Trust & Compliance
Where psychotherapy.talari.ai stands today — what is already in place, what is being built, and what is on the roadmap. Every commitment is scoped as Live, In progress, or Planned. We will not claim what we cannot evidence.
Why this page exists
Psychotherapy notes are some of the most sensitive personal data anyone produces. Under the GDPR, they are special category data (Art. 9). Under German law they are protected by criminal-code professional secrecy (§ 203 StGB). Under Polish law they are protected by professional-secrecy chains in the Psychologist's Profession Act (art. 14 ustawy o zawodzie psychologa) and the Penal Code (art. 266 KK).
psychotherapy.talari.ai is being built so that German and Polish psychotherapists can use AI documentation without weakening any of those protections. This page tells you, in concrete terms, where your patient-adjacent data lives, who can touch it, what we will do if something goes wrong, and which commitments are already in place versus on the roadmap.
If anything on this page is unclear, or if you need a copy of our DPA / AVV before signing, contact us at trust@talari.ai or via the DPO contact in §6.
1. Data location — EU-only, DE primary, PL fallback
| Item | State | Detail |
|---|---|---|
| Primary processing region | In progress | Germany. Hetzner Cloud (Falkenstein / Nuremberg) is the planned primary. Vendor freeze due before our first production therapist account. |
| Secondary / disaster-recovery region | In progress | Germany or France. IONOS (DE) or OVHcloud (FR) under evaluation. EU jurisdiction in either case. |
| Patient-content data centre outside the EU | Never | Architectural commitment, enforced via region-pinning and audit logging. |
| Patient-content data flow to a US sub-processor | Never | See §8 (Schrems II). |
| Marketing / website analytics | In progress | EU-resident, cookie-light analytics only; vendor pin pending. No US analytics for any page that handles authenticated session data. |
Audit trail. Once region-pinning is live, each request that touches patient-adjacent data will be logged with the region of every component that handled it. Logs are retained per the retention schedule in our DPA / AVV.
2. Encryption
| Item | State | Detail |
|---|---|---|
| In transit | In progress | TLS 1.3, modern cipher suites only, HSTS preload. End-to-end from therapist client to our application tier. |
| At rest — application data | In progress | AES-256 disk-level encryption on all primary and replica storage. |
| At rest — patient-adjacent fields | In progress | Field-level envelope encryption on top of disk-level for any field carrying patient identifiers or session content. |
| Key management | In progress | Customer-content keys held in a managed KMS pinned to an EU region (Hetzner-EU or IONOS-EU; Schrems-II compliant). No key material crosses the EU border. |
| Backups | In progress | Encrypted at rest with the same EU-region key hierarchy. Backups never replicated outside the EU. |
KMS region-locality statement. No customer-content key is ever materialised, wrapped, or used by a service running outside the EU. This is enforced at the IAM and network layers as part of the region-pinning architecture.
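The envelope-encryption and KMS region-locality commitments above can be read as one small mechanism, shown here as an added illustration (this is not talari.ai's code, and it assumes an in-process stand-in for a managed KMS; the region names are constructed). Each patient-adjacent field gets its own data-encryption key (DEK), the DEK is wrapped by a key-encryption key (KEK) that only the KMS holds, and every wrap or unwrap call first checks the caller's region against an EU allowlist, so a component running outside the EU can never obtain a usable key. The ciphertext is also bound to its record ID through GCM additional authenticated data, so a ciphertext moved to another record fails to open.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// ErrRegionDenied is returned for any key operation requested from outside the EU.
var ErrRegionDenied = errors.New("kms: caller region outside EU allowlist")

// Region names are constructed for this example, not the project's real identifiers.
var euRegions = map[string]bool{"eu-de-fsn": true, "eu-de-nbg": true, "eu-fr-gra": true}

// randomBytes draws n bytes from crypto/rand; a failure there is not recoverable.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM and prepends the nonce; open reverses it and fails on a wrong key, wrong AAD or tampered byte.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, errors.New("open: bad key or ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// KMS stands in for a managed key service pinned to one EU region; it holds the KEK and exposes only wrap/unwrap.
type KMS struct {
	region string
	kek    []byte
}

// NewKMS refuses to materialise a KEK anywhere outside the EU allowlist.
func NewKMS(region string) (*KMS, error) {
	if !euRegions[region] {
		return nil, errors.New("kms: refusing to hold keys outside the EU: " + region)
	}
	return &KMS{region: region, kek: randomBytes(32)}, nil
}

// WrapDEK and UnwrapDEK are the policy point where region-pinning is enforced: the caller's region is checked before the KEK is touched.
func (k *KMS) WrapDEK(callerRegion string, dek []byte) ([]byte, error) {
	if !euRegions[callerRegion] {
		return nil, ErrRegionDenied
	}
	return seal(k.kek, dek, []byte("dek@"+k.region))
}
func (k *KMS) UnwrapDEK(callerRegion string, wrapped []byte) ([]byte, error) {
	if !euRegions[callerRegion] {
		return nil, ErrRegionDenied
	}
	return open(k.kek, wrapped, []byte("dek@"+k.region))
}

// Record is what reaches storage: the field ciphertext plus its wrapped per-record DEK.
type Record struct{ WrappedDEK, Ciphertext []byte }

// EncryptField draws a fresh DEK for one field, wraps it through the KMS, and binds
// the ciphertext to the record ID via GCM additional authenticated data (AAD).
func EncryptField(kms *KMS, callerRegion, recordID string, plaintext []byte) (Record, error) {
	dek := randomBytes(32)
	wrapped, err := kms.WrapDEK(callerRegion, dek)
	if err != nil {
		return Record{}, err
	}
	ct, err := seal(dek, plaintext, []byte(recordID))
	return Record{WrappedDEK: wrapped, Ciphertext: ct}, err
}

// DecryptField unwraps the DEK (subject to the region gate), then opens the field.
func DecryptField(kms *KMS, callerRegion, recordID string, r Record) ([]byte, error) {
	dek, err := kms.UnwrapDEK(callerRegion, r.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Ciphertext, []byte(recordID))
}
```

In a real deployment the gate would be the KMS provider's IAM policy plus network controls rather than an in-process map, and disk-level encryption would sit underneath this layer; the point the stand-in makes is that a non-EU caller is refused before any key material is used, so even a copy of the stored record is useless outside the region.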
3. Audit status
| Item | State | Detail |
|---|---|---|
| ISO 27001 / ISO 27701 | Planned | Decision deferred until SOC 2 readiness completes. We will not claim either standard before certification. |
| SOC 2 Type II | In progress | Audit-firm RFP scheduled for Phase 3 readiness (target 2026-07-01 if the budget gate is open). EU-resident or digital-health-experienced firm preferred. We will share the report on request once issued. |
| TISAX | Planned | Evaluated alongside SOC 2; only pursued if a customer requires it. |
| Independent penetration test | In progress | Annual external pen test scoped under our security roadmap (gated on architecture lock + Phase 3 budget). Summary letter shareable under NDA. |
We will not display badges for certifications we have not yet earned. When SOC 2 Type II is issued, the audit-firm name, attestation period, and report-availability path will appear here.
4. Incident response
We follow the GDPR Art. 33 / Art. 34 framework.
| Item | State | Detail |
|---|---|---|
| Notification SLA to controller (the therapist or practice that holds the controller relationship) | In progress | Within 24 hours of confirmed incident, by the channel agreed in the DPA / AVV. This is stricter than Art. 33's 72-hour controller-to-supervisory-authority deadline because we are the processor and you need time to make your own filing. |
| Notification path to the supervisory authority | In progress | The controller files; we provide the technical breach report needed for the filing. Default targets: BfDI / Berlin LDA (DE), UODO (PL). |
| Tabletop exercise | In progress | First exercise scoped under our security roadmap; documented residual-risk register. |
| Status communication | In progress | Live status page at status.talari.ai (planned to launch with the first production therapist account). |
| Subject-rights request handling | In progress | We assist controllers with Art. 15–22 requests; turnaround commitment is captured in the DPA / AVV. |
5. Sub-processor list
The canonical sub-processor registry will live at psychotherapy.talari.ai/trust/sub-processors once published. Entries marked pending have Art. 28 AVV/DPA drafted and are awaiting signature; entries marked proposed are not yet finalised (gated on vendor freeze). No sub-processor is engaged until all onboarding steps in the registry process are complete.
| Sub-processor | Purpose | Region | Status |
|---|---|---|---|
| Hetzner Online GmbH | Primary infrastructure (compute, storage, network) — patient content + metadata | DE (Falkenstein / Nuremberg) | Pending AVV drafted; awaiting signature |
| Hetzner Online GmbH (FI node) | CRM platform hosting (self-hosted EspoCRM) — prospect/controller data only, no patient content | FI (Helsinki) | Pending AVV annex drafted; awaiting signature |
| IONOS SE | Secondary / DR infrastructure | DE | Proposed |
| OVHcloud SAS | Alternative secondary / DR infrastructure | FR | Proposed |
| Mistral AI | EU-hosted LLM API for transcript generation; mandatory "no training on customer data" contractual term + zero-retention side letter | EU | Proposed |
| Anthropic (EU region) | LLM API, second-source — only when EU-region Claude API is generally available | EU | Planned |
| DPO firm (DataGuard or Proliance) | External Data Protection Officer service | EU | Proposed |
| Email / transactional comms | Transactional email for account / outreach lifecycle | EU | Proposed |
| Error monitoring | Application-error telemetry (no patient content payloads) | EU | Proposed |
Registry state: 0 engaged · 2 pending · 5 proposed · 0 terminated.
Self-hosted GPU. Deferred until > €500k ARR. Until then, all LLM inference for raw transcripts is performed by an EU-region commercial API with a “no training on your data” contract term and zero retention of user content beyond what is required to return the response.
Notification SLA on changes. We will notify customers (the controllers) at least 30 days before any new sub-processor begins processing patient-adjacent data, and at least 60 days before any change that affects the data-residency region. Customers may object, in which case we provide either an alternative sub-processor or a migration path; if no alternative is available, the customer may terminate the affected service for cause.
6. Data Protection Officer
| Item | State | Detail |
|---|---|---|
| External DPO appointed | In progress | Procurement of an external DPO firm (DataGuard or Proliance shortlisted). The DPO will be contracted before any production therapist account is onboarded. |
| DPO contact for data-subject requests | In progress | Will be published here as dpo@talari.ai once the firm is contracted and the mailbox is provisioned. Until then, route requests to trust@talari.ai, monitored by our Compliance Guardian function. |
| Public registration of DPO with supervisory authorities | Planned | DPO firm files registration with BfDI (DE) and UODO (PL) on contract execution. |
We will not assert “we have a DPO” until the contract is executed. This page is updated within 5 business days of execution.
7. DPIA-by-design summary
We do not treat the DPIA as a paperwork exercise filed once and forgotten. psychotherapy.talari.ai is built DPIA-first: every architectural decision that touches patient-adjacent data is evaluated against a residual-risk register before merge.
The full DPIA (Art. 35 GDPR / art. 35 RODO) is maintained internally and made available on request under NDA.
Headline findings from the v1 DPIA:
- No high-risk residuals requiring Art. 36 prior consultation with a supervisory authority.
- The single residual above Low is the clinical-quality risk that an AI-generated draft might be inaccurate — mitigated by the architectural commitment that the therapist is always the author of record: no draft is filed to a patient record without the therapist's explicit review and approval.
- Lawful basis (Art. 6 / Art. 9): controller-side basis is the therapist's professional treatment relationship and the patient's explicit consent (Art. 9(2)(a) / Art. 9(2)(h)). Our processor-side activity is governed solely by the DPA / AVV — we do not process patient content for our own purposes.
- No secondary use. Patient content is never used to train, fine-tune, or evaluate any model — neither ours nor a sub-processor's. This is a contractual term with each LLM sub-processor and a hard architectural rule.
8. Schrems II statement
Zero US sub-processors handle raw patient content.
This is a categorical commitment, not a best-effort statement.
- All LLM inference on raw therapy-session transcripts is performed by an EU-region commercial API under a contract that prohibits training on customer data and prohibits retention beyond the request lifecycle.
- All primary and secondary infrastructure is operated by EU-headquartered providers in EU data centres under EU jurisdiction.
- The few US-headquartered SaaS tools we may use (e.g. internal collaboration / observability) do not receive raw patient content and are scoped under appropriate Standard Contractual Clauses with supplementary measures per the EDPB Recommendations 01/2020.
- Where a US-headquartered tool offers an EU-data-residency tier, we use that tier in preference to a non-EU one, even at higher cost.
- We monitor adequacy decisions and Schrems-style litigation; if the EU–US Data Privacy Framework is invalidated again, the architectural commitment above means our patient-content data flow is unaffected.
9. Customer-facing legal documents
- DPA (PL) — Umowa Powierzenia under art. 28 RODO. On request via trust@talari.ai.
- AVV (DE) — Auftragsverarbeitungsvertrag under Art. 28 GDPR + § 203(3) StGB conformity. On request via trust@talari.ai.
- TOM Schedule (Annex 1 to both DPAs). On request, ships with the DPA/AVV.
- Privacy Notice — /legal/en/privacy-policy
- Imprint / Impressum — /legal/en/legal-notice
10. Contact
- General trust questions: trust@talari.ai
- Subject-rights requests (Art. 15–22): trust@talari.ai (will route to dpo@talari.ai once the DPO firm is contracted)
- Security disclosure: security@talari.ai (PGP key published once the security mailbox is provisioned)
- Postal address: pending entity registration in Poland
11. Revision history
| Revision | Date | Change |
|---|---|---|
| v1.1 (draft) | 2026-05-23 | First public draft of the psychotherapy.talari.ai Trust page. Adapted from internal Compliance Guardian source. Pre-incorporation framing. |