Built for the people who have to say yes.

PulseMD is not an EHR and does not require access to your EHR or structured personal and special category data to operate. Signals are minimized, de-identified and aggregated. We execute a Data Processing Agreement with every customer, handle any incidental personal and special category data under full UK GDPR and the Data Protection Act 2018 safeguards, and never use personal and special category data to train models.

We state our true current posture, for example, “ISO 27001 (report available under NDA)”, and never display a certification we don’t hold. Additional attestations are on the roadmap as each market requires.

Encryption in transit and at rest, UK data residency, defined retention, and role-based access control with SSO. The specifics are documented in the evidence pack and confirmed before publication.

Models support leadership pattern-spotting with a human in the loop on any action. No personal and special category data is used to train models, and AI-specific terms are covered in a Data Processing Agreement.

Individual signals are minimized, de-identified and aggregated into unit- and theme-level patterns. PulseMD never identifies, tracks or scores an individual, with re-identification safeguards by design.

A current sub-processor list is maintained for procurement review. Because PulseMD doesn’t need the EHR or structured personal and special category data to do its job, the data it touches, and the risk it carries, is deliberately small.