EU AI Act compliance
for healthcare AI
AI used in medical diagnosis, patient triage, treatment recommendation, and clinical trial recruitment is classified as high-risk under the EU AI Act. Sovergate provides Article 12 compliant logging stored in Germany — with PII scrubbing before any patient data leaves your infrastructure.
Which healthcare AI systems are high-risk
The EU AI Act classifies medical AI as high-risk, imposing stringent requirements for transparency, data governance, and human oversight. Most software-based medical devices require a conformity assessment by a notified body under the MDR or IVDR.
AI systems that assist clinicians in diagnosing conditions, recommending treatment pathways, or interpreting diagnostic imaging fall under high-risk classification when they influence patient outcomes.
AI used to prioritise patients, assess deterioration risk, or allocate clinical resources is considered high-risk given the direct impact on patient safety.
AI systems embedded in medical devices regulated under the EU Medical Device Regulation (MDR 2017/745) or In Vitro Diagnostic Regulation (IVDR 2017/746) must comply with both those frameworks and the EU AI Act.
AI tools that screen electronic health records to match patients to clinical trials qualify as high-risk under Annex III, requiring logging of all recruitment decisions made in part by the AI.
AI used in drug discovery, pharmacovigilance, and adverse event detection that influences decisions about patient treatment or safety falls within scope.
⚠️ The compliance intersection: AI Act + MDR/IVDR + GDPR
Automatic logging of every AI decision, tamper-evident audit trail, minimum 6 months retention.
Conformity assessment, clinical evaluation, post-market surveillance. Full compliance obligations take effect August 2027.
Patient data is special category data under Article 9. The highest level of protection applies. PII must be minimised before logging.
Sovergate satisfies the Article 12 logging requirement while ensuring patient data never leaves your infrastructure unredacted.
Patient data and PII scrubbing
Sovergate's PII scrubbing runs locally inside your infrastructure before any data is sent to our servers. We detect and redact:
| Data type | Replaced with |
|---|---|
| Patient names | [NAME_REDACTED] |
| Dates of birth | [DOB_REDACTED] |
| National health numbers | [ID_REDACTED] |
| Diagnoses and conditions | [CONDITION_REDACTED] |
| Medication names (with patient identifiers) | — |
| Email addresses and phone numbers | [EMAIL_REDACTED] |
Only the scrubbed version reaches our servers in Germany. Your patients' data never leaves your infrastructure.
Human oversight logging
Article 14 requires human oversight of high-risk AI systems. Sovergate records human oversight events — exactly what a notified body or supervisory authority will expect to see.
- ✓Clinician reviewed AI recommendation: logged
- ✓Clinician overrode AI recommendation: logged with timestamp
- ✓Reason for override: recorded if provided
- ✓Final clinical decision: recorded
What your compliance team gets
A monthly PDF per AI system containing:
- ✓Total AI clinical decisions logged
- ✓PII detection summary — categories detected and scrubbed
- ✓Human oversight events — reviews, overrides, interventions
- ✓Audit trail integrity verification: PASSED
- ✓Data residency: Hetzner, Nuremberg, Germany
- ✓Retention status for MDR/IVDR post-market surveillance
Pricing
- 5 AI systems
- 1,000,000 requests per month
- Monthly Article 12 reports
- Human oversight event logging
- Unlimited AI systems
- Extended retention for MDR/IVDR post-market surveillance
- SLA guarantee
- DPA and data processing schedules included
The December 2027 enforcement deadline
is closer than it looks.
Initializing the Sovergate SDK takes less than 10 minutes. Securing explicit governance sign-off from your corporate internal audit team takes weeks. Deploy the staging proxy today, export your first verification ledger, and clear compliance blockers early.