Safety & trust
An AI engine inside healthcare earns trust by what it refuses to do as much as by what it does. Powerful where it should be — constrained where it must be.

Here is exactly where Elderberry AI's line sits, and how we enforce it.

We facilitate. We do not diagnose. The engine surfaces evidence, structures information, and drafts coordination. It does not diagnose, does not give medical advice, and does not act on a patient without a human approving first.

The line, in action

When a request crosses the line, the engine declines — and routes to a person.

The constraint isn't a disclaimer; it's enforced in the system. Ask the engine to diagnose and it won't. Instead it surfaces the relevant evidence and hands the decision to a clinician.

Facilitation, not diagnosis

Hard system constraints keep the engine on the facilitation side of the legal and clinical line. It prepares; a clinician decides.

Human in the loop

Clinical output, escalations, and safety-critical paths get human review before they go anywhere — the engine never auto-sends clinical communication, and anything uncertain is escalated to a person. Strong human oversight where it matters.

No PHI to advertisers

We do not sell protected health information. There are no third-party ad or tracking pixels on our products, and none on this site.

HIPAA business-associate posture

Where we handle protected health information on behalf of a covered entity, we operate under a Business Associate Agreement with appropriate safeguards.

End-to-end audit trail

Every retrieval, draft, and approval is logged. Any output can be traced back to its sources and to the person who approved it.

Encryption & separation

Data is encrypted at rest and in transit. Public medical evidence and protected patient data are kept in separate stores with role-based access.

How the line is enforced

Guardrails in the system, not just the prompt

A policy is only as strong as its enforcement. Ours is built into the engine's path.

Scope limit

The reasoning layer is constrained to facilitation tasks — surfacing, structuring, drafting.

Grounding required

Outputs must be traceable to a source; ungrounded claims are blocked.

Human gate

No clinical output proceeds without explicit human approval.

Logged & reviewable

Every step is recorded for audit and oversight.

Questions about our safety posture?

We're glad to walk compliance and clinical leaders through exactly how the engine is constrained.
