Trust & Governance

Responsible AI at Ulalo.

AI in healthcare must be safe, fair, transparent, and accountable. These are the principles and safeguards we build to — by design, not as an afterthought.

Last updated · 31 May 2026 Version 1.0
Ulalo's AI is designed to support clinicians and research teams — not to replace clinical judgment. Every recommendation surfaces to a qualified human who decides whether to act on it.

1. Our principles

Five principles guide how we design, build, deploy, and operate AI:

  • Human-centered. AI assists qualified humans; it does not replace them.
  • Transparent. Recommendations come with the reasoning behind them.
  • Fair. We actively design against bias that could harm patients or distort research.
  • Private and secure. Patient data is protected by data minimization, encryption, and access control.
  • Accountable. Every model in production has a named owner and a documented lifecycle.

2. Human oversight

Ulalo's matching infrastructure is designed for human-in-the-loop operation. Clinicians and research coordinators review AI recommendations before any patient outreach. The system never makes a final decision about a patient's care, eligibility, or contact without a qualified human in the loop.

Operators can override, correct, or reject any recommendation. Overrides are logged and feed back into model improvement.

3. Transparency & explainability

Every recommendation surfaced by Ulalo is accompanied by the clinical reasoning behind it — the criteria matched, the evidence relied on, and the confidence assigned. We design our systems so that:

  • operators can see why a patient was surfaced before acting;
  • audit logs preserve the inputs, model version, and outputs of each decision;
  • customers receive documentation describing intended use, performance, and known limitations of each model.

4. Fairness & bias

Clinical research has historically underrepresented many communities. Building AI on that history without care can entrench the gap. We address this through:

  • diverse and representative training and evaluation data wherever feasible;
  • subgroup performance testing across demographic and clinical strata;
  • bias-impact assessments before deployment of any new model or major change;
  • continuous monitoring of fairness metrics in production, with thresholds for review and remediation.

5. Privacy & data minimization

We process the minimum data necessary to perform a task, and we protect it with:

  • encryption in transit and at rest;
  • role-based access control and least privilege;
  • de-identification or pseudonymization where the use case allows;
  • contractual safeguards (DPAs, SCCs) for any cross-border processing;
  • strict prohibition on using customer or patient data to train models for other customers without explicit permission.

See our Privacy Policy for details on personal data handling on this website.

6. Safety & validation

Before a model is deployed it goes through:

  • defined intended-use and out-of-scope statements;
  • performance evaluation against representative test sets;
  • red-team and adversarial testing on safety-critical paths;
  • review by clinical and regulatory subject-matter experts;
  • documented sign-off before promotion to production.

7. Governance & accountability

Responsible AI is governed by Ulalo's leadership with input from clinical, regulatory, and security advisors. Every model in production has:

  • a named owner accountable for its performance and safe operation;
  • a model card describing intended use, training data characteristics, evaluation results, and known limitations;
  • a defined lifecycle covering review cadence, retraining triggers, and retirement.

Ulalo's AI governance and HIPAA posture have been independently assessed by Konfer, an external AI risk and compliance specialist. We retain Konfer for periodic re-assessment as our systems evolve.

Konfer Assessment — HIPAA Business Associate compliance, 2026. Read the assessment →

8. Monitoring & incident response

We monitor models in production for drift, performance degradation, and emerging fairness issues. When something goes wrong:

  • incidents are triaged on defined severity criteria;
  • affected customers are notified consistent with contractual and regulatory obligations;
  • root-cause analysis is documented and corrective actions tracked to closure.

9. Contestability

People affected by Ulalo's systems — operators, patients reached through partner workflows, and our customers — should be able to question and challenge outcomes. We support this through clear audit trails, override mechanisms for operators, and channels for customers and stakeholders to raise concerns directly with us.

10. Regulatory alignment

Ulalo operates in a heavily regulated environment and designs for alignment with applicable frameworks, including:

  • the EU AI Act obligations relevant to AI systems used in healthcare contexts;
  • the GDPR and equivalent national data-protection laws;
  • HIPAA (Health Insurance Portability and Accountability Act), with Ulalo Inc. operating as a HIPAA-compliant Business Associate under signed BAAs with US covered entities, independently assessed by Konfer;
  • healthcare regulatory expectations, including good clinical practice (GCP), where applicable to our partners;
  • international standards such as ISO/IEC 42001 (AI management systems), ISO/IEC 27001 (information security), and SOC 2 as part of our maturity roadmap.

11. What Ulalo's AI does not do

  • It does not diagnose patients.
  • It does not prescribe or recommend treatment.
  • It does not make autonomous decisions about a patient's care, eligibility, or contact.
  • It does not replace the judgment of clinicians or research staff.

12. Contact

Questions, concerns, or vulnerability reports related to Ulalo's AI systems can be sent to legal@ulalo.io.