Vertix.

Compliance Handbook

How we run a clinical AI platform you can defend in front of your counsel

Last updated: May 2, 2026 · Currently available to licensed clinicians in the United States.

This Handbook is the public, plain-English summary of the policies and procedures that govern how Cited treats data, designs its AI, signs contracts, and behaves in the market. It does not replace our Privacy Policy, our Data Protection Statement, our Security overview or our Disclosures page. It complements them by showing you the shape of the underlying compliance program, the regulatory frameworks we comply with, the international standards we align with, and the internal policies we have written to keep ourselves honest.

The detailed internal policies and procedures are kept private because they contain operational specifics that would not assist you and could, in some cases, weaken our security posture if published verbatim. What follows is the substance, in summary form, that any sophisticated buyer or counsel should expect to see before placing patient data in our platform.

1. Why this matters

Cited processes information that is among the most sensitive in healthcare: mental-health Protected Health Information, clinical reasoning notes, transcripts of psychotherapy sessions. This is the category of data the law protects most stringently, and the category your patients trust you to handle with discretion. Our compliance program is built around that responsibility. The platform is not optimised for growth at the expense of patient privacy; it is optimised so that you can defend any clinical decision Cited supports before a board, a payer, an attorney, or a regulator.

2. Regulatory frameworks we comply with

2.1 United States · federal

  • HIPAA Privacy Rule (45 CFR §§164.500-534), the framework that governs the use and disclosure of Protected Health Information by Covered Entities and their Business Associates.
  • HIPAA Security Rule (45 CFR §§164.302-318), the administrative, physical and technical safeguards required for electronic Protected Health Information.
  • HIPAA Breach Notification Rule (45 CFR §§164.400-414), which sets the timelines and content for notification to affected individuals, the Department of Health and Human Services Office for Civil Rights, and, where applicable, prominent media.
  • 21st Century Cures Act §3060 (codified 21 USC §360j) and the FDA Final Guidance on Clinical Decision Support Software (March 2026), under which Cited qualifies as non-device CDS: we do not diagnose, our recommendations are transparent and source-cited, and we expect every clinician to apply independent judgement.
  • Anti-Kickback Statute (42 USC §1320a-7b) and Stark Law (42 USC §1395nn), which we keep in mind whenever the platform interacts with federal-program providers, referrers or partners.
  • EKRA (18 USC §220), which we treat as a hard gate before any engagement involving substance-use-disorder treatment referrals.
  • FTC Endorsement Guides 2026, which apply to anyone who promotes Cited under our affiliate programme.
  • 42 CFR Part 2, additional confidentiality protections for substance-use-disorder records, applied as a layer above HIPAA when those records are present.

2.2 United States · state-level

We track and operationalise the leading state privacy regimes so that a single internal procedure satisfies them simultaneously. Currently in scope: California (CCPA / CPRA, CMIA), Colorado (CPA, Colorado AI Act SB 205 effective February 2026), Virginia (CDPA), Utah (UCPA), Connecticut (CTDPA), Texas (TDPSA), Oregon (OCPA), Delaware (DEPA), Washington (My Health My Data Act), Illinois (BIPA for biometric data), and New York (SHIELD Act). Where state law imposes a stricter floor than federal HIPAA, the stricter floor governs. We track PSYPACT status across states and we surface state-specific mandatory-reporting nuances inside the product so the clinician is never the last to know.

2.3 Andorra · jurisdiction of the controller

Cited is operated by a company established in the Principality of Andorra. As a result, our processing is also subject to the Llei qualificada 29/2021 de protecció de dades personals (LQPDP), as amended by Llei 12/2024, and to its implementing Decret 391/2022. Supervision rests with the Agència Andorrana de Protecció de Dades (APDA). The full Andorran-law disclosure lives at /data-protection; what matters here is that the substantive obligations of the Andorran framework are materially equivalent to the obligations we already discharge under HIPAA, and we run a single procedure that satisfies both. Where the Andorran obligation is stricter (for example, the seventy-two-hour breach-notification window to the APDA), the stricter timeline governs.

2.4 Out of scope · explicitly

The European Union General Data Protection Regulation does not apply to Cited, because Andorra is not an EU member state and we do not currently target the EU market. If we ever do, this Handbook will be updated and the relevant obligations will be activated. Until then, any vendor questionnaire that asks us about "our GDPR compliance" receives the same answer: we comply with the controller's Andorran framework and with the product's US framework, both of which are stricter than what GDPR requires for non-EU residents.

