The context
The organisation processes biomedical documentary files whose content qualifies as health data under GDPR. The scientific teams spent a significant share of their time on a first-level read of files, a majority of which were subsequently set aside. Any tool considered had to satisfy three frameworks simultaneously: GDPR for personal data, HDS for health hosting, and AI Act for the AI system itself.
The need
An agent able to read incoming files, identify missing parts, flag obvious scientific inconsistencies, and produce a summary sheet for the human evaluator. The final decision remains with the human. The agent had to operate without any patient data leaving the HDS zone, and without any dependency on a non-EU model provider, a condition set by the scientific leadership and by the CISO.
What we delivered
An agent orchestrated via MCP, where each documentary reading and verification capability is isolated in a dedicated MCP server, which makes the pipeline auditable step by step. A Mistral model hosted on Outscale, a SecNumCloud-qualified provider, within an HDS-certified hosting zone. Application state and audit logs in PostgreSQL, within the same perimeter. A FastAPI API exposed only on the client's internal network. The architecture file documents data residency, the absence of Cloud Act exposure, and the mapping to GDPR, HDS and AI Act obligations, including the system's risk classification and the human oversight measures in place.
