AI principles

Cogent Clinic is a practice environment for clinicians who want to use AI in their day-to-day work in a way that is efficient, ethical, and secure, and what follows is the set of principles Cogent holds itself to when building the product. If any future product decision would break these, it is not made without saying so publicly and giving you the chance to decide whether to stay.

Cogent Clinic is a Class I medical device under UK MDR 2002 (registered with the MHRA), and these principles are the customer-facing expression of the architectural commitment that supports the Class I classification: the device contributes no clinical reasoning of its own.

1. The clinician is the author of record

Every piece of text the AI produces inside Cogent Clinic is a draft. You review it, edit it, and accept it before it becomes part of your clinical record, your supervision notes, your letter, or your report. Nothing leaves the product as a finalised document unless you have explicitly accepted it.

The product's interface makes this explicit at every step. The draft panel is amber until you accept. The "author of record" reminder sits with the draft until you put your name on it. The model is instructed to structure the content you have given it, not to produce content of its own.

You can always reject, regenerate, or write over the output. The AI never makes a clinical claim on your behalf.

2. The AI does not do clinical reasoning for you

Cogent Clinic helps with drafting, structuring, and reflective work. It is not a clinical decision-support system. The system is scoped so the AI will not:

• diagnose a client, even speculatively
• recommend a treatment, medication, or intervention
• predict outcomes or infer risk beyond what you have documented
• interpret test scores against published cut-offs on its own initiative
• introduce numeric claims, symptoms, or observations that are not in your inputs
• propose a differential diagnosis or downgrade yours
• act on behalf of the client, the referrer, or anyone else in the clinical relationship

The prompt content governing the model is tuned to enforce these limits. The architectural test that supports the Class I classification of the device is that the AI reproduces, reformats, and organises content the clinician has authored or supplied, and contributes no clinical reasoning of its own.

If a clinician asks the AI to do something outside this scope, it declines and offers to help with the documentation task instead.

Neurodevelopmental assessment reports (ADHD, autism, combined) and expert witness reports sit outside the registered Class I device. Where these features are available, they operate under separate arrangements and are subject to their own clinical-safety considerations.

3. Your content is not used to train any model

Cogent's AI inference runs on models provided by a leading AI vendor, accessed through a UK-regional cloud inference service, and by the contractual terms of that access the model provider does not use your content to train or fine-tune their models, while the inference service does not retain your inputs or outputs once a response has been returned.

Cogent does not train or fine-tune any model of its own on your content, your clients' content, or any identifier you have entered into the product, and your content is never sold, shared, or licensed to any third party for any purpose.

4. Identifying content stays on your device

Every name, NHS number, phone number, email address, postcode, date, and comparable identifier is detected inside your browser and replaced with a neutral placeholder before any content leaves the device, with the reverse mapping (the piece of information that would let a reader turn [PERSON_1] back into a real name) stored on your device, encrypted under a key derived from your account password, and never held on Cogent's infrastructure.

What reaches Cogent's servers, and what reaches the AI, is already de-identified, so if the database were ever compromised the patient identities that the content refers to would not be in it.

Cogent uses the word "de-identification" in the product because it reads more clearly to a clinician, with the formally correct regulatory term under UK GDPR being "pseudonymisation" (the swap is reversible, but only by you).

You review every identifier the detector finds before generation runs, because silent acceptance of machine-caught identifiers is the biggest failure mode for this kind of system, and the product forces the human in the loop by design.

5. Transcripts are yours, encrypted on your terms

When you transcribe a session live, the audio streams from your browser directly to a speech-to-text service hosted inside the European Union, never passing through Cogent's servers, and Cogent has opted out contractually of the service using customer audio or transcripts to train, benchmark, or develop any model. The returned transcript is held in your browser for a short window and, if you choose, saved under the relevant client folder in encrypted form, with everything Cogent stores about the session held inside the UK.

The encryption key is the one derived from your account password, the same key that protects your placeholder map, which means Cogent cannot read your transcripts and could not produce them on subpoena in a form anyone else could read. If you lose your device and forget your password, your transcripts become unrecoverable, to you and to Cogent.

Deletion is explicit, transcripts do not auto-expire from the server store, and when you delete one it is hard-deleted.

6. Your clinical work is longitudinal, and so is the AI's understanding of it, but only within your controlled scope

The product remembers the work on a client across sessions, so when you draft a new session note the client's living formulation and the last couple of session notes go into the prompt as context, when you generate a supervision brief the plan and the recent sessions assemble it automatically, and when you use the clinical thinking chat for a client the chat has the folder's context for that client and only that client.

That longitudinal memory never crosses client boundaries. The AI does not, and cannot, see your work on client A while you are working on client B, it does not build a profile of your practice, and it does not surface behavioural analytics on your clients. Each client folder is an isolated scope.

You can delete anything you like, at any time, and deletion cascades, so when you remove a client folder the drafts, transcripts, formulation, conversations, and associated records go with it.

7. What the AI is not certain about is flagged for you

Generated drafts pass a round-trip check for identifier leakage before they reach you, and if the AI has emitted a placeholder the system does not recognise, or has introduced what looks like a real identifier into the output, you see a clear flag that some details in the draft need checking.

For long-form assessment reports, the product additionally checks whether every numeric claim in the output (a test score, a percentile, a cut-off value) traces back to something you provided in structured fields, narrative, or reference documents, with any numeric claim that does not match your inputs flagged for you to double-check.

You can also run a documentation-completeness check against a per-document-type structural checklist, which tells you whether a draft has covered the elements a well-written document of that type is expected to address. It is a structural check rather than a clinical-quality rating, and the product does not grade your clinical work.

8. No hidden analytics on your clinical content

Cogent does not run behavioural analytics on what you write, what your clients disclose, or how you practise, and the analytics that do run (for billing, usage, and error tracking) are metadata-only and named on the sub-processors page. No draft body, no chat message, no transcript, and no identifiable client content is sent to any analytics service.

9. Transparency about the system

Cogent publishes detailed documentation of how data is handled, what the product does and does not do, and what the third-party processors are, while being deliberate about what is published openly and what is kept private, because technical architecture that would let a third party replicate the product is not published while security-relevant detail that you need to evaluate the product for your practice is.

If you are doing a procurement or data-protection review and need deeper detail than what is on the Trust Centre, Cogent will share the full architecture summary, hazard register, and security control mapping under NDA.

10. If the principles change, you will hear about it

If any of these principles changes, a dated update is published on this page and current customers are notified by email, with no quiet changes.

---

These principles are why the product exists in the shape it does. A generic AI chat tool would be faster to build, and a clinical scribe that transcribed sessions straight to plaintext on the server would be cheaper to run, but neither of those would give you something you could comfortably point your supervisor, your DPO, or your insurer at. Cogent Clinic is built to be that tool.