Security & Trust
Your patients trust you with their health—Nemedic protects their data with the
same care. Our cloud‑native platform is built for privacy, resilience, and regulatory
compliance.
Contact our security team
Infrastructure security
| Control | Details |
|---|
| Hosting |
U.S.–based, ISO 27001–certified cloud platform with multiple data centers |
| Network isolation |
Private sub‑networks, restricted ingress/egress, and jump‑host‑mediated admin access |
| Compute layer |
Horizontally scalable application tier distributed across several fault‑isolated zones and protected by a web load balancer |
| Database |
Fully managed, auto‑scaling relational database with built‑in encryption and continuous patching |
| Transport security |
TLS 1.3 required for all client and service traffic; HSTS enforced |
| Secrets management |
Hardware‑backed key management; credentials stored only in encrypted secret stores |
Data protection
| Aspect | How we protect your data |
|---|
| Encryption in transit |
All traffic secured with modern TLS ciphers; legacy versions disabled |
| Encryption at rest |
Server‑side AES‑256 encryption using managed hardware security modules |
| Backups |
Automated snapshots retained for 30 days and stored in separate fault domains |
| Access controls |
Role‑based permissions; no production data on developer devices or portable media |
Business continuity & disaster recovery
| Goal | Commitment |
|---|
| RPO | ≤ 1 hour |
| RTO | ≤ 4 hours |
| High availability | Workloads distributed across multiple physically isolated zones |
| Snapshot redundancy | Copies stored in independent failure domains; cross‑region replication on roadmap |
Compliance & privacy
| Framework / law | Our posture |
|---|
| HIPAA |
Signed Business Associate Agreements with all covered entities, infrastructure, and AI providers |
| AI usage |
Zero‑retention endpoints; neither prompts nor completions are persisted by the provider |
| SOC 2 / ISO 27001 |
External attestation program scheduled to begin in 2026 |
Application security
| Layer | Safeguards |
|---|
| Authentication |
Email + password with strong policy |
| Authorization |
Fine‑grained role‑based access control throughout the platform |
| Secure development |
Pull‑request reviews, CI gates, and automated dependency scanning (roadmap) |
| Pen‑testing |
Independent testing planned for 2026 |
| Responsible disclosure |
Security researchers can email security@nemedic.com |
Monitoring & incident response
| Topic | Practice |
|---|
| Observability | Centralized log and metric aggregation with real‑time alerting |
| On‑call | 24 × 7 engineering rotation |
| Incident communications | Affected customers notified directly via email |
| Post‑mortems | Root‑cause analysis shared with impacted customers within 5 business days |
Organizational security
| Area | Measure |
|---|
| Background checks | All employees screened prior to hire |
| Least privilege | Just‑in‑time access with quarterly reviews |
| Security awareness | Training at onboarding and annually thereafter |
