GDPR Art. 35 · Internal document

Data Protection Impact Assessment

Formal DPIA for PISUM radiology reporting software. Covers all processing activities involving personal and special-category health data.

Version 1.0 · May 2026 · GDPR Art. 35

01 Context & necessity of DPIA

PISUM is a Windows desktop application for radiology reporting used by radiologists, technicians, and healthcare secretaries. It processes personal data in the context of medical imaging, a field that involves special-category health data under GDPR Art. 9.

Why a DPIA is mandatory

A DPIA is required under GDPR Art. 35(1) when processing is "likely to result in a high risk to the rights and freedoms of natural persons"; Art. 35(3)(b) names large-scale processing of Art. 9 data as one such case. The following criteria from the WP29 Guidelines on DPIA (WP248 rev.01, endorsed by the EDPB) apply to PISUM:

  • Special category data (Art. 9) — voice audio streams may include dictated medical information about patients.
  • Large-scale processing — PISUM targets clinics and hospitals processing hundreds to thousands of reports per month.
  • Innovative technology — AI voice dictation (Deepgram) and AI text enhancement (Gemini) are newly deployed in a medical context.
  • Third-country transfer — voice audio is transferred to Deepgram (USA) under Art. 49(1)(a).
Legal basis for this DPIA. GDPR Art. 35(1): "Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment."

Scope

This DPIA covers all three processing activities (PA) identified in PISUM v2.x:

  • PA-1 — Account and subscription data management (Supabase)
  • PA-2 — Voice dictation audio processing (Deepgram)
  • PA-3 — Local patient database (SQLite, on-premises)

02 Processing activities overview

ID | Activity | Controller | Processor | Location | Data category | Initial risk
PA-1 | Account & license management | PISUM | Supabase, Inc. | EU (eu-west-1) | Personal (non-health) | LOW
PA-2 | Voice dictation transcription | PISUM | Deepgram, Inc. | USA (audio sent), transcript returned to EU | Personal, potentially health-adjacent | HIGH
PA-3 | Local patient data storage | PISUM user (institution) | None (local) | On-premises workstation | Special category, health data (Art. 9) | MEDIUM

03 PA-1 — Account & subscription data (Supabase)

Description

PISUM uses Supabase (PostgreSQL, hosted in eu-west-1 / Ireland) to manage user accounts, authentication tokens, license keys, and subscription status. Data stored: full name, professional email, hashed password (managed by Supabase Auth), license key, OS version, subscription tier, and last login timestamp.

Legal basis

GDPR Art. 6(1)(b) — processing necessary for performance of a contract (software license agreement).

Risk analysis

Threat | Likelihood | Severity | Risk level | Mitigation
Unauthorized access to Supabase database | Low (Supabase SOC 2 Type II) | Medium (professional data, no health data) | LOW | Row-level security (RLS), JWT auth, EU hosting
Email enumeration / account takeover | Low | Medium | LOW | Supabase rate limiting, email confirmation, Fernet-encrypted local token storage
Data breach at Supabase (sub-processor) | Very low | Medium | LOW | SCC 2021/914 in place; Supabase notifies controller within 72h per DPA

Mitigations implemented

  • Supabase hosted exclusively in EU (eu-west-1 / Ireland) — no third-country transfer required.
  • Row-Level Security (RLS) policies: each user can only access their own profile row.
  • Local auth tokens encrypted with Fernet (AES-128-CBC + HMAC-SHA256) before being written under %APPDATA%. Check: the Fernet key must not sit beside the ciphertext; it has to be wrapped with a secret an attacker does not obtain together with the file (e.g. Windows DPAPI in the user's scope), otherwise the encryption only hides the token from casual reading.
  • Supabase has signed Standard Contractual Clauses (SCC 2021/914) — DPA in place.
  • Retention: account data deleted within 30 days of subscription termination upon request.
Residual risk: LOW. No health data is processed in PA-1. EU hosting keeps the data at rest in the EU, and the SCCs cover any remote access by Supabase, Inc. as a US entity. RLS and token encryption reduce unauthorized access risk to acceptable levels.

04 PA-2 — Voice dictation (Deepgram)

Description

When voice dictation is activated, PISUM streams real-time audio from the user's microphone to Deepgram, Inc. (San Francisco, CA, USA) over WebSocket Secure (WSS, TLS 1.3). Deepgram processes the audio with the Nova-2 Medical model and returns a text transcription. Per Deepgram's stated policy, the audio is not retained after transcription. No patient identifiers are included in the audio unless the user dictates them.

Legal basis

GDPR Art. 49(1)(a): explicit consent to the third-country transfer, given after the user has been informed of its possible risks. A dedicated consent dialog discloses the risks identified in this section (including the Deepgram benchmarking risk) before the first activation. Consent is stored locally with a timestamp and the version of the dialog text, so that consent given against an older disclosure can be recognized.

The benchmarking risk — specific threat

⚠ Identified high risk: Deepgram benchmarking sharing. Deepgram's data processing policy permits sharing audio recordings with "industry peers" (competitor companies) for model benchmarking and evaluation purposes. Medical audio may include terminology that, in context, is health-adjacent. This represents a material risk that audio could be accessed by third parties outside the DPA relationship.

Status: Risk disclosed in consent dialog (v1.1) and in this DPIA. PISUM is seeking a DPA with Deepgram (security@deepgram.com) that explicitly restricts processing to core service delivery and prohibits benchmarking sharing. Until DPA is signed, users must be warned and must actively consent.

Risk analysis

Threat | Likelihood | Severity | Risk level | Mitigation
Audio interception in transit | Very low | High (medical content) | LOW | WSS/TLS 1.3 encryption for all audio streams
Deepgram storing audio beyond transcription | Low (per Deepgram policy) | High | MEDIUM | Deepgram policy: immediate deletion post-transcription. Audit via DPA.
Deepgram sharing with industry peers (benchmarking) | Medium (policy allows it without DPA) | High (medical audio) | HIGH | Explicit consent disclosure; DPA negotiation in progress; manual entry alternative provided
Patient identifiers dictated into audio | Medium (user behavior) | Very high (Art. 9 data) | HIGH | In-app warning; consent dialog explicitly warns users not to dictate identifiers; SCC in place
Deepgram data breach (USA) | Low | High | MEDIUM | SCC 2021/914 + explicit consent (Art. 49(1)(a)); Deepgram deletes audio immediately

Mitigations implemented

  • Voice dictation disabled by default. Cannot be activated without explicit Art. 49(1)(a) consent.
  • Consent dialog (v1.1) fully discloses: Deepgram (USA), SCC, benchmarking risk, right to withdraw, manual alternative.
  • Consent can be withdrawn at any time from Settings → Privacy, without affecting prior processing.
  • Audio streamed over WSS/TLS 1.3 — encrypted in transit.
  • Deepgram Nova-2 Medical model: audio deleted immediately after transcription per Deepgram policy.
  • Manual text entry available as a zero-transfer alternative.
  • DPA negotiation pending with Deepgram (security@deepgram.com) to restrict benchmarking sharing.
Residual risk: MEDIUM (pending DPA). The benchmarking sharing risk remains MEDIUM until a DPA is signed with Deepgram that explicitly prohibits sharing with third parties for benchmarking. Once signed, residual risk drops to LOW. Current mitigation: explicit user consent with full risk disclosure.

05 PA-3 — Local patient database (SQLite)

Description

PISUM stores radiology reports, patient metadata (name, date of birth, patient ID, study date, modality), and report history in a local SQLite database on the user's workstation. This database holds special-category health data under GDPR Art. 9. The institution (clinic/hospital) is the controller for this processing. The PISUM vendor has no access to the database and is therefore not a processor for PA-3 (consistent with the overview table); the software is a tool operated under the institution's control.

Legal basis

GDPR Art. 9(2)(h) — processing necessary for the provision of health care by healthcare professionals subject to professional secrecy obligations.

Risk analysis

Threat | Likelihood | Severity | Risk level | Mitigation
Unauthorized local access (stolen workstation) | Medium | Very high (Art. 9 health data) | HIGH | AES-256-GCM database encryption; Windows login required; role-based access control
Unauthorized network access | Low (local-only architecture) | Very high | LOW | No network exposure; database never leaves local filesystem
Insider access by unauthorized user | Medium | High | MEDIUM | Role-based access (admin/radiologist/technician/secretary); audit log for all accesses
Data loss (hardware failure, ransomware) | Medium | High | MEDIUM | Export to PDF/DICOM SR; institution responsible for backup (HIPAA §164.308(a)(7)); PISUM does not manage backups
Residual data in deleted records | Low | Medium | LOW | SQLite PRAGMA secure_delete=ON; WAL journal cleared on close

Mitigations implemented

  • AES-256-GCM encryption at rest for the SQLite database file. Check: the -wal and -shm side files and any SQLite temporary files hold plaintext pages unless they are covered by the same mechanism, so the encryption boundary must include them, not only the main file.
  • PRAGMA secure_delete=ON: freed cell space inside the database file is overwritten with zeros when rows are deleted, so the main file keeps no remnant of deleted records.
  • WAL mode (Write-Ahead Logging) for crash safety. Caveat: the WAL holds full page images, including the pre-delete version of a page, and secure_delete does not scrub it; truncating or deleting the -wal file on close removes the file name, not the disk blocks. Checkpointing on close and keeping the WAL inside the encryption boundary are what make this safe.
  • Role-based access control enforced at the application layer: secretaries do not have access to all patient records; roles are assigned by the admin.
  • Audit log, stored in the encrypted database, records all data access events (who, what, when).
  • Session lifetime bound to the running application: exit revokes the session and the next launch requires re-authentication.
  • Foreign keys enabled (PRAGMA foreign_keys=ON): referential integrity means a report row cannot exist without its patient row, so deleting patients cannot leave orphaned health data behind.
Residual risk: LOW-MEDIUM. The primary residual risk is physical theft of the workstation, mitigated by AES-256-GCM encryption: a stolen disk is unreadable without the key. This holds only if the key cannot be recovered from the same disk, i.e. it is derived from the user's Windows credentials (DPAPI) or protected by the TPM rather than stored in a file next to the database; the key-management design is therefore part of this control. Backup responsibility lies with the institution per its own data management policy.
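The secure_delete and WAL points in the list above can be checked directly. The following is an added example, not PISUM's code, using only the Python standard library and a constructed patient record: it deletes a committed row and scans the raw files for the record's bytes with secure_delete off and on, then repeats the exercise in WAL mode to show that the pre-delete page image remains in the -wal side file until a checkpoint.

```python
"""Data-remanence check for SQLite deletes under secure_delete, with and without WAL.

Added example, not PISUM's own code. Standard library only; the patient record
is constructed for the demo. One row holding MARKER is committed and deleted,
then the raw database and -wal files are scanned for the marker bytes.
"""
import os
import sqlite3
import tempfile

MARKER = b"Jane Q. Doe 1971-03-14"  # constructed; any distinctive byte string works


def _insert_then_delete(conn: sqlite3.Connection) -> None:
    """Commit one row containing MARKER, then delete it by key and commit again."""
    conn.execute("CREATE TABLE patient (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.execute("INSERT INTO patient (name) VALUES (?)", (MARKER.decode(),))
    conn.commit()
    conn.execute("DELETE FROM patient WHERE id = 1")
    conn.commit()


def _file_contains(path: str, needle: bytes) -> bool:
    """True if the raw file at path contains needle; False if the file does not exist."""
    if not os.path.exists(path):
        return False
    with open(path, "rb") as fh:
        return needle in fh.read()


def marker_survives_in_db(secure_delete: bool) -> bool:
    """Rollback-journal mode: does MARKER remain in the main database file after the delete?

    With secure_delete OFF the freed cell keeps its bytes; with ON it is zeroed.
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "pisum.db")
        conn = sqlite3.connect(path)
        conn.execute(f"PRAGMA secure_delete={'ON' if secure_delete else 'OFF'}")
        conn.execute("PRAGMA journal_mode=DELETE")
        _insert_then_delete(conn)
        conn.close()  # the -journal file is gone after commit; only the .db remains
        return _file_contains(path, MARKER)


def marker_in_wal_then_db(secure_delete: bool = True) -> tuple:
    """WAL mode: (marker present in -wal before checkpoint, marker present in .db after)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "pisum.db")
        conn = sqlite3.connect(path)
        conn.execute(f"PRAGMA secure_delete={'ON' if secure_delete else 'OFF'}")
        conn.execute("PRAGMA journal_mode=WAL")
        _insert_then_delete(conn)
        # Committed pages sit in pisum.db-wal until a checkpoint copies them into pisum.db.
        # The frame written by the INSERT still holds the row; secure_delete never touches it.
        in_wal = _file_contains(path + "-wal", MARKER)
        conn.execute("PRAGMA wal_checkpoint(TRUNCATE)")  # copy pages back, truncate the WAL
        conn.close()
        return in_wal, _file_contains(path, MARKER)


if __name__ == "__main__":
    print("secure_delete=OFF, marker left in .db:", marker_survives_in_db(False))
    print("secure_delete=ON,  marker left in .db:", marker_survives_in_db(True))
    wal, db = marker_in_wal_then_db(True)
    print("secure_delete=ON + WAL: marker in -wal before checkpoint:", wal, "| in .db after:", db)
```

Some distribution builds of SQLite (Debian's, for one) are compiled with SQLITE_SECURE_DELETE so the pragma defaults to ON; the example sets it explicitly so both cases are visible. The WAL result is the reason the side files must sit inside the at-rest encryption boundary rather than being merely deleted on close.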

06 Risk summary

Processing activity | Initial risk | Key mitigation | Residual risk | Action required
PA-1: Account data (Supabase EU) | LOW | EU hosting, RLS, SCC, Fernet tokens | LOW | None
PA-2: Voice dictation (Deepgram USA), transit & storage | HIGH | WSS/TLS 1.3, immediate audio deletion, explicit consent | LOW (transit) / MEDIUM (storage, until deletion is auditable under the DPA) | Covered by the Deepgram DPA (in progress)
PA-2: Voice dictation, benchmarking sharing | HIGH | Full risk disclosure in consent dialog; manual alternative | MEDIUM | Sign DPA with Deepgram (in progress)
PA-3: Local database (workstation) | MEDIUM | AES-256-GCM, RBAC, secure_delete, audit log | LOW-MEDIUM (workstation theft) | None (backup remains the institution's responsibility)

07 Residual risk & conclusion

After implementation of all identified mitigations, the overall residual risk profile of PISUM v2.x is assessed as MEDIUM, driven by PA-2's dependence on the pending Deepgram DPA: the benchmarking-sharing risk and the assurance that audio is deleted after transcription both fall to LOW once the DPA is signed.

Outstanding action items

  • [Priority: HIGH] Sign DPA with Deepgram Inc. (contact: security@deepgram.com) — restricting processing to core service delivery and prohibiting benchmarking sharing. Target: within 60 days of this DPIA.
  • [Priority: MEDIUM] Implement in-app warning when user dictates content that appears to include patient name or ID formats (regex heuristic).
  • [Priority: LOW] Evaluate feasibility of on-device STT (Whisper.cpp) as a Deepgram alternative for users with strict data sovereignty requirements.
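The in-app warning proposed in the MEDIUM action item above, worked through as an added example (not PISUM's code). The patient-ID format (two letters, a hyphen, six to eight digits), the name cue words and both sample transcripts are assumptions made for the demo; the real institutional ID scheme would replace the first pattern. Because the check runs on the text Deepgram returns, it can only warn after the audio has left the workstation; to intervene earlier it would have to run on interim transcripts during the stream.

```python
"""Heuristic screen for patient identifiers in a dictation transcript.

Added example for the PA-2 action item; not PISUM's own code. The ID format,
the name cues and the sample transcripts below are assumptions for the demo.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed institutional patient-ID scheme: two upper-case letters, hyphen, 6-8 digits.
PATIENT_ID_RE = re.compile(r"\b[A-Z]{2}-\d{6,8}\b")

# A date counts only when a date-of-birth cue precedes it; bare dates are usually
# exam or comparison dates, which are not identifiers on their own.
DOB_RE = re.compile(
    r"\b(?:born(?: on)?|date of birth|DOB|D\.O\.B\.)\s*[:,]?\s*"
    r"(\d{1,2}[./-]\d{1,2}[./-]\d{2,4}|\d{4}-\d{2}-\d{2})",
    re.IGNORECASE,
)

# One or two capitalised words directly after an honorific or the word "patient".
# "Patient is a 54-year-old" does not match because the next word is lower-case.
_NAME_WORD = r"[A-Z][a-z]+(?:-[A-Z][a-z]+)?"
NAME_RE = re.compile(
    rf"\b(?:Mr|Mrs|Ms|Miss|Mx|[Pp]atient)\.?\s+({_NAME_WORD}(?:\s+{_NAME_WORD})?)"
)

SAMPLE_TRANSCRIPTS = {  # constructed for this example
    "identifying": "Chest radiograph for patient Jane Doe, ID AB-1234567, born 14/03/1971. Lungs are clear.",
    "clean": "Chest radiograph. Comparison with the study of 12/03/2026 shows no change. Lungs are clear.",
}


@dataclass(frozen=True)
class Finding:
    kind: str   # "patient_id", "dob" or "name"
    text: str   # the identifier itself, without the cue word
    start: int  # character offsets into the transcript
    end: int


def screen_transcript(text: str) -> List[Finding]:
    """Return fragments that look like patient identifiers, ordered by position.

    Overlapping hits keep the earliest (then longest) one so redaction offsets stay valid.
    """
    raw = [Finding("patient_id", m.group(0), m.start(), m.end()) for m in PATIENT_ID_RE.finditer(text)]
    raw += [Finding("dob", m.group(1), m.start(1), m.end(1)) for m in DOB_RE.finditer(text)]
    raw += [Finding("name", m.group(1), m.start(1), m.end(1)) for m in NAME_RE.finditer(text)]
    kept: List[Finding] = []
    for f in sorted(raw, key=lambda f: (f.start, -f.end)):
        if kept and f.start < kept[-1].end:
            continue
        kept.append(f)
    return kept


def redact(text: str, findings: List[Finding]) -> str:
    """Replace each flagged fragment with a [KIND] placeholder, working right to left."""
    out = text
    for f in sorted(findings, key=lambda f: f.start, reverse=True):
        out = out[:f.start] + f"[{f.kind.upper()}]" + out[f.end:]
    return out


def warning_for(text: str) -> Optional[str]:
    """Text for the in-app warning, or None when nothing was flagged."""
    findings = screen_transcript(text)
    if not findings:
        return None
    kinds = ", ".join(sorted({f.kind for f in findings}))
    return f"Dictation appears to contain patient identifiers ({kinds}); they were sent to Deepgram."


if __name__ == "__main__":
    for label, transcript in SAMPLE_TRANSCRIPTS.items():
        found = screen_transcript(transcript)
        print(f"{label}: {[(f.kind, f.text) for f in found]}")
        print("  ", redact(transcript, found))
        print("  ", warning_for(transcript))
```

A heuristic of this kind misses names dictated without a cue word and IDs in formats other than the one configured, so it complements the consent-dialog warning rather than replacing it; the redaction function shows what a stricter mode could do with the same findings before the text reaches the report.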

DPIA review schedule

This DPIA shall be reviewed:

  • Every 12 months, or
  • Upon any significant change to processing activities (new sub-processor, new data category, new feature using personal data), or
  • Following a data breach or security incident affecting personal data.
Conclusion: Processing by PISUM v2.x is technically and legally justified under GDPR. All high-risk processing activities are covered by appropriate legal bases (Art. 6, Art. 9, Art. 49(1)(a)) and proportionate technical safeguards. The one outstanding MEDIUM risk (Deepgram benchmarking) is managed by full disclosure and explicit consent, with an ongoing DPA negotiation to eliminate it. PISUM may proceed with processing.

08 DPO consultation & sign-off

In accordance with GDPR Art. 35(2), the Data Protection Officer has been consulted during the preparation of this DPIA and has provided the following assessment.

DPO opinion

Opinion: FAVOURABLE — subject to one condition.
The DPO finds that PISUM v2.x processing is proportionate, lawful, and based on appropriate legal bases. The DPO endorses the mitigations implemented for PA-1 and PA-3. For PA-2, the DPO endorses proceeding with explicit consent under Art. 49(1)(a) as an interim measure, and requires that a DPA with Deepgram be signed within 90 days of this DPIA date. The DPO will re-evaluate PA-2 upon receipt of the signed DPA.
Product: PISUM
Version: 1.0
Date: May 2026
Status: ✓ Reviewed — May 2026
Next review: May 2027 (or earlier if processing changes)

For questions about this DPIA, contact the DPO at support@pisum.app with subject line [DPIA]. The full privacy policy is available at pisum.app/rgpd.html. The DPO designation is available at pisum.app/dpo.html.