All legal documents

DPIA Summary

Last updated 2026-07-05

Why a DPIA

Curelo processes special-category health data of vulnerable adults at scale and includes AI-assisted features, so a DPIA is appropriate. This summary supports the care provider's own DPIA; we provide a fuller template on request.

Key risks & mitigations

  • Unauthorised access → role-based access, multi-tenant isolation, two-factor authentication, immutable audit trail, session idle-timeout.
  • Data loss → managed Postgres with backups; documented recovery objectives (confirm point-in-time recovery is enabled before real data).
  • Excessive retention / unlawful erasure → retention aligned to the Records Management Code of Practice, with erasure honoured only where lawful.
  • AI over-reliance → AI outputs labelled decision-support only; not a medical device; clinical judgement retained.
  • Third-country transfer → UK/EEA hosting; safeguards for any AI/email sub-processor recorded in the register.

Questions about this document? Contact privacy@curelo.care.