3. International standards we align with

We align our internal management systems with the relevant ISO standards. Alignment is documented through internal policies that mirror the standard's clauses; certification, where pursued, is a separate process described in our Security overview.

  • ISO/IEC 27001:2022 · Information Security Management System. Ninety-three Annex A controls organised across four themes (organisational, people, physical, technological), implemented inside our platform and operations.
  • ISO/IEC 27701:2019 · Privacy Information Management System, extending the ISMS with controller-specific and processor-specific privacy controls.
  • ISO/IEC 27017:2015 · Cloud-specific information security controls.
  • ISO/IEC 27018:2019 · Protection of Personally Identifiable Information in public cloud.
  • ISO 27799:2016 · Information security management in health.
  • ISO/IEC 42001:2023 · AI Management System. The first international standard specific to AI, and central to how we govern Cited's clinical reasoning models, guardrails, citation enforcement and safety classifier.
  • ISO/IEC 23894:2023 and ISO/IEC 38507:2022 · cross-references for AI risk management and AI governance.
  • ISO 37301:2021 · Compliance Management System (replacing ISO 19600). The umbrella under which the rest of the program runs.
  • ISO 37001:2016 · Anti-Bribery Management System, applied to our gifts and hospitality, our affiliate programme, and our healthcare-sector interactions.
  • ISO 31000:2018 · the Risk Management methodology we use in the Risk Register.

4. Our internal policies, in summary

We maintain sixteen internal Policies and Procedures (PP-00 to PP-15) that operationalise the frameworks above. Each policy is reviewed annually and on any material event. The list below is the public summary; the full text is private.

PP-01 · Data Protection Policy

The master policy. States our lawful bases for processing, the dual role we play (Controller for clinician account data, Processor for Patient PHI under BAA), the cross-border safeguards for the Andorra-to-US flow, the documentation we keep, and the annual review cadence.

PP-02 · Records of Processing Activities (RAT)

Our internal inventory of every distinct Processing Activity, with purpose, lawful basis, data categories, recipients, retention, and cross-border status. It is the document the APDA can request during an inspection.

PP-03 · Data Subject Rights Procedure

How we handle access, rectification, erasure, restriction, portability and objection requests under both the LQPDP and HIPAA. A single inbox at [email protected]; a substantive response within one month, extendable by two months for complex cases with explicit notification; identity verification kept proportionate; refusals always reasoned and always pointing to the APDA complaint right.

PP-04 · Personal Data Breach Notification

Detection, triage, severity assessment, dual notification protocol (APDA within 72 hours; HIPAA Business Associate to Covered Entity without undue delay; Covered Entity to OCR within 60 days; immediate notification when 500 or more individuals are affected). Annual tabletop exercise. Permanent breach register with chain-of-custody protections.

PP-05 · Data Retention and Deletion

Retention periods aligned to the longest applicable jurisdiction: seven years for PHI, six years for accounting and breach records, rolling thirty days for backups, immutable retention for chain-of-custody audit logs, deletion to NIST SP 800-88 standard with certificates of destruction available on request.

PP-06 · Security Safeguards

AES-256 encryption at rest, TLS 1.3 in transit, multi-factor authentication, role-based access control with least-privilege defaults, hash-chained audit logs, quarterly vulnerability scans, annual third-party penetration testing. The full picture lives at /security; the underlying controls map one-to-one to ISO 27001:2022 Annex A and to the HIPAA Security Rule.

PP-07 · Subprocessor Management

Every subprocessor that handles PHI signs a BAA. The current and planned list is published at /security#subprocessors. We give thirty days’ advance notice before adding any new subprocessor that will handle PHI.

PP-08 · Data Protection Impact Assessment

Required by article 35 LQPDP for high-risk processing. We have a worked example for the production processing of US clinical PHI, and a parallel checklist for the Colorado AI Act algorithmic impact assessment effective February 2026. Where high residual risk persists we conduct prior consultation with the APDA, whose response time is eight weeks, extendable by six weeks in complex cases.

PP-09 · Data Protection Officer Designation

We have an internal Data Protection Officer with documented conflict-of-interest safeguards (functional segregation, audit trail of decisions by role, optional annual external review, structured re-evaluation as the team grows). The DPO is filed with the APDA within ten business days of designation, in Catalan, through the official form at apda.ad/alta-de-dpd. Contact at [email protected].

