AI Vendor Due Diligence for a Private Counselling Clinic
Three vendors passed the clinic's first review. Due diligence on recorded counselling sessions showed why the cheapest would have been the most dangerous choice.
A private counselling clinic in the UAE was choosing between three vendors for an AI voice-to-text system. The tool would transcribe sessions, generate structured notes, and flag themes for follow-up. Counsellors were losing 30 to 40 minutes after every session writing notes by hand, and the clinic wanted that time back.
The sensitivity of the data here is hard to overstate. These are recorded counselling sessions. Patients disclosing trauma, addiction, family abuse. This is the most sensitive category of personal data a small clinic will ever handle.
All three vendors passed the clinic's first review. Good demos, clear pricing. The practice manager was leaning toward the cheapest, which also promised the fastest setup.
What the due diligence found
Vendor A, the cheapest, processed all audio through cloud servers outside the region. When we asked where recordings were stored during and after transcription, the answer was vague. Their privacy policy reserved the right to use "de-identified" session data for model improvement. For therapy recordings, de-identification is close to meaningless: stripping a name does nothing about the content, and a patient describing their workplace, family and neighbourhood is identifiable from those details alone. Their contract said nothing about model training, retention, or the clinic's rights over recorded audio, so the only statement about what happened to the data was a privacy policy rather than a contractual commitment.
Vendor B offered regional hosting and a clear data residency commitment. But their model was trained mostly on English-language medical dictation. Counselling sessions in the UAE move between Arabic and English mid-sentence. We tested the system on sample recordings. Accuracy dropped sharply during code-switching and collapsed on dialect. The transcripts were not clinically reliable, and a counsellor would spend as long fixing the output as writing notes from scratch.
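The accuracy test described above can be reproduced for any vendor by scoring its output against human reference transcripts and grouping the word error rate (WER) by segment type, so that code-switched speech is measured separately from monolingual speech instead of being averaged away. The script below is an added illustration of that method, not the clinic's or the consultancy's own test harness; the `Segment` type, the `evaluate` and `unreliable_kinds` helpers, and the short Arabic/English sample transcripts are all constructed for this example.

```python
from dataclasses import dataclass


@dataclass
class Segment:
    kind: str        # "en", "ar" or "mixed" (code-switched within the segment)
    reference: str   # human transcript of what was actually said
    hypothesis: str  # what the vendor's voice-to-text system produced


def tokenize(text: str) -> list[str]:
    # Case-folded whitespace tokens. No Arabic orthographic normalisation
    # (e.g. ة/ه) is applied, so such variants count as errors; relax this
    # only if the clinic is happy to accept them in clinical notes.
    return text.lower().split()


def word_edit_distance(ref: list[str], hyp: list[str]) -> int:
    # Levenshtein distance over words: substitutions + deletions + insertions.
    prev = list(range(len(hyp) + 1))
    for i, r in enumerate(ref, 1):
        cur = [i]
        for j, h in enumerate(hyp, 1):
            cost = 0 if r == h else 1
            cur.append(min(prev[j] + 1,          # reference word dropped
                           cur[j - 1] + 1,       # spurious word inserted
                           prev[j - 1] + cost))  # match or substitution
        prev = cur
    return prev[-1]


def evaluate(segments: list[Segment]) -> dict[str, dict[str, float]]:
    # Aggregate errors and reference word counts per segment kind, then
    # compute WER = errors / reference words for each kind.
    totals: dict[str, dict[str, float]] = {}
    for seg in segments:
        ref, hyp = tokenize(seg.reference), tokenize(seg.hypothesis)
        if not ref:
            raise ValueError("reference transcript must not be empty")
        bucket = totals.setdefault(seg.kind, {"errors": 0, "words": 0})
        bucket["errors"] += word_edit_distance(ref, hyp)
        bucket["words"] += len(ref)
    for bucket in totals.values():
        bucket["wer"] = bucket["errors"] / bucket["words"]
    return totals


def unreliable_kinds(report: dict[str, dict[str, float]], threshold: float) -> list[str]:
    # Segment kinds whose WER exceeds the clinic's acceptance threshold.
    return sorted(kind for kind, b in report.items() if b["wer"] > threshold)


# Constructed sample: one monolingual English, one monolingual Arabic and two
# code-switched segments, with hypotheses written to mimic the failure pattern
# described in the text (fluent monolingual output, breakdown on switches).
SAMPLE_SEGMENTS = [
    Segment("en", "I have not slept properly since the accident",
                  "I have not slept properly since an accident"),
    Segment("ar", "كنت أشعر بالخوف كل ليلة",
                  "كنت أشعر بالخوف كل ليله"),
    Segment("mixed", "my manager قال لي that I was useless in front of everyone",
                     "my manager colony that I was useless infront of everyone"),
    Segment("mixed", "I kept telling her خلاص I need space",
                     "I kept telling her classes space"),
]

if __name__ == "__main__":
    report = evaluate(SAMPLE_SEGMENTS)
    for kind, b in report.items():
        print(f"{kind:6s} errors={b['errors']:3d} words={b['words']:3d} WER={b['wer']:.3f}")
    print("unreliable above 30% WER:", unreliable_kinds(report, 0.30))
```

The point of bucketing by kind is that a vendor demo on clean monolingual dictation can report a respectable overall WER while the code-switched bucket, which is where a UAE counselling session actually lives, is unusable. Set the acceptance threshold with the counsellors, since a transcript a clinician must re-listen to in order to trust is no faster than writing the note by hand.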
Vendor C was the most expensive, about 40 percent higher per seat. But their model was fine-tuned on Arabic-English bilingual speech, they offered on-premise deployment with no audio leaving the clinic's systems, and their contract stated that no session data would be used for training without separate written consent. Raw audio was purged within 24 hours of transcription, with only the approved note retained, a commitment the clinic can check against the access audit log and the vendor's deletion records during acceptance testing rather than take on trust. That audit log mattered in its own right, both for UAE data protection law and for the clinic's own duty of care.
Our recommendation
We recommended Vendor C. Vendor A would have sent recorded therapy sessions to offshore servers with ambiguous data rights, one breach away from a catastrophe for a small clinic that runs on trust. Vendor B would have produced transcripts too unreliable to use.
The 40 percent premium bought data sovereignty, clinical accuracy, and the ability to tell a patient that their most private disclosures are not sitting on a server training someone else's model. For a small clinic, due diligence on a five-figure software decision is not bureaucracy. It is the difference between a tool that helps and one that quietly creates the worst kind of risk.
If your situation is similar, our team is happy to start with a conversation about scope and approach.