// Trust & Security Report

    GE HealthCare logo

    GE HealthCare

    Caption AI – AI-powered guidance for cardiac ultrasound imaging. Includes Vscan Air SL with Caption AI (handheld device), Venue Family with Caption Guidance (point-of-care systems), and AutoEF (automatic ejection fraction calculation). FDA 510(k) cleared.

    Certifications held

    8

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    ISO 27001:2022
    HELD

    GE HealthCare's Global Information Security Management System is globally certified according to ISO 27001... Certificate Number IS 725196... for Europe remote service delivery and technical support data storage, and remote connectivity provided from their GEHC Data Center in France.

    Verify on gehealthcare.com
    ISO 27018:2019
    HELD

    GE HealthCare's Global Information Security Management System is globally certified according to ISO 27001, 27018 and 27701 standards.

    Verify on gehealthcare.com
    ISO 27701:2019
    HELD

    the company maintains ISO certification to the privacy standard ISO 27701:2019.

    Verify on investor.gehealthcare.com
    ISO 9001
    HELD

    GE HealthCare is certified with ISO 9001... covering the sales, delivery, installation, repairing, servicing, commissioning, and decommissioning of GE HealthCare medical devices and multivendor medical devices.

    Verify on gehealthcare.co.uk
    ISO 13485
    HELD

    GE HealthCare is certified with ISO 13485 covering the sales, delivery, installation, repairing, servicing, commissioning, and decommissioning of GE HealthCare medical devices and multivendor medical devices.

    Verify on gehealthcare.co.uk
    HIPAA
    HELD

    Caption AI technology is completely shielded and follows HIPAA privacy regulations. The AI software can be safely downloaded and is routinely refreshed to guarantee data security.

    Verify on gehealthcare.com
    GDPR
    HELD

    GE HealthCare has developed an efficient GDPR framework... Both GE HealthCare and customers must keep detailed records of processing activities... GE HealthCare adheres to applicable data protection laws, including guidance issued by the French Data Protection Authority (CNIL).

    Verify on landing1.gehealthcare.com
    FDA 510(k) Clearance
    HELD

    Caption AI (Caption Health, GE HealthCare) has received FDA clearance for AI-guided cardiac image acquisition... GE HealthCare signed an agreement to acquire Caption Health... and has demonstrated that individuals without formal echocardiography training can obtain diagnostically interpretable images using AI guidance.

    Verify on gehealthcare.com
    > Show 1 unconfirmed / not-held certifications
    SOC 2 Type 2
    NOT CONFIRMED

    No public evidence of GE HealthCare-wide SOC 2 Type 2 certification found. ReadySee (a GE HealthCare product) uses SOC 2-compliant data center infrastructure, but this is a hosting certification, not an organizational certification.

    source: gehealthcare.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Primary data center in France (Europe). International transfers outside EU use GDPR-compliant standard contractual clauses (Article 46 GDPR). Transfers to countries with lower data protection levels (including US) permitted with contractual safeguards.

    GE HealthCare collects and uses non-personal data for training, development, and continuous product improvement. For EU AI research, data is pseudonymized. GE HealthCare will not sell data or use it to identify customers without consent. Caption AI itself is HIPAA-compliant and shielded from customer healthcare data exposure.

    // Security controls

    Encryption in transit

    Standard TLS/SSL encryption for remote service connectivity and data storage

    gehealthcare.com

    Encryption at rest

    Protected by ISO 27001 and 27002 security controls; France data center provides encryption for remote data storage

    gehealthcare.com

    Vulnerability disclosure program

    Coordinated Vulnerability Disclosure (CVD) program; submit to Cvd@gehealthcare.com

    gehealthcare.com

    Employee security training

    Mandatory annual cyber training program for all employees

    gehealthcare.com

    Security framework alignment

    Skeye cybersecurity solution aligns with NIST Cybersecurity Framework; 24/7 managed security for networked medical devices

    gehealthcare.com

    Medical device cybersecurity

    Product Security Portal providing security advisories, vulnerability notifications, and patch management

    gehealthcare.com

    // Products & data scope

    Vscan Air SL with Caption AIHandheld ultrasound device

    data: Real-time cardiac imaging guidance; patient ultrasound images (HIPAA protected); device sensor data for AI inference

    FDA 510(k) cleared. Handheld device with AI-powered probe positioning guidance and AutoEF calculation. Can be used outside professional healthcare facilities (with environmental restrictions).

    Venue Family with Caption GuidancePoint-of-care ultrasound system

    data: Cardiac imaging data; patient ultrasound images (HIPAA protected); real-time guidance data

    Point-of-care ultrasound systems with AI-powered real-time guidance. Provides step-by-step prompts for probe positioning and quality assessment.

    AutoEFAI analysis feature

    data: Cardiac imaging analysis; calculated ejection fraction metrics

    Automatic calculation of left ventricular ejection fraction from ultrasound views. Integrated into both Vscan Air and Venue Family systems.

    // What to watch

    • SOC 2 Type 2 not publicly confirmed – while ISO 27001:2022 provides comparable controls, SOC 2 is not disclosed (may be in customers' private trust reports). Minor documentation gap given enterprise maturity.
    • Vendor website pages (privacy, security, trust center) return 403 Forbidden due to anti-bot protection. Assessment supplemented with public press releases, investor relations, and third-party documentation (BSI certificate, DQS certifications database). Identity and core certifications verified through multiple sources.
    • AI training note uses term 'non-personal data' without strict technical definition. GE HealthCare states: 'will not sell the data or use it to identify customers without consent', and Caption AI is 'HIPAA-compliant and shielded.' Consistent with privacy-by-design but could benefit from explicit pseudonymization/anonymization detail in customer-facing documentation.

    // At a glance

    Pricing model

    Medical device (enterprise/hospital procurement); pricing not publicly disclosed

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on GE HealthCare's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    gehealthcare.com

    > Browse all vendor trust reports