Security and compliance
Version 1.2 · in force since 2026-05-13 · last updated 2026-05-17
neonatae. is a structured communication channel between parents and the pediatrician. We process the health data of minors, and for that reason security is not an optional layer: it is the foundation of the architecture. This page describes exactly how we protect data, which standards we follow, and when independent certifications will arrive.
Who can see your child's data
In plain language, before the technical detail:
- Your pediatrician sees only the children in their own practice. They cannot see other pediatricians' patients. This limit is enforced by the database, not just by the application.
- You, the parent, see only your own children and your own conversations. You cannot see other families.
- Neo, the AI assistant, processes messages to compose the clinical intake but never receives surnames, tax codes, email addresses or the parent's identity (see the dedicated section below).
- neonatae. as a company: to run and maintain the service, technical staff have administrative access to the infrastructure. We are an early-stage company and today that access is restricted to a single person, the founder. We do not hide this: unlike a large company we cannot say "99% of staff cannot access the data". What we guarantee is different and verifiable: every access to clinical data leaves a row in an append-only audit log, and the appointment of an independent external DPO is on the roadmap (Q2-Q3 2026). Our defense is not "there are many of us", it is "everything is logged".
- No one else. No advertisers, no data brokers, no commercial third parties. The full list of technical providers that process data on our behalf is public at /legal/subprocessors.
Encryption and data residency
- In transit: TLS 1.3 mandatory on all communications (HSTS preload enabled). Target SSL Labs score: A+.
- At rest: AES-256 across the entire Postgres database and the clinical-attachment storage. Keys managed by AWS KMS.
- Backups: daily AES-256 encrypted snapshots with 7-day Point-in-Time Recovery. First Disaster Recovery test planned Q4 2026.
- Residency: all data at rest is hosted exclusively within the European Union, AWS Frankfurt region (eu-central-1). The only transient processing outside our own storage is Neo's LLM inference (see the Artificial intelligence section): EU provider, Zero Data Retention, EU Standard Contractual Clauses as the safeguard.
- Push notifications: notification payloads are encrypted per the Web Push standard (RFC 8291) with VAPID keys we generate ourselves. Apple/Google/Mozilla act as opaque relays and do not see the notification content.
Access control
- Database-level Row-Level Security (RLS): every table enforces Postgres policies that restrict visibility row by row. A pediatrician cannot read data of patients not in their panel. A parent cannot read children of other families. Enforced at the Postgres level, not only at the application layer.
- Principle of least privilege: every identity holds only the strictly necessary permissions. The service-role key is used exclusively in controlled server functions.
- Authentication: bcrypt password hashing (cost ≥ 10). MFA active for the Founder; mandatory MFA for pediatricians on the Q3 2026 roadmap.
- Key rotation: the service-role key and Resend API key are rotated annually; within 24 hours in case of an incident.
Medical-legal audit log
Every message sent, every read, every deletion is recorded in an append-only audit_log table: no SQL policy allows UPDATE or DELETE on this table, not even with service privileges.
The pediatrician views their own history at /pilot/pediatra/audit-log. Retention: 10 years (Art. 2946 of the Italian Civil Code and medical-legal practice). Tamper-evident hash-chain integrity on the Q4 2026 roadmap.
Data-subject rights
The GDPR grants rights that neonatae. honors within 30 days of the request:
- access to data (Art. 15);
- rectification (Art. 16) - editable directly from /pilot/me;
- erasure, the "right to be forgotten" (Art. 17) - direct button in the profile;
- restriction of processing (Art. 18);
- portability (Art. 20) - structured export on request;
- objection (Art. 21);
- complaint to the Garante per la protezione dei dati personali (the Italian data protection authority).
Contact: privacy@neonatae.it.
How this differs from consumer chat apps
A clinical conversation on WhatsApp may seem convenient, but it lacks the safeguards essential for medical use:
| Feature | neonatae. | |
|---|---|---|
| Guaranteed EU data residency | Yes - Frankfurt | EU residency not guaranteed by Meta |
| Inspectable medical-legal audit log | Yes, 10 years append-only | No |
| Right to deletion (Art. 17 GDPR) enforced | Yes, DB cascade | On your device, not on Meta backups |
| Clinical/personal separation | By design | Everything in the same account |
| RLS verifiable at DB level | Yes, open schema | Black box |
| End-to-end encryption of content | No (server-side processing); selective E2E roadmap 2027 | Yes (Signal protocol) |
WhatsApp is great for messages between friends. For clinical use, the requirements are missing.
