Therapy data is the most sensitive data a software product can touch. We treat it that way. Here's every commitment we make, with the line of code or contractual clause that backs it up.
Data residency: EU (Frankfurt)
Audio storage: Never
AI training: No (zero retention)
GDPR posture: UK GDPR + DPA 2018
ICO registered: Yes
Audit log export: On request
Data export (SAR): Self-serve, 7-day link
Data deletion: ≤30 days after request
01
EU data residency
All Sorca data is stored in Frankfurt, EU. Patient session data never leaves the European Economic Area. We are a UK-controlled service running on EU-controlled infrastructure.
How we prove it
Firebase EU multi-region (eur3); Vercel Functions pinned to fra1; Anthropic / Google AI endpoints proxied via EU-region edges where supported.
02
Audio is never stored
The Session Scribe transcribes audio in your browser via Web Speech API. The audio waveform never leaves the device. Only the transcript reaches our servers, and the transcript is processed in memory and discarded after the note is generated.
How we prove it
app/api/scribe/route.ts processes the transcript in a single request and never writes audio to storage. Verifiable on the network panel.
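The shape of a browser-side scribe that matches the claim above, as an added example that is not Sorca's own code: the browser's speech engine does the recognition, only final transcript text is assembled into the request, and a guard refuses any payload that could carry audio bytes. The /api/scribe path, the sessionId field and the function names are assumptions.

```javascript
// Added example, not Sorca's code. Assumed: the /api/scribe endpoint and field names.
// Pull only *final* segments from a SpeechRecognitionResultList-like value: an array
// of results, each an array of alternatives with `.transcript`, plus an `isFinal` flag.
function collectFinalTranscript(results) {
  const segments = [];
  for (let i = 0; i < results.length; i++) {
    if (results[i].isFinal) segments.push(results[i][0].transcript.trim());
  }
  return segments.join(' ');
}

// Construct the request body by hand so nothing but strings can appear in it.
function buildScribePayload(transcript, sessionId) {
  return { sessionId, transcript, source: 'web-speech-api' };
}

// Guard before sending: every field must be a plain string and none may be a base64
// audio data URL. JSON.stringify silently turns a Blob into {}, so this check, plus
// the browser network panel, is how "only the transcript reaches the server" is verified.
function payloadCarriesOnlyText(payload) {
  return Object.values(payload).every(
    (v) => typeof v === 'string' && !/^data:audio\//i.test(v)
  );
}

// Browser wiring, guarded so the module also loads where there is no DOM.
function startScribe(sessionId, onNote) {
  const Recognition = globalThis.SpeechRecognition || globalThis.webkitSpeechRecognition;
  if (!Recognition) throw new Error('Web Speech API is not available here');
  const rec = new Recognition();
  rec.continuous = true;
  rec.interimResults = true;   // interim text is rendered locally, never sent
  rec.lang = 'en-GB';
  let finalText = '';
  rec.onresult = (ev) => { finalText = collectFinalTranscript(ev.results); };
  rec.onend = async () => {
    const payload = buildScribePayload(finalText, sessionId);
    if (!payloadCarriesOnlyText(payload)) throw new Error('refusing non-text payload');
    const res = await fetch('/api/scribe', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify(payload),
    });
    onNote(await res.json());   // the generated note; the transcript itself is not stored
  };
  rec.start();
  return rec;                   // caller runs rec.stop() to end the session
}
```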
03
Your words never train a model
We never train Sorca or any third-party AI on your data. Our API contracts with Google Gemini and Anthropic enforce zero data retention for the inference layer. Patient transcripts, clinical notes, treatment plans, and letters are excluded from any AI training corpus, ours or theirs.
How we prove it
Gemini API: ZDR via Vertex AI commercial agreement. Anthropic API: Zero retention enforced via API key tier. Documented in the data processing agreement available on request.
04
GDPR is the floor, not the ceiling
Every data-sharing decision (between you and your therapist, between you and Sorca) is explicit, opt-in, and revocable. Consent is toggled per category (homework, mood data, pattern alerts, week summary), not through a single all-or-nothing switch. You can export everything we hold about you, or delete it, in one click.
How we prove it
GDPR Articles 6 (lawful basis: consent), 15 (right of access), 17 (erasure), 20 (portability), 28 (processor obligations). Full DPA available on request.
05
ICO registered, audit log on request
Sorca is registered with the UK Information Commissioner's Office as a data processor. We maintain a full Article 30 record of processing activities. Therapists can request a CSV audit log of every read against their consented client roster.
How we prove it
ICO registration number provided in the platform Settings page. Audit log exports via /dashboard/settings → Compliance.
06
Crisis routing
When Sorca detects crisis language in any user input, the response is replaced with verified UK crisis resources: Samaritans (116 123), NHS 111 (option 2), and Shout (text SHOUT to 85258). High-severity events also create an urgent alert for the consented therapist (if any) within seconds.
Sorca's outputs (notes, letters, treatment plans, consent forms) are framed around BACP, UKCP, HCPC, and NICE documentation standards. Outcome measures use the NHS-standard PHQ-9 and GAD-7 with IAPT recovery thresholds.
How we prove it
lib/iapt-dataset.ts thresholds match IAPT national standards; clinical letter templates reviewed against BACP guidance; consent forms reviewed against Gillick / Fraser case law for under-16s.
08
You are not the product
We don't sell ads. We don't sell data. We don't sell research access. Our business model is subscription revenue from therapists and an optional client tier; that is the entire revenue pie. If you stop paying, we delete your data within 90 days.
We provide a full Data Processing Agreement, BAA (where relevant), DSP toolkit alignment summary, and ICO registration number to therapists, group practices, and institutional partners on request, usually within one working day.