Trust Centre

1. Overview

Mosaic Health AI is designed for healthcare communications teams that need to create high-quality, compliant scientific content.

We take security, privacy, and ethical AI use seriously – ensuring every automation remains transparent, traceable, and under human control.

Our approach follows three core principles:

  • Security by Design – protection built in from day one.
  • Privacy by Default – data minimised and encrypted throughout.
  • Human Oversight – AI enhances, never replaces, expert review.

2. Our Security Principles

We protect data through layered, proactive measures based on global standards.

Principle             | Description
----------------------|------------------------------------------------------------------
Least Privilege       | Users only access what they need for their role.
Encryption Everywhere | TLS 1.2+ for data in transit; AES-256 for data at rest.
Transparency          | Clients can request documentation on data handling and subprocessors.
Continuous Review     | Policies updated regularly as the platform evolves.

3. Data Protection & Privacy

Data Ownership

All data uploaded to Mosaic remains the property of the client. Mosaic processes data solely to provide platform functionality during the pilot.

Data Residency

Data is stored within the UK/EU region via Render (on AWS infrastructure).

Encryption

  • In transit: TLS 1.2+
  • At rest: AES-256

Data Retention

Data is deleted within 30 days of pilot completion or on request.

Subprocessors

Vendor           | Function                      | Certifications
-----------------|-------------------------------|-------------------------
Render (AWS)     | Hosting and infrastructure    | SOC 2, ISO 27001
OpenAI           | Large Language Model provider | SOC 2 Type II, ISO 27001
Pinecone         | Vector database               | ISO 27001
Google Workspace | Collaboration tools           | SOC 2, ISO 27001

Client data is never used to train or fine-tune AI models.

4. Information Security Controls

Access Control

  • Role-Based Access Control (RBAC)
  • MFA for admin access
  • Regular access reviews

Network Security

  • HTTPS enforced across all endpoints
  • API tokens with expiry and scoped permissions

Incident Response

  • Based on NIST framework
  • Incidents triaged and contained within 4 business hours
  • ICO notified within 72 hours if required

Backup & Recovery

  • Cloud-native encrypted backups
  • Tested restoration procedures

Downloadable Policies

  • Information Security Policy
  • Encryption Policy
  • Data Handling Policy
  • Incident Response Policy
  • Third-Party Access Policy

5. Compliance & Governance

Mosaic aligns with major international frameworks:

Standard   | Status
-----------|--------------------
ISO 27001  | Principles adopted
SOC 2      | Principles adopted
UK/EU GDPR | Fully compliant
EU AI Act  | Ready
NIST CSF   | Partial alignment

6. Responsible AI Use

Our AI practices focus on transparency, traceability, and human control.

Key Principles

  • Human-in-the-loop: All Mosaic outputs are reviewed before use.
  • Transparency: AI-generated drafts are auditable and reference-linked.
  • Ethical Boundaries: Mosaic does not process personal health data or make clinical decisions.
  • Third-Party Models: We use OpenAI's GPT models via API — never trained or fine-tuned on client data.
  • Governance: We adhere to EU AI Act principles for documentation and accountability.

Read our AI Transparency Statement

7. Monitoring & Improvement

  • Real-time monitoring of access logs and system uptime.
  • Regular dependency updates and security patches.
  • Security and privacy reviews at least twice yearly.
  • Team-wide infosec training and incident simulation exercises.

8. Insurance & Accountability

Mosaic maintains appropriate insurance coverage for the pilot phase:

Type                   | Coverage
-----------------------|-------------
Professional Indemnity | £10,000,000
Public Liability       | £5,000,000
Cyber Liability        | £2,000,000
Employer's             | £10,000,000

Certificates available upon request.

10. FAQs

Q: Where is my data stored?
A: Data is stored in the UK/EU region using Render on AWS infrastructure.

Q: Is my data used to train AI models?
A: No. Client data is never used to train, fine-tune, or improve any AI model.

Q: What happens if there is a data breach?
A: Mosaic follows a NIST-based Incident Response Plan, with ICO notification readiness within 72 hours.

Q: Can I get a copy of your security policies?
A: Yes, summary PDFs are available on request under NDA.

Q: Are you compliant with the EU AI Act?
A: Mosaic is classified as a low-risk system under the AI Act and meets all transparency and human oversight requirements.


Last updated: March 2026 © 2025 Mosaic Health AI Ltd – Registered in the United Kingdom

We continuously improve our security posture and update this Trust Centre accordingly.

Built for trust

We take security, privacy, and ethical AI very seriously – ensuring every automation remains transparent, traceable, and under human control.

Secure by Design

We follow ISO 27001 and SOC 2 principles and maintain clear data-handling and incident-response policies.

Privacy by Default

Data minimised and encrypted throughout, with all data encrypted in transit (TLS 1.2+) and at rest (AES-256).

Human Oversight

We make sure that AI enhances, never replaces, expert review.

See Mosaic in action

We're working with select health-comms partners to assess Mosaic's operational impact and develop new features.

If you'd like early access, get in touch to join the pilot program.