Alignment with recognized standards
neonatae. maintains an Information Security Management System (ISMS) aligned with ISO/IEC 27001:2022 and a Privacy Information Management System (PIMS) aligned with ISO/IEC 27701:2019. The current status is self-attested, not yet certified; formal certification is planned for Q1-Q2 2027.
The ISMS/PIMS documents are available under NDA to corporate partners that request them in writing at privacy@neonatae.it:
- Information Security Policy (ISP)
- Data Processing Register (Art. 30 GDPR)
- Data Protection Impact Assessment (Art. 35 GDPR)
- Data Retention Policy
- Incident Response Plan
- Access Control Policy
- Cryptography Policy
- ISO 27001/27701 Self-Assessment Matrix
Artificial intelligence (Neo)
Neo is the clinical-intake and operational-support assistant built into neonatae. It performs seven distinct functions, always under the pediatrician's control:
- Intent classification on every parent message (conversation closure, urgent follow-up, new request). If the parent writes "ok thanks", Neo recognizes the closure and does NOT reopen the intake; the notification to the pediatrician is suppressed to avoid unnecessary interruptions.
- Routing by clinical cluster: 11 protocols (fever, vomiting, diarrhea, respiratory symptoms, rash, inconsolable crying, trauma, abdominal pain, feeding, sleep/behavior, other). Each cluster has questions, age-stratified red flags and a minimum dataset derived from pediatric guidelines (SICuPP, NICE, Schmitt-Thompson).
- Structured intake: Neo asks the parent the protocol questions (3-5, configurable by the pediatrician), then composes a single structured message (cluster, facts collected, red flags, urgency, completeness) ready for the pediatrician. Never a diagnosis, never an interpretation.
- Reply-time estimate bubble (ETA): right after the intake, Neo informs the parent when the pediatrician's reply will arrive (based on availability hours + historical median response time). Outside working hours: it points to the next available slot and shows the emergency number configured by the pediatrician.
- Reply suggestions for the pediatrician: the pediatrician can request 3 short variants above the input. Click, edit, send. The final message is always the pediatrician's. The gap (edit ratio) between suggestion and sent text is tracked for the improvement loop.
- Child clinical memory: Neo reads the clinical history (allergies, chronic conditions, ongoing treatments, the pediatrician's free notes) + the last 5 cluster conversations to recognize recurring patterns (e.g. third fever in two months) and cite them in the handoff. Never used to generate automatic diagnoses.
- Adaptive learning per pediatrician: 17 isolated settings for each pediatrician (tone, urgency thresholds, terminology, photo-request policy, per-cluster opt-out, max turns). A 7-reason feedback loop (clinical error, missed red flag, wrong urgency, too long, too short, wrong questions, wrong tone): each piece of feedback changes Neo's behavior ONLY for that pediatrician on the next turn, never globally.
Non-negotiable guardrails:
- Neo does not diagnose, does not prescribe medication, does not reassure about serious symptoms.
- Pediatric red flags (fever >38°C under 3 months, dyspnea, lethargy, seizures, blood, persistent vomiting, bulging fontanelle, rash + fever, head trauma, severe dehydration) → urgency
emergencyand immediate push, with no further questions. - The pediatrician has a master switch (Neo on/off) and can disable it per cluster (e.g. only for "sleep").
- Push notifications to the pediatrician are gated by Neo: they arrive only when Neo determines the pediatrician needs to act (handoff completed, urgent follow-up, skipped intake). No push on intermediate questions or closure confirmations - fewer interruptions than WhatsApp.
- Every LLM call (full prompt + response + tokens + latency) is recorded in an append-only audit table
ai_interactionswith 10-year retention. - In case of an LLM error, the parent's original message is delivered to the pediatrician unaltered and without delay.
- No surname, tax code, email or parent identity is sent to the model: the parent is always identified as "mother of {name}" and unique identifiers are local pseudonyms (DPIA R-18 mitigation).