PP-10 · Information Security Management System (ISMS)

Implements ISO 27001:2022 with the Annex A control catalogue, plus the cloud-specific guidance of ISO 27017, the public-cloud PII protections of ISO 27018, and the healthcare-specific guidance of ISO 27799. The ISMS lives in the same physical perimeter as our production platform; it is not a paperwork exercise.

PP-11 · Privacy Information Management System (PIMS)

Implements ISO 27701:2019 over the ISO 27001:2022 base. Maps every privacy control to its LQPDP and HIPAA equivalent. Recognises our dual role as Controller (for clinician account data) and Processor (for patient PHI under BAA) and applies the right control set to each.

PP-12 · AI Management System (AIMS)

The most material policy for a clinical AI vendor. Implements ISO/IEC 42001:2023, with cross-references to ISO 23894 and 38507. Covers the AI lifecycle, training data, bias auditing, citation enforcement as a critical safety control, mandatory guardrails on suicidal ideation and controlled-substance content, prohibition of training on customer data, model versioning for reproducibility, and a release checklist that confirms the four FDA non-device CDS criteria are still satisfied.

PP-13 · Speak-Up Channel and Whistleblowing

A confidential, encrypted reporting channel for anyone who suspects a compliance breach inside or around Cited. Anti-retaliation protections under the Andorran Codi Penal, US Sarbanes-Oxley §806, the False Claims Act and the leading state retaliation statutes. Reach us at [email protected].

PP-14 · Gifts, Hospitality and Anti-Bribery

Aligned with ISO 37001:2016. Hard limits, mandatory pre-approval above threshold, a written register, and a complete prohibition on anything that could constitute a kickback under the Anti-Kickback Statute when the recipient is a federal-program healthcare provider.

PP-15 · Quarterly and Annual Compliance Attestation

Each quarter we sign a written attestation covering the prior period across data protection, security, anti-bribery and Speak-Up. Each year we conduct a formal Compliance Undertaking with internal audit and a management review under ISO 37301:2021 §9.3, ISO 27001:2022 §9.3 and ISO 42001:2023 §9.3. Records are immutable, hash-chained, and retained for seven years.

5. Risk register and control catalogue

We maintain an active Risk Register with twenty-nine identified risks across seven categories (privacy, information security, AI system, commercial structure, referrer programme, regulatory compliance, operational) and a Control Catalogue with fifty-nine controls mapped to ISO clauses and legal citations. The methodology follows ISO 31000:2018. The Register is reviewed quarterly.

6. Independent assurance

  • SOC 2 Type II · audit in progress, target Q3 2026. See /security for current status.
  • NIST AI RMF 1.0 and NIST CSF 2.0 · we operate aligned with both frameworks, including the NIST Cybersecurity Framework Profile for AI published December 2025.
  • CSA STAR Level 1 · planned publication of our Consensus Assessments Initiative Questionnaire in the Cloud Security Alliance registry.
  • Penetration testing · annual, third-party, executive summary available to clients under NDA.
  • Vulnerability scanning · quarterly DAST and SAST per release.
  • Bug bounty · responsible disclosure to [email protected].

7. What we do not do

  • We do not train any AI model on customer data, ours or anyone else’s. The reasoning engines are trained exclusively on peer-reviewed literature, clinical guidelines and government clinical sources.
  • We do not accept pharmaceutical, payer or data-broker funding. The recommendation engine ranks evidence by replication and source authority, never by commercial relationship. See /no-conflict-of-interest.
  • We do not provide diagnoses or prescriptions. Every output is framed as supporting information and is accompanied by a verifiable citation; the clinician always decides.
  • We do not run a patient-facing chatbot. Cited is a B2B platform for licensed clinicians.

8. How to contact us

Privacy and data subject rights: [email protected].
Data Protection Officer: [email protected].
Security disclosures and bug bounty: [email protected].
Compliance procurement and vendor questionnaires: [email protected].
Conflict-of-interest disclosures: [email protected].
Postal mail: THE HUB INITIATIVE SLU, Avinguda Doctor Mitjavila 26, AD500 Andorra La Vella, Principality of Andorra.

9. Document version

This Handbook is version 1.0, effective 2 May 2026. Substantive updates are tracked internally and surfaced here within thirty days of effective date. The version history of all internal Policies and Procedures is maintained in a private register; material changes that affect this Handbook, the Privacy Policy, the Data Protection Statement or the Disclosures page are reflected on those public pages within thirty days.

Questions about this document? Reach our compliance team.