Legal, Privacy, and Compliance

Last updated: September 24, 2025

Here you can find COADIA's key legal, privacy, and compliance commitments for our products and services.

1. Our Role and Data Types

Who We Are

COADIA provides software and services that turn routine clinical conversations into standards-ready datasets for real-world evidence and clinical research in CNS and psychiatry.

Data We Process

  • Clinical audio and derived transcripts with time stamps, captured with consent
  • Structured features such as symptom mentions, adverse event mentions, and clinical assessments when configured by the client
  • Operational metadata such as user IDs, device type, time stamps, and audit logs

Controller vs Processor

For sponsor projects and provider deployments, COADIA generally acts as a processor or business associate handling data on behalf of the client.

For our public website and marketing tools, COADIA acts as a controller of site visitor data per our Privacy Notice.

HIPAA and BAAs

If you are a covered entity or business associate in the United States, we will execute a Business Associate Agreement upon request as part of contracting.

2. Lawful Basis and Consent

Clinical Capture

We require explicit consent for recording. We provide state-aware consent flows and store consent artifacts alongside each session's lineage.

Clients are responsible for using our consent modules in a manner that meets their local legal and institutional requirements.

Website and Marketing

See our Privacy Notice and Cookie Notice for site visitor data, preferences, and opt out options.

3. Data Standards and Provenance

Standards First

COADIA outputs are mapped to CDISC SDTM where applicable and use MedDRA terminology for adverse event concepts, as required or expected in sponsor workflows. FDA programs describe SDTM and ADaM as submission standards, and FAERS uses MedDRA for AE terminology.

Clip to Cell Lineage

Each derived variable links back to the source media time span and transcript token range.

We maintain a machine-readable lineage manifest to support audit and reproducibility.

4. Privacy Program

Frameworks We Align To

  • HIPAA Privacy and Security Rules where applicable to client projects in the United States
  • US state privacy laws such as California CPRA for site visitors
  • GDPR and UK GDPR when we act as controller for EU and UK visitors or when clients determine applicability

Data Subject Rights

When COADIA acts as processor, we assist clients in responding to access, correction, deletion, and restriction requests according to the contract.

When COADIA acts as controller for website data, see our Privacy Notice for submission instructions.

Retention

We retain data only as long as needed to provide the service, meet legal or contractual obligations, or as otherwise set forth in the governing agreement and our retention schedule. On expiration, we delete or return client data as directed.

5. Security Controls

Administrative

  • Security and privacy training for all workforce members
  • Background checks where permitted by law
  • Access on the principle of least privilege with role based access reviews

Technical

  • Encryption in transit using TLS
  • Encryption at rest for production data stores
  • Isolated environments for development, staging, and production
  • Fine-grained audit logging for data access and configuration changes
  • Network segmentation and firewall rules for production services

Vulnerability and Patching

  • Regular vulnerability scanning and prompt risk-based remediation
  • Third-party penetration testing at least annually for internet-facing components
  • Dependency monitoring and patch management following our change control process

Business Continuity and Disaster Recovery

  • Documented BCP and DR plans with periodic exercises
  • Replication and tested restore procedures for production data stores

Incident Response

  • Triage, containment, eradication, and postmortem with corrective actions
  • Client notification consistent with contract and applicable law

14. Contact

Privacy Questions

privacy@isha.health

Security Questions

security@isha.health

Compliance & BAAs

compliance@isha.health

13. Responsible Disclosure

If you believe you have found a security vulnerability in a COADIA product or site, email security@isha.health with details and steps to reproduce. Do not publicly disclose the issue until we confirm a fix. We will acknowledge receipt and keep you informed.