Privacy Policy
RadSwift — Cloud Ultrasound Service · Version 1.0
📡 RadSwift processes imaging data from your PACS via an encrypted cloud pipeline. Data is retained for a maximum of 24 hours, then permanently deleted. A Business Associate Agreement (BAA) is available for institutions that require one under HIPAA.
Publisher: RadSwift | Version: 1.0 | Effective: June 10, 2026
Overview
RadSwift ("Service", "we", "us") is a cloud-based workflow automation service that receives ultrasound imaging data from your PACS, extracts measurements using AI, and returns structured report text to your reporting system. This policy describes what data we receive, how we handle it, and how we protect it.
This policy applies to the RadSwift cloud ultrasound service. For the RadSwift DXA desktop application — which processes data entirely locally — see the RadSwift DXA Privacy Policy.
1. What Data We Receive
When a study completes in your PACS and is routed to RadSwift, we receive:
- DICOM imaging data — the ultrasound study images sent via DICOM C-STORE from your PACS to our dedicated Orthanc DICOM server on Google Cloud Platform (GCP).
- DICOM metadata — header information embedded in the DICOM file, which may include patient identifiers (name, DOB, MRN), study date, and referring physician, depending on your PACS configuration.
- Institutional identifiers — your institution's API key and IP range, used for access control and routing.
We do not collect personal information about clinicians or staff beyond what is necessary to operate the service (e.g., the email address provided at setup for support communication).
2. How We Process Data
Imaging data received from your PACS is:
- Transmitted to GCP via TLS 1.2 or higher (DICOM C-STORE on port 4242);
- Processed by our AI pipeline to extract measurement values;
- Used to generate paste-ready report text that is delivered to your reporting system (PowerScribe, Epic, etc.) via an authenticated HTTPS API call;
- Retained on GCP infrastructure for a maximum of 24 hours to support processing, error recovery, and audit logging, then permanently and automatically deleted.
No patient data is stored beyond the 24-hour processing window. We do not use patient imaging data for AI model training, product development, or any purpose other than delivering the extraction service to your institution.
3. Patient Data and HIPAA
Because RadSwift receives and processes DICOM data that may contain Protected Health Information (PHI), RadSwift acts as a Business Associate under HIPAA for institutions that are Covered Entities or Business Associates.
- We provide a Business Associate Agreement (BAA) to institutions that require one — contact us at [email protected] to request a copy before committing.
- We execute a BAA with Google as our sub-processor for GCP infrastructure.
- All access to patient data in our GCP environment is restricted to authorized RadSwift engineers via multi-factor authentication. Patient imaging data is processed automatically by the service — no RadSwift employee reviews individual patient studies.
- You remain responsible for ensuring that routing studies to RadSwift complies with your institution's HIPAA policies and any applicable patient authorization requirements.
4. Data Security
We implement the following technical safeguards:
- Encryption in transit: All data transmitted between your PACS and our GCP infrastructure uses TLS 1.2+. Dashboard access uses HTTPS (port 443).
- Encryption at rest: All data stored on GCP is encrypted at rest using AES-256 (GCP default).
- Access controls: Access to our GCP environment is restricted by IP allowlist and requires MFA for all RadSwift personnel.
- Audit logging: All processing events and access to GCP infrastructure are logged with tamper-evident, append-only audit trails retained for 6 years.
- No inbound ports: No inbound firewall rules are required on your network. All connections are initiated outbound from your institution.
5. Sub-processors
RadSwift uses the following sub-processor to deliver the Service:
- Google Cloud Platform (GCP) — cloud infrastructure for DICOM ingestion, AI processing, and result delivery. GCP maintains HIPAA-eligible infrastructure, and we execute a BAA with Google as our sub-processor.
We do not share patient data with any other third party.
6. Data Retention
Imaging data (DICOM files) and extracted measurement data are automatically and permanently deleted from our systems within 24 hours of receipt. Audit logs (which contain event metadata but not patient imaging data) are retained for 6 years in accordance with HIPAA requirements.
7. Changes to This Policy
We may update this Privacy Policy from time to time. Updated versions will be published at radswift.com/privacy-cloud.html with a revised effective date. We will notify active institutions of material changes in advance.
8. Applicable Law
This Privacy Policy is governed by the laws of the State of New York. If you are located in the European Economic Area or United Kingdom, you may have rights under the GDPR or UK GDPR — please contact us to discuss your specific situation.
9. Contact Us
For privacy questions, BAA requests, or security documentation, contact:
- RadSwift
- [email protected]
- www.radswift.com
Last updated: June 10, 2026