Trust & Compliance

Built for privileged, regulated content.

Medical and legal teams trust Morlivo with patient records, case files, and confidential communications. Here is exactly how that content is encrypted, access-controlled, and kept out of AI training.

AES-256 at rest
TLS 1.2+ in transit
HIPAA BAA available
GDPR-aligned DPA
No AI training on your data
Full audit logging

Made for high-stakes industries

A mistranslated dosage or a misread clause is not a typo -- it is a liability. Our controls are built around that reality.

Healthcare (PHI)

  • We sign a Business Associate Agreement (BAA) before any PHI is processed.
  • Administrative, physical, and technical safeguards mapped to the HIPAA Security Rule.
  • Minimum-necessary access, full audit trails, and breach-notification commitments.
  • AI and regex PII redaction to strip identifiers before processing when you need it.

Legal & professional services

  • Confidential by default -- your content is processed for your request only, never to train models.
  • Tamper-evident audit log of who accessed what, exportable for your records.
  • Translation Validation gives you a defensible QA report on any translation, from any source.
  • Configurable retention and on-demand deletion so files do not linger past their purpose.

Our security controls

Encryption & key management

  • AES-256 encryption at rest, TLS 1.2+ in transit.
  • Google Cloud KMS with customer-managed encryption keys (CMEK).
  • Per-tenant keys plus a customer-controlled encryption kill switch.
  • Application-level field encryption for the most sensitive data.

Access & authentication

  • Role-based access control with custom and per-project roles.
  • SSO via SAML / OIDC and SCIM 2.0 user provisioning.
  • Enforced MFA, step-up authentication for sensitive actions.
  • Password policy with breach (HIBP) checks, lockout, and refresh-token reuse detection.

Privacy & data handling

  • Your content is never used to train AI models.
  • PII redaction (regex + AI) available on demand.
  • Data Subject Access Requests (DSAR) supported.
  • Configurable retention and on-demand deletion.

Compliance & legal

  • HIPAA Business Associate Agreement (BAA) available.
  • GDPR-aligned Data Processing Agreement (DPA).
  • Sub-processor transparency and consent tracking.
  • Regional data residency controls.

Infrastructure & reliability

  • Hosted on Google Cloud Platform (Cloud Run, Cloud SQL, Cloud Storage).
  • Per-tenant data isolation enforced across every request.
  • Managed PostgreSQL with automated backups.
  • 99.95% uptime target.

Monitoring & response

  • Comprehensive, exportable audit logging of access and changes.
  • Regular risk assessments and vulnerability scans.
  • Breach-notification commitments under our BAA and DPA.
  • Log and error sanitization to keep sensitive data out of telemetry.

Certifications & attestations

We believe in being precise about what we have today versus what is in progress.

Available now

Signed HIPAA BAA, GDPR-aligned DPA, and sub-processor disclosures.

Inherited

We run on Google Cloud Platform, which maintains ISO 27001, SOC 2, and HIPAA-eligible infrastructure certifications for the hosting layer.

On our roadmap

SOC 2 Type II and ISO 27001 for our own application layer. In the meantime we map our controls to both frameworks and will share our control matrix and completed security questionnaires (CAIQ / SIG-lite) under NDA.

Running a security review?

Send us your questionnaire or request a BAA. We turn around vendor security reviews quickly and can sign an NDA first.

See also: Privacy Policy · DPA · BAA