PCDCareHub
TRUST & SECURITY

Trust is not an afterthought.

PCD CareHub builds infrastructure for healthcare. Compliance, data security, and AI governance are not afterthoughts — they are embedded in the architecture. This is our public accountability, organized by topic.

  • NEN 7510 principles
  • ISO 27001 principles
  • GDPR-by-design
  • EU data
  • Wegiz-ready

COMPLIANCE & CERTIFICATION

Status by standard and framework

NEN 7510
In preparation
Operations aligned with NEN 7510 principles. Formal certification targeted for Q1 2027.
ISO 27001
In preparation
Information security policy active. Formal certification targeted for Q1 2027.
AVG / GDPR
Operational
ROPA and DPIA maintained current per data stream. DPA available upon request.
Wegiz
Ready
Architecture and data flows are Wegiz-ready; legal safeguards established per implementation.
EHDS
Ready
Interoperability via FHIR R4 and open standards — EHDS-ready by design.
AI Act
In preparation
High-risk AI system classification mapped; governance framework active.

Formal NEN 7510 and ISO 27001 certification is in preparation, targeted for Q1 2027. In the meantime, we demonstrably operate in accordance with the principles of both standards. Underlying documentation — including DPA, sub-processor overview, DPIA template, incident response procedure, and security policy — is available upon request under NDA. Questions? Please reach out via info@pcdcarehub.com.

DATA & INFRASTRUCTURE

Where your data resides and flows

Encryption

Data at rest encrypted with AES-256. Data in transit via TLS 1.3. Key management isolated per environment.

EU data processing

Primary database located in the EU (Frankfurt). No health data processed outside the EU. EU region is a hard requirement in our vendor selection process.

Audit logging

Every data access and modification is traceable. Logs are retained in accordance with GDPR retention periods and are available for audit.

ROPA & DPIA

Record of Processing Activities (ROPA) and Data Protection Impact Assessments (DPIA) are actively maintained per data stream.

Sub-processors

| Party | Role | Data region | Notes |
|---|---|---|---|
| Vercel Inc. | Hosting & CDN | US / EU edge | EU region active; no PHI processed on edge nodes. |
| Supabase Inc. | Database & authentication | EU (Frankfurt) | Data at rest in EU; row-level security enabled. |
| Resend Inc. | Transactional email | US | No health-related data in email content; SCCs applicable. |

Standard Contractual Clauses (SCCs) apply where data is processed outside the EU. A data processing agreement (DPA) is available upon request.

AI GOVERNANCE

AI with a human in the loop

Human-in-the-loop

Clinical and high-risk applications always require a human review step. AI supports decision-making; it does not make decisions.

AI Act-ready

High-risk AI systems (EU AI Act Annex III) are classified, documented, and monitored in accordance with governance requirements.

GDPR Art. 22

No automated decisions with legal effects on individuals without explicit human oversight and the right to explanation.

INCIDENT & CONTACT

What happens when something goes wrong

Incident response

In the event of a data breach, affected controllers and — where required — the Dutch Data Protection Authority will be notified within 72 hours in accordance with GDPR Art. 33 and 34.

Security disclosure

Vulnerabilities may be responsibly disclosed via info@pcdcarehub.com. We respond within 5 business days and collaborate transparently toward a resolution.

FOR AGENTS & INTEGRATORS

Machine-readable truth layer

AI agents, integration partners and compliance auditors read the same facts as humans, only in structured form. The endpoints below give direct access to our status, claims and metadata without a crawler having to parse HTML first.

/api/site-context.json
JSON snapshot with organisation facts (KvK, founding, team Wikidata IDs, compliance status, EHDS claim). Refreshed on every deploy.
/llms-full.txt
Full markdown export of insights, cases and core pages — intended for LLM ingest instead of page-by-page crawling.
/llms.txt
Short index of what can be found here, in markdown — comparable to robots.txt, but for LLM crawlers.
/sitemap.xml
XML sitemap with all public URLs per locale (NL/EN/DE) and hreflang alternates. Registered in robots.txt.

All endpoints are public and stable. Changes are communicated via release notes.
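One way an integrator or auditor could consume these endpoints and check that the machine-readable layer agrees with the human-readable page, as an added example that is not PCD CareHub's own code. The sitemap parsing follows the standard sitemap protocol (sitemaps.org namespace with xhtml:link hreflang alternates), which is what a per-locale sitemap with hreflang alternates looks like. The JSON field names (`organisation`, `compliance`), the example.invalid URLs and both sample documents are constructed assumptions for this example; the real /api/site-context.json schema is not published on this page. The inputs are embedded so the script runs offline; against the live endpoints you would fetch the two documents first.

```python
"""Consistency checks for a machine-readable truth layer.

Added example, not PCD CareHub's own code. SAMPLE_SITEMAP and
SAMPLE_SITE_CONTEXT are constructed inputs; the JSON field names are
assumptions, since the published schema is not on the page.
"""
import json
import xml.etree.ElementTree as ET

# Locales named on the page for the per-locale sitemap.
EXPECTED_LOCALES = {"nl", "en", "de"}

SITEMAP_NS = {
    "sm": "http://www.sitemaps.org/schemas/sitemap/0.9",
    "xhtml": "http://www.w3.org/1999/xhtml",
}

# Constructed sitemap: the first URL has all alternates, the second lacks DE.
SAMPLE_SITEMAP = """<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9"
        xmlns:xhtml="http://www.w3.org/1999/xhtml">
  <url>
    <loc>https://example.invalid/nl/trust</loc>
    <xhtml:link rel="alternate" hreflang="nl" href="https://example.invalid/nl/trust"/>
    <xhtml:link rel="alternate" hreflang="en" href="https://example.invalid/en/trust"/>
    <xhtml:link rel="alternate" hreflang="de" href="https://example.invalid/de/trust"/>
  </url>
  <url>
    <loc>https://example.invalid/nl/cases</loc>
    <xhtml:link rel="alternate" hreflang="nl" href="https://example.invalid/nl/cases"/>
    <xhtml:link rel="alternate" hreflang="en" href="https://example.invalid/en/cases"/>
  </url>
</urlset>
"""

# Statuses exactly as stated on the human-readable page above.
PAGE_COMPLIANCE_STATUS = {
    "NEN 7510": "In preparation",
    "ISO 27001": "In preparation",
    "AVG / GDPR": "Operational",
    "Wegiz": "Ready",
    "EHDS": "Ready",
    "AI Act": "In preparation",
}

# Constructed snapshot; field names are assumptions. "AI Act" deliberately
# disagrees with the page so the check has something to report.
SAMPLE_SITE_CONTEXT = json.dumps({
    "organisation": "PCD CareHub",
    "compliance": {
        "NEN 7510": "In preparation",
        "ISO 27001": "In preparation",
        "AVG / GDPR": "Operational",
        "Wegiz": "Ready",
        "EHDS": "Ready",
        "AI Act": "Ready",
    },
})


def missing_hreflang_alternates(sitemap_xml, expected=EXPECTED_LOCALES):
    """Return {loc: [missing locales]} for every <url> lacking an alternate."""
    root = ET.fromstring(sitemap_xml)
    problems = {}
    for url in root.findall("sm:url", SITEMAP_NS):
        loc = url.findtext("sm:loc", default="", namespaces=SITEMAP_NS)
        present = {
            link.get("hreflang", "").lower()
            for link in url.findall("xhtml:link", SITEMAP_NS)
            if link.get("rel") == "alternate"
        }
        missing = sorted(set(expected) - present)
        if missing:
            problems[loc] = missing
    return problems


def compliance_mismatches(site_context_json, page_status=PAGE_COMPLIANCE_STATUS):
    """Return {standard: (page_value, json_value)} where the machine-readable
    snapshot disagrees with the page or omits a standard the page lists."""
    machine = json.loads(site_context_json).get("compliance", {})
    mismatches = {}
    for standard, page_value in page_status.items():
        json_value = machine.get(standard)
        if json_value != page_value:
            mismatches[standard] = (page_value, json_value)
    return mismatches


if __name__ == "__main__":
    print("sitemap gaps:", missing_hreflang_alternates(SAMPLE_SITEMAP))
    print("status drift:", compliance_mismatches(SAMPLE_SITE_CONTEXT))
```

The point of the second check is drift: an agent or auditor relying on the JSON snapshot should see the same certification status the page shows, and a mismatch after a deploy is the signal to investigate before anyone cites the wrong status.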

Need a DPA or data processing agreement?

For healthcare organizations and partners, we prepare a data processing agreement in accordance with GDPR Art. 28. Get in touch and we will arrange this prior to the start of any collaboration.

  • GDPR Art. 28
  • DPA on request
  • NDA possible

COMPLIANCE QUESTIONS?

Transparency is not a barrier.

Send a message or schedule a call. We address compliance questions openly and work under NDA upon request.