Cloud provider
Carely's compliance, security, and AI architecture.
Hosted in the EU. ISO 27001 certified. GDPR by design. AI inside Carely's controlled environment.
Hosted in the EU on AWS
Frankfurt by default, Zurich by election.
Default region
Frankfurt (eu-central-1)
Swiss storage option
Zurich (eu-central-2), available under Article 14(2) of the GTC. Switzerland is covered by the European Commission adequacy decision of 15 January 2024, treated as equivalent to the EU for data transfers.
Data residency
Patient data resident inside the European Union (or Switzerland by election). No transfer to third countries without the safeguards set out in the DPA.
Service architecture
Standard AWS managed services across compute, storage, and database, operated inside Carely's controlled AWS account.
Continuity
Global and redundant service infrastructure with full disaster recovery sites. Backups stored in a separate fire compartment. Documented restoration processes.
Data return on termination
Thirty days of read-only access, extendable to seven months on request, with structured exports in CSV, JSON, and PDF/A formats. Aligned with Article 25 of the EU Data Act (Regulation EU 2023/2854).
The clinic is the data controller.
Carely is the data processor.
Patient rights
Carely supports the clinic in fulfilling patient access, rectification, restriction, erasure, data portability, and objection requests under the GDPR.
Breach notification
Carely notifies the clinic within 48 hours of becoming aware of any Personal Data breach, ahead of the standard GDPR 72-hour timeline.
NIS2 cooperation
For clinics classified as essential or important entities under NIS2 (Directive EU 2022/2555), Carely provides cooperation and assistance for incident notification, supply-chain security, and oversight obligations.
Sub-processors, with their region and role:
| # | Sub-processor | Region | Role |
|---|---|---|---|
| 1 | Amazon Web Services EMEA SARL | EU (Frankfurt, eu-central-1) | Hosting, compute, default storage |
| 2 | Amazon Web Services EMEA SARL | Switzerland (Zurich, eu-central-2) | Hosting, compute, Swiss storage |
Transfers to the UK and Switzerland are covered by European Commission adequacy decisions. No Standard Contractual Clauses are required for any sub-processor.
AI inside Carely's controlled EU environment.
For the operational view of how the AI works inside the patient engagement layer, see the AI architecture section on the Platform page.
Anthropic Claude via AWS Bedrock
Foundation model access through the AWS managed service, with inference inside the AWS region selected by Carely.
Inside Carely's controlled EU environment
AI inference happens inside Carely's own AWS account in Frankfurt, not over the public internet. Patient data is never sent to OpenAI, Google AI, Microsoft Copilot, or any other public AI service.
No model training on customer data
Patient data is never used to train, fine-tune, or improve foundation models. Anthropic is configured to prevent content retention to the extent supported by the upstream provider.
Three control points the clinic retains:
Limited-risk AI under the EU AI Act
Carely's AI features are configured as limited-risk AI systems under Regulation EU 2024/1689, with compliance milestones taking effect 2 August 2026 already met. They are not used for high-risk use cases including autonomous clinical decisions, diagnosis, triage, treatment recommendation, or autonomous patient monitoring.
Human oversight per Article 14 AI Act
Every AI-drafted output is reviewable and editable before it reaches a patient. Clinical responsibility stays with the clinic.
Transparency per Article 50 AI Act
AI-generated content is identified where required.
Security practices day to day
Encryption at rest
Industry-standard encryption for all health-related data fields.
Pseudonymisation
Health data fields are pseudonymised where technically feasible without impairing functionality.
Encryption in transit
TLS 1.2 or higher across all communications and data transmission.
Secure messaging delivery
Via Infobip, with channel-level encryption and consent enforcement.
Enhanced audit logging
Access and modification events on the patient record, including all access to sensitive health data fields, logged with audit-proof storage.
Service availability
99.9% monthly uptime commitment. Full Service Level Agreement in Schedule 2 of the GTC.
Common questions, answered directly.
A patient engagement platform is the class of tool purpose-built to unify the full patient journey, across acquisition, treatment, and continuity, onto a single first-party data foundation. It sits above the EHR, integrates with it, and orchestrates the communication that holds the relationship together across every phase of care. Industries adjacent to healthcare have had this category for years. In healthcare, it is emerging now, driven by rising patient expectations and the data demands of AI marketing.
A CRM tracks sales activity and customer records. Carely is purpose-built for the three-phase structure of the healthcare journey, including EHR integration, healthcare-specific compliance, and the continuity-of-care workflows that no generic CRM can deliver. The category is different because the journey is different. Patients are not customers, and the relationship continues long after the transaction ends.
Carely is the AI-ready foundation. The platform uses Anthropic Claude via AWS Bedrock, running inside Carely's own EU AWS environment, to draft communication, segment the patient database by natural-language prompt, and surface patterns across the continuous record. Patient data is not sent to public AI services and is not used to train foundation models. EU AI Act compliance milestones are met by August 2, 2026.
Carely is built for healthcare providers across the European Union. The platform fits private clinics, specialty centres, larger groups, and a wider range of healthcare organisations. It is most relevant for providers that compete on patient experience, reputation, and long-term relationships, and that want a compounding first-party data foundation rather than another short-term acquisition channel. Specialties already using or piloting Carely include refractive and cataract surgery, orthopedics, dental, aesthetic medicine, and fertility, with the platform applicable across the wider healthcare landscape.
Patient data is hosted in the European Union on Amazon Web Services. The architecture is aligned with ISO 27001, GDPR-compliant by design, and operated under a Data Processing Agreement that places the clinic as data controller and Carely as data processor. The AI layer runs through AWS Bedrock inside Carely's own EU environment, so no data is exposed to public AI services. Full architectural detail lives on the trust page.