Provider: Mistral AI SAS, a French (EU) company. Neo uses two models depending on the task: mistral-large-latest for the quality-critical steps (structured handoff, suggested replies) and mistral-small-latest for fast classification. Mistral runs on the Scale plan with Zero Data Retention enabled: it does not train on our data and retains neither prompts nor completions beyond the single request. Processing is EU-first; Mistral's DPA incorporates EU Standard Contractual Clauses (2021/914) as the safeguard for any processing carried out outside the European Economic Area. Q4 2026 roadmap: fine-tuning on a proprietary feedback dataset (target 500 examples). Q1 2027: self-hosting on proprietary EU infrastructure (Hetzner EU), zero LLM sub-processors.
Bilateral identity-data changes
The child's identifying data (display name, date of birth, sex) can be changed only with the dual consent of parent + pediatrician. One party proposes, the other accepts, rejects or withdraws. The applied change is limited to the identity fields whitelisted by a PostgresSECURITY DEFINER trigger: clinical fields (allergies, conditions, treatments) remain under the pediatrician's exclusive authority.
Every request, decision or withdrawal is recorded in the audit log with a textual reason and pseudonymized actors. The flow eliminates the possibility that one party unilaterally changes the child's identity without a trace (DPIA R-21 mitigation).
Processing sub-processors
The full list of providers that process data on behalf of neonatae. is published at /legal/subprocessors. Any new sub-processors are notified with 30 days' notice to Pediatricians (autonomous Data Controllers of their patients' clinical data).
Incident management and notifications
In the event of a personal data breach:
- containment and triage within 1 hour of discovery (Sev-1);
- notification to the Garante within 72 hours (Art. 33 GDPR);
- notification to data subjects without delay if there is a high risk (Art. 34 GDPR);
- notification to Pediatricians (clinical Controllers) within 24 hours (DPA);
- written post-mortem within 10 business days.
AI transparency and generated content
In line with Art. 50 of EU Regulation 2024/1689 (the AI Act) and the Italian data protection authority's guidance on the disclosure of synthetic content, neonatae. openly states when it uses artificial intelligence:
- Product images and marketing illustrations: some images on this site (e.g. conceptual visualizations of a pediatrician at the screen, product mockups in contexts not yet live) were generated by artificial-intelligence models for illustrative purposes. The working product UI is accessible at any time at the
/pilotpath - what you see there is the real product, not a mockup. - Team and founder photos: photos of the real team members are authentic photographs, not AI-generated.
- The Platform's clinical communication: Neo always identifies itself in chat with explicit labels and a typography distinct from human bubbles: "Neo · data collection" for questions, "Composed by Neo from the mother's answers" for the structured handoff, "Neo · estimated reply" for the ETA bubble, "Neo · identity-data change" for data-change requests. Reply suggestions to the pediatrician are labeled as such and become human messages only after confirmation. The consent for processing the minor's data explicitly includes these processing activities (see /en/privacy § 9).
- Audit log: every interaction with an AI model (full prompt + response) is recorded in the append-only
ai_interactionstable for medical-legal accountability, 10-year retention. - No AI in autonomous clinical decision-making contexts: Neo does not diagnose, does not prescribe, does not reassure about serious symptoms. The clinical decision always remains with the human pediatrician.
Certification and hardening roadmap
| When | What |
|---|---|
| Q2-Q3 2026 | Appointment of an external DPO specialized in healthcare. Mandatory MFA for pediatricians. Automated RLS test suite. |
| Q3-Q4 2026 | Independent external pen-test. Disaster Recovery drill. Audit-log hash-chain. Sentry + Plausible integrated with PII scrubbing. |
| Q1-Q2 2027 | ISO/IEC 27001 Stage 1 + Stage 2 audit. ISO/IEC 27701 extension. |
| Q2-Q3 2027 | Selective End-to-End encryption for clinical attachments (reports, prescriptions). |
| When applicable | CE Marking MDR Class IIa if/when we add AI decision support (V1 structured human chat is not SaMD). |
Contacts
- Privacy and GDPR rights: privacy@neonatae.it
- Vulnerability reporting (responsible disclosure): security@neonatae.it
- Garante per la protezione dei dati personali: garanteprivacy.it
docs/policy/).