do we.

When a candidate messages your clinic about a hair transplant, they share personal information. Their name, their phone number, their health concerns. That data is your responsibility. And by extension, it becomes ours.

Anonymization by design

Every conversation processed by EVED is handled through an anonymization-by-design architecture. By the time any data reaches storage, all attributes that could directly or indirectly identify a natural person have been irreversibly dissociated from the conversation content.

This means EVED does not store identifiable patient records. No name, no phone number, no conversation can be traced back to a specific individual within our systems.

Under GDPR Recital 26, information that cannot be attributed to an identified or identifiable natural person falls outside the scope of personal data. EVED's conversation processing is designed to meet this standard.

Your patients' conversations are processed to serve them, not stored to profile them.

Infrastructure and data sovereignty

Private infrastructure

Self-hosted servers. No third-party cloud providers, analytics platforms, or external data processors.

EU data residency

All data stored within the European Union. No personal data transferred outside the EEA.

Zero sub-processors

No third party has access to your clinic's data. Ever.

What this means for your clinic

As a clinic operator, you are the data controller for your patients. EVED acts as your data processor. This relationship is governed by a Data Processing Agreement (DPA) concluded at the time of subscription.

Deploying EVED does not create new compliance exposure for your clinic. The platform is designed so that the data processing it performs on your behalf meets the requirements of the regulations applicable to your market.

Applicable regulations by market

🇪🇺 European Union & UK: GDPR / UK GDPR

Data minimization, purpose limitation, storage limitation, and anonymization by design are built into the platform at the infrastructure level.

🇹🇷 Turkey: KVKK

EVED's anonymization-by-design approach and EU-based infrastructure are consistent with KVKK requirements for cross-border data transfers and processor obligations.

🇸🇦 Gulf (Saudi Arabia, UAE): PDPL / DIFC / ADGM

EU-based infrastructure and anonymization architecture satisfy GCC requirements. Clinics retain full control as data controllers.

🇫🇷 France: CNIL-regulated GDPR

As a French entity regulated by the CNIL, EVED's compliance posture is aligned with the strictest interpretation of GDPR in force in France.

🇱🇧 Lebanon & MENA: Law 81 / Emerging frameworks

EVED's private infrastructure and anonymization-by-design approach are consistent with emerging data protection obligations across MENA.

What EVED does not do

Sell, share, or monetize patient data in any form
Use patient conversations to train AI models for third parties
Transfer data to external analytics platforms
Retain identifiable patient records beyond processing

Your rights as a clinic operator

Request information about the data EVED processes on your behalf
Request correction or deletion of any identifiable data about your clinic or staff
Terminate the DPA and subscription at any time
Receive confirmation that your data has been deleted following termination

Security architecture

End-to-end encryption for all communications
Encryption at rest for all stored data (AES-256)
Private server infrastructure, no external access
Strict internal access controls, authorized personnel only
Regular security audits and vulnerability assessments

No transmission method is completely immune to risk. In the event of a security incident affecting your data, EVED will notify you and the relevant supervisory authority within the timeframes required by applicable law.

Data protection inquiries

For any DPA request, compliance question, or security review:

EVED SAS · 1 Rue de Stockholm, 75008 Paris, France

contact@eved.ai