Corpus
Menu
For you For companies For physicians Demo How it works Security Pricing Recover my record

Security & trust

The vault we can’t open.

Health data is too important to monetize behind your back. Corpus is built so that trust is a property of the architecture — not a promise you have to take on faith.

Recover my record
§01

Key custody

Your key never leaves your device.

With end-to-end encryption enabled, your records are encrypted with a key only you hold. Corpus stores ciphertext — we cannot read, sell or leak what we cannot decrypt.

Your device master key ciphertext only Corpus storage 9f3a··e1 7c··b2 a4··dd 02··9c f1··6e no plaintext, no key Analysis runs on your device, or in an isolated session erased afterwards. name never sent
Exhibit A · Patient-held key custody — ciphertext stored, plaintext never transmitted

When analysis is needed, it runs where the plaintext already is: on your device, or in an isolated session that is destroyed afterwards. Your identity is never sent to a third-party model. (We’ll be explicit on this page about what runs on-device today versus what’s on the roadmap — no hand-waving.)

Secure my records now →
§02

Emergency access

If something happens to you, the right person can still help.

You can grant a trusted physician or relative time-limited, read-only access that activates only if you don’t decline within a window you set — and every access is logged. You stay in control the whole time.

  1. 1

    You nominate

    Pick a trusted physician or relative and set a wait window.

  2. 2

    They request

    In an emergency they ask to unlock your record.

  3. 3

    You can decline

    You’re notified and can block it anytime in the window.

  4. 4

    Time-limited read

    If you don’t decline, they get read-only, audited access.

Exhibit B · Time-limited, patient-triggered emergency access protocol
§03

Data fidelity

Trustworthy because it’s traceable.

A record is only useful to a clinician if they can trust where it came from. Corpus keeps provenance on everything and is explicit about what it is — and isn’t.

PROVENANCE Every field carries its originating document, provider, date and original format. Nothing is a black box.
CORRECTIONS See something wrong? Flag it. We re-check against the source and correct or annotate it, with the history kept.
SCOPE Corpus compiles and retrieves your records. It does not verify clinical accuracy — interpretation stays with your licensed provider.
§04

Ownership & governance

Aligned with you, by construction.

NO DATA SELLING Subscription-only. We never sell, broker or advertise against your records. Any sharing is opt-in and on your terms.
YOURS TO TAKE Full export in open formats (FHIR R4 + your raw files) anytime. If Corpus ever winds down: 90 days’ notice and a complete export.
EU DATA RESIDENCY Records are held in the EU. We publish our sub-processors and offer a GDPR-compliant DPA to organizations.
AUDITED & DELETABLE Access is logged. You can exercise erasure (GDPR Art. 17); we honor retention and deletion on request.

Not a medical device. Corpus organizes and surfaces your records and relevant research. It does not diagnose, triage clinically, or replace professional judgment, and it never suppresses an escalation. We are pursuing recognized security and privacy standards (e.g. SOC 2, ISO 27001, and C5 in Germany) — stated here as commitments on our roadmap, not certifications we already hold.

Recover my record →

Start recovery

Recover my record

Where should we start? We file the first requests; you hold the key. We reply within two business days.

I’m enquiring…

What happens next: we reply within two business days. Onboarding is a one-time identity check (about five minutes — the video is never stored) and a tap to select your insurers; we take it from there.