Security and privacy

Your clients remain your clients.

It is a question rarely asked out loud, yet every lab owner considers it before signing with a cloud vendor: where do my client records end up?

Per-tenant isolation, by design

Each CadCamCloud client lab is a separate tenant. EU client records, STL files, prescriptions, volumes, order frequencies: everything resides in an isolated logical space. The platform is strictly multi-tenant: every database query filters by tenant_id, without exception. No other lab on the platform sees your data.

Administrative access and auditing

Our administrative console accesses only aggregate system metrics: how many practices are active, in which countries, macro volumes. This data has a single purpose: to size servers and hosting in line with the platform's real workload. Never a name, never an email address, never a file. Every administrative access is recorded in an append-only audit log that the Enterprise partner can verify upon request.

Servers in the European Union

The infrastructure runs on Hetzner servers in the Milan datacentre. No healthcare data leaves the EU perimeter. The cloud storage provider operates in EU datacentres. No American CDN for clinical data, no backups on non-EU clouds. GDPR by design, not as a token declaration.

DICOM and PHI data — dedicated handling

DICOM files (CBCT, CT, intraoral radiology series) constitute PHI — Protected Health Information under Art. 9 GDPR: they contain patient name, identification code, healthcare facility, referring clinician. For this reason DICOM uploads are available exclusively on the Premium and Enterprise plans, where the platform applies a dedicated background antivirus scan with automatic quarantine, a specific PHI notice signed at onboarding and an opt-in anonymisation option on the practice side.

On Basic and Pro plans DICOM upload is not enabled: the platform blocks the flow with an explicit upgrade message. Files are recognised by extension (.dcm, .dicom, .dic, .ima, .img) or by the DICM magic bytes, so the check cannot be bypassed by renaming a file to another type. All other formats remain available on all plans within the standard limits.
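The extension-or-magic-byte recognition described above, as an added example that is not CadCamCloud's own code. It assumes the standard DICOM Part 10 layout (a 128-byte preamble followed by the ASCII marker DICM); the function names, return values and lowercase plan identifiers are hypothetical.

```python
import io
import os

# Extensions listed on the page.
DICOM_EXTENSIONS = {".dcm", ".dicom", ".dic", ".ima", ".img"}
# Plans on which the page says DICOM upload is enabled (identifiers assumed).
DICOM_PLANS = {"premium", "enterprise"}
# Assumption: DICOM Part 10 layout, 128-byte preamble then b"DICM".
PREAMBLE_LEN = 128
MAGIC = b"DICM"


def looks_like_dicom(filename, stream):
    """Return True if the name or the content marks the upload as DICOM."""
    ext = os.path.splitext(filename)[1].lower()
    if ext in DICOM_EXTENSIONS:
        return True
    # Content check: unaffected by renaming, reads only the first 132 bytes.
    pos = stream.tell()
    try:
        stream.seek(0)
        head = stream.read(PREAMBLE_LEN + len(MAGIC))
    finally:
        stream.seek(pos)  # leave the stream where the caller had it
    return head[PREAMBLE_LEN:] == MAGIC


def check_upload(plan, filename, stream):
    """Return 'accept', 'accept_phi' (route to PHI handling) or 'upgrade_required'."""
    if not looks_like_dicom(filename, stream):
        return "accept"
    if plan.lower() in DICOM_PLANS:
        return "accept_phi"
    return "upgrade_required"


# Constructed sample inputs (not real patient data).
FAKE_DICOM = bytes(128) + b"DICM" + b"\x02\x00\x00\x00"
FAKE_STL = b"solid demo\nendsolid demo\n"

if __name__ == "__main__":
    for plan, name, data in [
        ("basic", "scan.dcm", FAKE_DICOM),
        ("pro", "model.stl", FAKE_DICOM),       # DICOM content renamed to .stl
        ("premium", "scan.stl", FAKE_DICOM),
        ("basic", "model.stl", FAKE_STL),
    ]:
        print(plan, name, check_upload(plan, name, io.BytesIO(data)))
```

Because either signal is sufficient, a non-DICOM file carrying one of the listed extensions is also treated as DICOM; that errs toward the stricter PHI path.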

Immutable PDF/A and ten-year archive

Each submission received generates a PDF/A — ISO 19005 standard, conformant with AGID Guidelines — comprising client record, completed form, attached files with cryptographic checksum, timestamp and unique UUID. The form_data has no post-submission modification endpoint: what has been submitted cannot be altered.

The document is retained for ten years, in line with the requirement EU Regulation 2017/745 places upon the manufacturer of custom-made medical devices. A QR code on the PDF links to a public verification page accessible without authentication.

Backup and disaster recovery

Daily snapshots of database and storage, with thirty-day rolling retention. Off-site backup on a separate EU provider for disaster recovery. Periodic internal restore testing; for Enterprise contracts, an independent audit may be agreed in an SLA clause.

Do you have specific technical queries?

For those managing sensitive data in significant volumes (multi-site networks, Enterprise) we may prepare a dedicated technical analysis, a customised DPA and SLA clauses.