// Trust & Security Report

    Ada Health GmbH logo

    Ada Health GmbH

    Ada Assess (symptom assessment AI with medical guidance) and Medical Library. Consumer app and enterprise versions. Ada Assess is a Class IIa medical device under EU-MDR.

    Certifications held

    5

    Maturity

    Growth

    Trains on your data

    Yes

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    ISO 27001
    HELD

    Certified with the quality standard for information security

    Verify on ada.com
    ISO 13485
    HELD

    Certified quality management system [for medical devices]

    Verify on ada.com
    GDPR
    HELD

    Ada implements technical and organisational measures required by Article 32 GDPR and obtains ISO 27001 certification for its information security management system. Ada is EU-GDPR compliant.

    Verify on ada.com
    EU-MDR
    HELD

    Ada Assess is classified as a Class IIa medical device according to regulation (EU) 2017/745

    Verify on ada.com
    HIPAA
    HELD

    HIPAA Compliant badge displayed on enterprise health systems page. Company complies with HIPAA standards for US enterprise deployments.

    Verify on about.ada.com
    > Show 1 unconfirmed / not-held certifications
    SOC 2
    NOT CONFIRMED

    No mention of SOC 2 certification found on ada.com security, privacy, or compliance pages despite detailed security documentation.

    source: ada.com

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    EU (health data stored in EU on AWS EMEA S.A.R.L. in Luxembourg and Google Commerce Limited in Ireland)

    Ada uses anonymized real world user data such as anonymized past assessment data for developing AI/LLM capabilities. Company follows high standards and strict procedures to ensure anonymization meets GDPR requirements.

    // Security controls

    Data encryption

    Encryption of personal health information

    ada.com

    Data separation

    User details separated from health information, each stored separately in servers within the EU

    ada.com

    Security by design

    Integrated throughout product lifecycle

    ada.com

    Penetration testing

    Regular penetration testing to identify vulnerabilities

    ada.com

    Physical security

    Physical security controls at offices

    ada.com

    Employee training

    Employee security training through Global Compliance & Ethics Department

    ada.com

    Audits

    Both external and internal audits for regulatory compliance

    ada.com

    Data residency

    Health data always stays in EU; personal data processed by AWS EMEA and Google Ireland

    ada.com

    Data Protection Officer

    Designated DPO: dpo@ada.com; Supervisory authority: Berlin Data Protection Authority

    ada.com

    // Products & data scope

    Ada Assess (Consumer)Health AI / Symptom Assessment

    data: User health data, symptoms, medical history

    Class I medical device. GDPR-compliant. Uses anonymized data for AI training with user consent. Free consumer application.

    Ada Assess (Enterprise)Health AI / Clinical Decision Support

    data: Patient health data, EHR integration via FHIR

    Class IIa medical device under EU-MDR. Offered to health systems and life sciences. HIPAA-compliant deployment option available. Secure EHR/CRM integration.

    Medical LibraryHealth Information / Content

    data: Health education content, no sensitive user data collection

    Educational resource. Grounded in latest medical research and peer-reviewed studies.

    // What to watch

    • HIPAA certification is mentioned on enterprise pages (health systems, enterprise) but NOT on the main security page. Confidence is high that HIPAA-compliant versions exist for US enterprise deployments, but BAA documentation not found on ada.com—confirm BAA availability with sales team.
    • SOC 2: No evidence of SOC 2 Type 1 or Type 2 certification found despite detailed security disclosures. If claimed elsewhere, verify independently.
    • GDPR DPA: Offered for enterprise customers; confirm specific terms during procurement.
    • Medical device classification (EU-MDR Class IIa for Ada Assess) is a strength signal for clinical safety but may not apply to all product variants or use cases.

    // At a glance

    Pricing model

    Freemium consumer app; enterprise licensing for health systems and life sciences partners

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Ada Health GmbH's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    ada.com

    > Browse all vendor trust reports