Privacy Architecture
We monitor the machine.
Not the person.
EmpathyC evaluates your AI's behaviour, detects risks, and alerts you. Your users' messages are encrypted on arrival, never stored readable, and never shown to a human — and no one person here can decrypt them alone.
Never stored readable
User messages encrypted on arrival, kept only as an encrypted blob
GDPR processor, not controller
You retain full data sovereignty
No single-person access
4-of-4 split key — no individual can decrypt alone
How data flows
The whole conversation is scored together — then user and AI content are stored very differently.
User messages
Your app sends conversation
User messages + AI messages + conversation ID
Encrypted on arrival
4-of-4 split key — decryptable only with all four shares, held so no one person can act alone
Decrypted in memory for scoring
The one moment the conversation is readable — decrypted in volatile memory to score it, keys then discarded. Never persisted, never shown to a human.
Stored as encrypted blob
Encrypted at rest — not readable without the full 4-of-4 key
AI messages
Your app sends conversation
Same API call — AI messages separated at ingestion
Scored in context against clinical rubrics
The judge reads the whole conversation to score the AI's replies · Empathy · Reliability · Consistency · Crisis · Boundary · Harmful Advice
Stored in plaintext
Your AI's outputs — content you already own and control
Safety flag triggered
Incident created → immediate alert (email + Slack) → report generated
Your admin reviews incident
Copies conversation ID → looks up user in your system → takes action
What you see in incident reports
Layered disclosure — enough context to act, never enough to violate user privacy.
Incident Report · chat_abc123 · Crisis detected
PDF export- Incident summary
AI-generated, PII-stripped — no user quotes, no sentiment labels on user content
- AI responses
Full text — your AI's output, evaluated against clinical rubrics
- User messages
[User — ***** 08.03.26 03:44]
Timestamp only. Zero content. Always masked.
- Conversation ID
chat_abc123
The bridge — use this to look up the full conversation in your own system
- Resolution timeline
Detected → Alert sent → Acknowledged → Actioned
- PDF export
Immutable audit trail with cryptographic integrity hash
What we don't keep
We store as little about your users as the work allows. What we keep is encrypted and PII-stripped — so a breach of our storage exposes no readable user conversations.
Stored, readable user messages
We don't keep them readable. What's stored is an encrypted blob — database access alone does not surface user content.
Stored PII
We don't extract or store names, emails, phone numbers, addresses, or demographics. Incident summaries are PII-stripped.
Sentiment labels on user messages
Intentional — labelling user emotional states creates false bias risk and is unnecessary for safety evaluation.
A "view full transcript" button
By design. We surface AI messages only. User content is never shown to a human — not in the UI, not in the API.
A single-person way to decrypt
The key is split 4-of-4, so no one person can decrypt alone. Today all four shares are held by us; our roadmap puts one on your side — so we cannot decrypt without you.
Why this architecture matters
Privacy by architecture — not privacy by policy. The difference is enforceable.
GDPR-compliant by design
EmpathyC operates as a data processor, not a controller. You retain full data sovereignty and consent obligations. We process on your behalf.
Liability shrinks structurally
A breach of our storage yields encrypted blobs and PII-stripped summaries — not readable user conversations.
Split-key access — and moving to you
The decryption key is split 4-of-4, so no individual can act alone. Today the shares are held by us; our roadmap puts one on your side — so even a full compromise of our systems cannot decrypt without your participation.
Conversation-ID bridge, not the content
If a court needs the full transcript, they go to your system — where you hold it and the consent. We keep the conversation_id, not readable user content: it's the bridge back to your own records.
Client retains duty of care
You know your users, your context, and your legal obligations. We give you the signal. You make the decision. Deliberate by design.
“We're the smoke alarm, not the fire department.”
We evaluate AI behaviour and alert you to risk. We don't hold user PII, we don't intervene, and we don't make decisions on your behalf. That's not a limitation — it's the right design.
For full legal details see the Privacy Policy and Subprocessor List.