Compliance posture

For clinical-lab decision-makers and DPO teams


Genetic History is a push-model software module installed in your laboratory’s own infrastructure. This page explains what that means for data-protection obligations — yours and ours — in terms your procurement and DPO teams can act on without a legal dictionary.

The short version: patient data never reaches Genetic History. It stays in your infrastructure. Genetic History’s obligations under GDPR arise from distributing a software library, not from processing your patients’ genetic data.


1. Architecture: the technical basis for the compliance perimeter

Genetic History does not operate as a cloud API or SaaS platform. Your laboratory installs a software module in your own IT environment. The module processes genetic-variant inputs against a locally stored ancestry-narrative library and returns structured outputs — without any data leaving your perimeter.

Four architecture invariants create the compliance structure:

No runtime data transfer to Genetic History. Once installed and library-synced, the module runs fully offline. No call-home, no telemetry, no usage analytics, no runtime logs reach Genetic History at any point during patient-result processing.

Library updates are one-way. Genetic History publishes versioned library updates at HTTPS endpoints on Scaleway EU (Spain region). Your module syncs on a configurable cadence — weekly by default; monthly or quarterly for stability-conservative environments. Only library content flows toward your module. No patient data flows back.

EU-only hosting. Genetic History’s sync infrastructure operates on Scaleway EU (Spain region) exclusively. No cross-border data transfer mechanism exists in v0.1.

Data stays at partner. Patient data resides in your infrastructure at all stages: ingestion, processing, and output delivery. This is a technical invariant, not a policy commitment — it is auditable by design.


2. GDPR Art. 9 — scope of our engagement

Because patient data stays in your infrastructure, Genetic History’s GDPR scope covers library distribution only — not patient-data processing.

In practice:

Our DPA scope is narrow. Genetic History’s Data Processing Agreement template is scoped to library-distribution only — materially narrower than a typical API-SaaS DPA. It covers the sync-endpoint relationship, not patient-data handling. A pre-drafted, narrowly scoped DPA template is available from the LOI stage onward.

Your Art. 9 obligations remain yours. Your laboratory already holds the patient consent basis for clinical genetic testing. Extending ancestry-narrative output to a patient’s result requires that your consent scope covers this additional use. Genetic History provides consent-language guidance in the DPA template to support your compliance review.

Sub-processor registry. Scaleway (EU, Spain region) is the sole sub-processor in Genetic History’s DPA scope, engaged for library hosting and sync-endpoint infrastructure only.


3. Breach scope and notification

At your site: patient data resides in your infrastructure. A breach involving patient genetic data in your environment falls within your GDPR Art. 33 72-hour notification obligation.

On Genetic History’s side: any breach at Genetic History involves only the library-distribution asset — a versioned software library package. This is not personal data. Genetic History’s 72-hour notification obligation, where triggered, is scoped to this library asset only.


4. Regulatory framework statements

The following positions reflect Genetic History’s current architectural posture combined with established legal-research substrate. Items marked [INTERIM POSTURE] are pending formal validation by Peer 8 Legal/Compliance Counsel (deployment ~2026-05-15..05-25). Peer 8 will confirm, update, or revise these positions with formal legal opinions.

Ley 14/2007 de Investigación Biomédica (Spain)
Genetic History operates in the genealogical and wellness context. The module delivers ancestry narratives — not research protocols, biomedical analysis, or clinical-data interpretation. Technical separation between ancestry-narrative generation and biomedical research is enforced by module design. [INTERIM POSTURE: genealogical-scope characterisation pending Peer 8 formal review]

IVDR / MDR
Genetic History distributes a non-clinical module. Our scope assertion is that the ancestry-narrative module does not constitute a medical device under IVDR. Your laboratory’s existing MDR/IVDR compliance scope is not affected by this integration — the module operates outside clinical-interpretation scope. [INTERIM POSTURE: non-clinical module label is our scope assertion, not a regulatory determination; Peer 8 formal review post-MVP-live]

EHDS (European Health Data Space, active 2026-03-26)
Non-clinical genealogical ancestry framing is likely outside EHDS primary-use data scope. Genetic History does not hold or process health data within the EHDS definition. [INTERIM POSTURE: formal EHDS scope assessment by Peer 8 pending]

EU AI Act
EU AI Act high-risk provisions take effect 2026-08-02. Genetic History adopts a transparency-forward posture ahead of this deadline. AI-assisted ancestry-narrative generation is disclosed in module output documentation. Formal risk classification under the EU AI Act is subject to Peer 8 Legal/Compliance Counsel review; no classification is asserted in this document. [INTERIM POSTURE]

Accessibility (EAA / Spain RD 193/2023)
The EU Accessibility Act’s B2B exemption and microenterprise exemption both apply to Genetic History’s offering. WCAG 2.1 AA compliance is adopted voluntarily as a trust-signal and as anticipatory preparation for Spain RD 193/2023 phase-in (2029 deadline).


A pre-drafted, narrowly scoped Data Processing Agreement template (library-distribution scope, not patient-data processing) is available from the LOI stage onward.

To request the DPA template or discuss integration compliance requirements:

Email: urasin@yfull.com
Subject line: DPA Request — [Your Organisation Name]

The DPA covers:


6. Data controller

Genetic History, S.L.U.
CIF B24962573
Registro Mercantil de Barcelona, Hoja B-646398
Calle Aribau 168, 1-1, 08036 Barcelona, Spain


7. Interim governance posture

Note for DPO and legal reviewers: the regulatory positions in §4 above reflect Genetic History’s current architectural-lever posture combined with established GDPR and sector-law research. Formal legal opinions for the interim-posture items are scheduled with Peer 8 Legal/Compliance Counsel post-MVP-live (~2026-05-15..05-25). Where formal opinions diverge from interim positions, this page will be updated and the DPA template revised accordingly.

If you require formal legal opinions prior to that review — for example, for your procurement gate — contact Genetic History at urasin@yfull.com to arrange direct dialogue with the founder.


Appendix A: sub-processor registry (v0.1)

Sub-processor | Service | Region | Data processed
Scaleway | Library hosting + sync endpoints | EU (Spain) | Library-distribution asset (non-PII) only

No patient data reaches any Genetic History sub-processor.