Compliance

Patient data protection

100% local architecture · Zero cloud · GDPR Art. 25 · HDS-Ready

Updated: January 2026

🔒 Local patient data
Reports and patient data never leave your machine. No cloud access to medical data.

🛡️ Zero sub-processing
No cloud host, analytics service, or third party accesses your patients' health data.

🎙️ AI Dictation — Secure API
Sally AI processes dictation audio via PISUM's secure cloud API. Audio is processed in real time and never stored.

01 Data collected by PISUM

PISUM is designed according to the principle of Privacy by Design (GDPR Art. 25). The software distinguishes two fundamentally separate categories of data:

Account data (processed by PISUM SAS)

Data                   | Purpose                           | Retention
Last name, first name  | User account creation             | Subscription duration + 12 months
Professional email     | Authentication & notifications    | Subscription duration + 12 months
License key            | Activation & anti-piracy          | Subscription duration
OS / app version       | Compatibility & technical support | Rolling 12 months
✓ Health data: ZERO collection. Radiology reports, patient identifiers (name, ID, date of birth), and medical images are never transmitted to PISUM SAS or any third party. The only medical-context data that crosses the network is dictation audio sent to the transcription API, which is processed in real time and not stored; the returned text stays on your machine (see section 02).

02 Secure architecture — local data

🔒 Patient data always local

Radiology reports, patient data, and medical images never leave your machine. PISUM does not require an Internet connection for data entry and report export. Only AI features (Dictation, Enhancer) require network access to the secure PISUM API.

🎙️ AI Voice Dictation — secure cloud API

Sally AI voice dictation streams audio in real time to PISUM's secure API for transcription. The audio is not stored on the API side; only the text transcription is returned to your local machine. No patient record fields (name, ID, date of birth) are attached to the audio stream sent to the API: the stream carries the dictated speech and nothing else.

HDS. PISUM SAS hosts no health data: medical data remains on your machine, and the PISUM AI API processes only transient dictation audio, never patient records.

03 Sovereignty and telemetry

🛡️ Zero health data sub-processing

Because the software runs locally on the user's workstation, no third-party sub-processor (cloud host, analytics service) has access to medical data. Legal archiving and secure storage remain the sole responsibility of the institution's RIS/PACS, so data sovereignty stays entirely with the institution.

📝 Anonymized application logs

To ensure software stability, PISUM writes local technical error logs. These files are designed to capture no business data:

  • No patient names, dates of birth, or identification numbers (IDs).
  • No medical terms, report content, or voice transcriptions.
  • Only system error codes, loading times, and UI click events.
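One way to enforce a "technical data only" log policy in code, as an added illustration and not PISUM's own logging implementation: instead of scrubbing free-text messages with regular expressions (which can miss a name), the handler below discards the message string entirely and writes only structured fields that pass a closed allow-list of keys, values and formats. The logger name, the field names and the event vocabulary are assumptions for the example; the sample log calls are constructed.

```python
"""Allow-list log sanitizer: only technical fields can reach the log file."""
import io
import json
import logging
import re

# Closed vocabulary and per-field validators (assumed names for this example).
# A key without a validator is dropped; a value that fails its validator is dropped.
# Free text therefore has no path into the log file, whatever a developer passes in.
_VALIDATORS = {
    "event": lambda v: v in {
        "app_start", "app_exit", "report_export",
        "dictation_start", "dictation_stop", "click",
    },
    # error codes are short fixed-shape tokens, e.g. PX-1042
    "error_code": lambda v: isinstance(v, str)
    and re.fullmatch(r"[A-Z]{1,4}-\d{3,5}", v) is not None,
    # loading times: a bounded integer, bool excluded (bool is an int subclass)
    "duration_ms": lambda v: isinstance(v, int)
    and not isinstance(v, bool) and 0 <= v < 3_600_000,
    # UI element identifiers: lowercase identifier syntax, no spaces, no sentences
    "ui_element": lambda v: isinstance(v, str)
    and re.fullmatch(r"[a-z][a-z0-9_.]{0,31}", v) is not None,
}


def sanitize(fields: dict) -> dict:
    """Keeps only allow-listed keys whose values have the expected shape."""
    return {k: v for k, v in fields.items() if k in _VALIDATORS and _VALIDATORS[k](v)}


class TechnicalOnlyFilter(logging.Filter):
    """Replaces the record's free-text message with its sanitized structured fields.

    The original message string is discarded rather than scrubbed: a scrubber can
    miss a name or an ID, an allow-list cannot leak one.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        fields = getattr(record, "fields", None)
        clean = sanitize(fields) if isinstance(fields, dict) else {}
        record.msg = json.dumps(clean, sort_keys=True)
        record.args = ()
        return bool(clean)  # nothing allowed left: the record is not written at all


def make_logger(stream) -> logging.Logger:
    """Builds a logger whose single handler runs the allow-list filter."""
    logger = logging.getLogger("pisum_example")  # hypothetical logger name
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(TechnicalOnlyFilter())
    logger.addHandler(handler)
    return logger


def demo() -> list:
    """Logs a constructed mix of technical and business data; returns the lines written."""
    buf = io.StringIO()
    log = make_logger(buf)
    # Constructed sample calls. The second and third are the kind of developer mistake
    # the filter has to catch: patient data in the message and in extra fields.
    log.info("export ok", extra={"fields": {"event": "report_export", "duration_ms": 812}})
    log.error(
        "export failed for patient Jean Dupont, DOB 1970-01-01",
        extra={"fields": {"event": "report_export", "error_code": "PX-1042",
                          "patient_name": "Jean Dupont", "patient_id": "A123456"}},
    )
    log.info("transcript", extra={"fields": {"transcript": "bilateral pulmonary nodules"}})
    log.info("click", extra={"fields": {"event": "click", "ui_element": "btn_export"}})
    return buf.getvalue().splitlines()


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running the block writes three lines: the export timing, the error with only its code and event, and the click; the transcript record is dropped outright because none of its fields is allowed. The design choice worth copying is that the filter sits on the handler and overwrites `record.msg`, so the policy holds even for log calls written by someone who never read it.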

04 Patient rights (Art. 15 to 22)

The GDPR guarantees patients the right of access, rectification, erasure, and portability of their data. Because PISUM retains no data after the application is closed, there is no patient file inside PISUM to query or delete.

Exercising patient rights. Requests must be directed to the Data Controller (the clinic or hospital, through its DPO), which acts directly on the RIS/PACS or hospital information system (HIS) where the final reports are archived.

05 Contact & DPO

For any questions regarding data protection or to exercise your rights as a user of the PISUM service:

  • Email: support@pisum.app
  • Recommended subject: [GDPR] — your request
  • Response time: one month maximum (GDPR Art. 12(3))

Created by radiologists, for radiologists. 👨‍⚕️