The GDPR-proof way to send a medical form.

ProxForm is GDPR-proof by architecture: no server-side storage of patient data, no third-party processors, no PHI at rest. The clinician remains the data controller for any local copies they choose to save — but ProxForm itself eliminates the data-at-rest, processor-relationship, and transit-encryption risk surfaces that drive most GDPR exposure.

No. ProxForm never receives or processes patient data — answers travel directly browser-to-browser over an end-to-end encrypted WebRTC channel. There's no processor relationship to formalize because there is no processor.

Nowhere by default. Answers exist only in the two open browser tabs during the session. The clinician can choose to save a local copy (JSON or printed PDF) on their own device — that copy is then their responsibility under their own legal basis.

PBKDF2 (100,000 iterations, SHA-256) derives a key from the shared passphrase, which encrypts the WebRTC handshake metadata with AES-256-GCM. The data channel itself runs over DTLS 1.3. A short verification code (SAS) lets both sides confirm there's no person-in-the-middle.

Under HIPAA's conduit exception, Artivicolab is not a Business Associate — patient data never touches our infrastructure, so we have no persistent access to PHI. The clinic remains the covered entity for the data it collects through ProxForm. We don't market ProxForm as "HIPAA-compliant SaaS" because that label assumes a relationship that doesn't exist here. Full HIPAA position, including a Security Rule technical-safeguards mapping →

ProxForm runs entirely in your browser with no accounts and no analytics. Pricing for clinical use will be announced — early users can contact Artivicolab for access.

Yes. The Portal supports parallel sessions — fire as many invites as you need, each lands as its own card in a first-come queue with a DMV-style ticket label (1A, 2A, …). Replies trickle back independently. Live previews stream into their own cards as patients type.

Active invites are remembered as dormant cards in the next session. The previous WebRTC connection is dead (no JS can survive a reload), but clicking Reopen mints a fresh link + passphrase under the same session ID. If the patient was mid-fill, their draft auto-restores when they open the new link.

Two automatic layers: (1) every patient name on the Portal blurs to *** by default — hover to peek or click Show to unlock for a few minutes; (2) inside a submission, every answer auto-masks with *** after 30 s – 5 min of inactivity (configurable, never off). It's the "data at rest, on your own screen" defense — designed for shared clinic devices.

One button on the Portal: End shift — wipe patient data. Confirms with an explicit warning, then deletes every submission, every dormant invite, every patient draft. Your form templates and your shield/theme preferences stay. Next person at the device starts at ticket 1A on a clean inbox.

Only this landing page, and only if you say yes. It offers Google Analytics purely to count visits — and it does not load until you click Accept on the consent banner. Decline and nothing loads, ever. The ProxForm app and the patient form page run zero analytics and zero cookies no matter what you pick here — patient data never touches Google or any third party. Full detail on the GDPR page →

Received submissions are stored in your browser's local IndexedDB on this device only. There is no server copy and no cloud backup — that's the whole point. Consequence: if you clear your browser data, use a different browser or device, or your device is wiped, those submissions are gone. Before clearing browser data, export anything you need to keep — every submission has an Export JSON button, and the detail view has Print / PDF. Treat ProxForm submissions like a paper inbox: move the ones you need into your records system, shred the rest with End Shift.