This page is provided for transparency and procurement review. It is not a standalone contract and does not replace our Terms of Service, Privacy Policy, Data Processing Addendum, Business Associate Agreement, Order Form, Security Addendum, or other signed agreement. If there is a conflict, the signed agreement controls.
What MARCUS Does
MARCUS retrieves institution-approved source material, identifies relevant passages, and generates a cited draft response. The response is only as reliable as the source material, retrieval quality, and user review.
| Use case | Status |
|---|---|
| Searching residency or program documents | Supported |
| Finding institutional policies and protocols | Supported |
| Summarizing cited institutional source passages | Supported |
| Comparing institution-approved documents | Supported |
| Producing draft internal guidance from approved sources | Supported |
| Diagnosing a patient | Not supported |
| Replacing clinician judgment | Not supported |
| Emergency or time-critical medical decision-making | Not supported |
| Patient-facing autonomous medical advice | Not supported |
MARCUS should be treated as an institutional-document retrieval layer, not as an autonomous medical decision-maker.
PHI Is Off By Default
MARCUS does not need PHI for ordinary institutional-document retrieval. Users can usually ask about program documents, institutional policies, rotation guidance, and approved protocols without entering patient identifiers or patient-specific facts.
| Usually appropriate in a default workspace | Not appropriate unless PHI-enabled under BAA |
|---|---|
| Residency handbooks | Patient names |
| Rotation schedules | Medical record numbers |
| Institutional protocols | Dates of birth |
| Department policies | Case-specific patient facts |
| Call rules | Operative notes |
| Public or institution-approved guidelines | Patient images, notes, documents, labs, or identifiers |
When PHI-enabled use is approved, the customer and its authorized users remain responsible for submitting only the minimum necessary information for the approved purpose.
HIPAA Posture
MARCUS is not automatically HIPAA-compliant merely because it uses encryption, access controls, or healthcare terminology. HIPAA-supported use requires the correct contractual, technical, administrative, and operational setup.
| Requirement | Status |
|---|---|
| Signed BAA between the customer and surgicAI | Required before PHI use |
| Approved PHI-capable deployment configuration | Required before PHI use |
| Approved PHI-capable vendor/subprocessor chain | Required before PHI use |
| Customer onboarding rules for PHI handling | Required |
| Role-based access controls | Required |
| Audit logging | Required |
| Retention and deletion terms | Required |
| Security incident reporting process | Required |
| Customer-side workforce policies and training | Customer responsibility |
MARCUS supports HIPAA-aligned deployments when configured under an appropriate customer agreement, BAA, approved subprocessors, and customer administrative controls. MARCUS is not approved for PHI in public demos, trial workspaces, or uncontracted environments.
Data We Process
| Data category | Examples | Purpose | Default retention posture |
|---|---|---|---|
| Account and organization data | Name, email, role, organization, authentication metadata | Login, access control, administration, support | Retained while the account or customer relationship is active, plus any legally required period |
| Institutional content | Policies, protocols, schedules, handbooks, guidelines, uploaded or connected documents | Indexing and retrieval | Retained according to customer configuration and agreement |
| Index artifacts | Segmented source text, source references, document metadata, citation metadata, search-index records | Source matching, citation display, answer support | Retained while the document remains active in the workspace unless otherwise agreed |
| Session data | User questions, cited passages, generated answers, feedback | Generate and improve the user's answer session | Configurable by contract; PHI-enabled deployments require approved retention settings |
| Audit and security logs | User ID, timestamps, workspace ID, document IDs, access events, IP or device metadata where needed | Security, abuse prevention, access review, incident investigation, compliance support | Retained according to customer agreement, legal requirements, and security needs |
| Billing data | Subscription, invoice, payment metadata | Billing and account administration | Processed through payment providers; no PHI should be submitted for billing |
Controls and Contract-Dependent Options
| Control | Description |
|---|---|
| Encryption in transit | Data is transmitted over encrypted channels such as TLS |
| Encryption at rest | Stored application data and index artifacts are encrypted at rest where supported by the infrastructure layer |
| Organization-scoped tenancy | Workspaces, documents, indexes, conversations, and access rules are scoped by organization |
| Role-based access control | Access is governed by assigned user roles and permissions |
| Cited-source answer support | Responses are generated from matched source passages and should include citations |
| Audit logging | Security-relevant and access-relevant events are logged for review |
| Secure session handling | Authentication uses secure, HttpOnly session cookies where supported by the app stack; access tokens should not be stored in browser localStorage |
| No sale of data | Customer data is not sold |
| No model training by default | Customer data is not used to train models unless separately agreed |
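The organization-scoped tenancy, role-based access control and audit logging rows above describe one enforcement path. The block below is an added example, not MARCUS's or surgicAI's own code, of how such a check can be written so that the organization filter and the role check are applied together and every decision, allowed or denied, is written to an audit trail. The role names, permission strings, sample document records and the audit-event shape are assumptions made for this example.

```javascript
// Added example (not MARCUS's own code): organization-scoped, role-based
// document access with an audit event for every decision.
// Role names, permission strings and the sample records are constructed.

const PERMISSIONS = {
  admin:  new Set(['document:read', 'document:upload', 'document:delete', 'workspace:configure']),
  editor: new Set(['document:read', 'document:upload']),
  viewer: new Set(['document:read']),
};

// Constructed sample data: two organizations, one document each.
const DOCUMENTS = [
  { id: 'doc-1', orgId: 'org-a', workspaceId: 'ws-a1', title: 'Residency handbook' },
  { id: 'doc-2', orgId: 'org-b', workspaceId: 'ws-b1', title: 'Call rules' },
];

// In-memory audit trail standing in for the real log sink.
const auditLog = [];

function recordAuditEvent(event) {
  auditLog.push({ ts: new Date().toISOString(), ...event });
}

function roleAllows(role, action) {
  return (PERMISSIONS[role] || new Set()).has(action);
}

// Returns the document if `user` may perform `action` on it, otherwise null.
// The tenant check and the role check are evaluated together so that a
// caller cannot skip one of them; the audit event records the true reason
// even when the API response collapses "cross-tenant" into "not found".
function authorizeDocumentAccess(user, documentId, action) {
  const doc = DOCUMENTS.find(d => d.id === documentId);
  const sameOrg = doc !== undefined && doc.orgId === user.orgId;
  const allowedByRole = roleAllows(user.role, action);
  const allowed = sameOrg && allowedByRole;

  let reason;
  if (doc === undefined) reason = 'not_found';
  else if (!sameOrg) reason = 'cross_tenant';
  else if (!allowedByRole) reason = 'role_denied';
  else reason = 'ok';

  recordAuditEvent({ userId: user.id, orgId: user.orgId, documentId, action, allowed, reason });
  return allowed ? doc : null;
}

// Tenant-scoped listing: the organization filter is part of the query
// itself rather than something the caller is trusted to add afterwards.
function listDocumentsForUser(user) {
  if (!roleAllows(user.role, 'document:read')) return [];
  return DOCUMENTS.filter(d => d.orgId === user.orgId);
}
```

A viewer in org-a can read doc-1 but gets `null` for doc-2 (a different organization) and for a delete on doc-1 (role denied); an admin in org-b likewise gets `null` for doc-1 even though the role would permit the action. Each of those calls leaves an audit record with the user, document, action and decision, which is what the access-review and incident-investigation purposes listed under audit logs need.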
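The secure session handling row above states the property (HttpOnly session cookies, no access tokens in localStorage) without showing what the resulting header looks like. The block below is an added example, not MARCUS's or surgicAI's own code, that builds a hardened `Set-Cookie` header for an opaque server-side session identifier and audits an arbitrary header for the attributes it lacks. The cookie name, the default lifetime and the sample headers are assumptions made for this example.

```javascript
// Added example (not MARCUS's own code): build and audit a session cookie
// header. Cookie name, defaults and sample values are constructed.

// The __Host- prefix makes the browser refuse the cookie unless it is
// Secure, has no Domain attribute and has Path=/, so the hardening is
// enforced on the client side as well as asserted here.
const COOKIE_NAME = '__Host-session';

// Build the Set-Cookie value for an opaque session id that the server
// generated (e.g. from a CSPRNG); the id is never derived from user data.
function buildSessionCookie(sessionId, { maxAgeSeconds = 8 * 3600, sameSite = 'Lax' } = {}) {
  if (!/^[A-Za-z0-9_-]+$/.test(sessionId)) {
    throw new Error('session id must be an opaque URL-safe token');
  }
  return [
    `${COOKIE_NAME}=${sessionId}`,
    'Path=/',
    `Max-Age=${maxAgeSeconds}`,
    'Secure',     // only sent over TLS
    'HttpOnly',   // not readable by page scripts, unlike localStorage
    `SameSite=${sameSite}`,
  ].join('; ');
}

// Parse a Set-Cookie value into name, value and a map of lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const attributes = {};
  for (const a of attrs) {
    const i = a.indexOf('=');
    const name = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attributes[name] = i === -1 ? true : a.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes };
}

// Return a list of findings for a session cookie header; an empty list passes.
function auditSessionCookie(header) {
  const { name, attributes } = parseSetCookie(header);
  const findings = [];
  if (!attributes.secure) findings.push('missing Secure');
  if (!attributes.httponly) findings.push('missing HttpOnly');
  const sameSite = String(attributes.samesite || '').toLowerCase();
  if (!sameSite) findings.push('missing SameSite');
  else if (sameSite === 'none') findings.push('SameSite=None allows cross-site sending');
  if (name.startsWith('__Host-') && (attributes.domain || attributes.path !== '/')) {
    findings.push('__Host- prefix requires Path=/ and no Domain');
  }
  return findings;
}
```

`auditSessionCookie` is the kind of check a deployment review or an automated test can run against a live response: the header produced by `buildSessionCookie` returns no findings, while a bare `session=...; Path=/` header reports the missing Secure, HttpOnly and SameSite attributes. The HttpOnly attribute is the concrete difference from a token kept in localStorage, which any script running on the origin can read.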
| Control | Availability |
|---|---|
| Business Associate Agreement | Available only for approved contracted deployments |
| Data Processing Addendum | Available for customers requiring data-processing terms |
| Enterprise SSO | Available only when enabled for the workspace and supported by the customer agreement |
| Private deployment, VPC, or customer-managed storage | Available by enterprise arrangement if technically supported |
| Custom retention | Available by contract where technically supported |
| SIEM or audit-log export | Available by enterprise arrangement where technically supported |
| PHI-enabled model routing | Requires approved BAA-covered provider path and deployment configuration |
SOC 2, formal penetration-test reports, and formal HIPAA risk-analysis materials should not be represented as complete or certified unless those materials have been completed and made available under the applicable agreement.
Retention and Deletion
Retention depends on workspace type, customer agreement, and deployment configuration. We do not publish fixed deletion windows unless engineering, infrastructure, and the applicable agreement can support them.
| Data | Default policy language |
|---|---|
| Original uploaded files | Retained according to workspace configuration and customer agreement; where configured for file-processing-only workflows, original files may be deleted after indexing |
| Index artifacts | Retained while the source document remains active in the workspace unless otherwise agreed |
| Conversation/session history | Retained according to workspace settings and customer agreement |
| Audit logs | Retained for security, compliance, legal, and contractual purposes |
| Deleted content | Removed from active systems where technically supported; backup copies expire according to backup cycles unless retention is required for security, legal, billing, dispute, or compliance purposes |
| Support requests | Retained as needed to provide support, maintain records, and comply with legal obligations |
Clinical Safety
MARCUS provides retrieval and synthesis assistance. It does not independently verify that source documents are current, complete, clinically appropriate, or applicable to a specific patient.
- Review cited sources before relying on an answer.
- Confirm that the source document is current and institution-approved.
- Use independent clinical judgment.
- Escalate unclear, conflicting, or high-risk answers.
- Avoid entering PHI unless the workspace is PHI-enabled under BAA.
- Never use MARCUS as the sole basis for emergency, diagnostic, or treatment decisions.
Security Reports
Security reports may be sent to security@surgic.ai. Please include a description, the affected URL or endpoint, and steps to reproduce, with sensitive data removed from any screenshots or logs.
Do not include PHI, credentials, secrets, or sensitive customer data in security reports. For confirmed incidents involving customer data, surgicAI will notify affected customers according to the applicable agreement, BAA, and law.