Privacy and Security

The security of medical information, medical records, and the results of healthcare organizations and patients is a top priority at Medical entries contain information that only particular patients and authorized medical professionals, and specific healthcare organizations need to see, and we intend to keep it that way. Every day we ensure that our security is parallel with industry standards and compliance.

GDPR compliance recognizes that protecting the privacy of EU citizens requires a holistic security program. We’ve applied all GDPR requirements and rules on our platform.

HIPAA compliance recognizes that protecting privacy requires a holistic security program. We’ve applied all HIPAA requirements and rules in our platform and in our work with our partners who provide infrastructure services to us.

UK Data Protection Act recognizes that protecting privacy for the population in the UK requires a holistic security program. We’ve completed extensive research and applied all the UK DPA requirements so is compliant with the UK DPA local requirements.

Physical security data centers (handled by Amazon AWS) are state of the art, utilizing innovative architectural and engineering approaches. Amazon has many years of experience in designing, constructing, and operating large-scale data centers. This experience has been applied to the AWS platform and infrastructure.

Software security

Servers and networking

All servers that run software in production are recent, continuously patched Linux systems. Additional hosted services that we utilize, such as Amazon RDS, S3 and others, are comprehensively hardened AWS infrastructure-as-a-service (IaaS) platforms.

Storage stores document data such as metadata, activity, original files, and customer’s data in different locations while also compiling and generating documents when requested. All data in each location is encrypted at rest with AES-128 and sophisticated encryption keys management.

Coding and testing practices leverages industry standard programming techniques such as having a documented development and quality assurance processes, and also following guidelines such as the OWASP report, to ensure that the applications meet security standards.

Employee access

We follow the principle of least privilege in how we write software, as well as the level of access employees, are instructed to use in diagnosing and resolving problems in our software and responding to customer support requests.

Isolated environments

The production network segments are logically isolated from other Corporate, QA, and Development segments.

Customer payment information uses external secure payment processing (Level 1 PCI) and does not store any credit card information.

System monitoring and alerting

At, the production application and underlying infrastructure components are monitored 24/7/365 days a year, by dedicated monitoring systems. Critical alerts generated by these systems are sent to 24/7/365 on-call DevOps team members and escalated appropriately to operations management.

Service levels and backups infrastructure utilizes many layered techniques for increasingly reliable uptime, including the use of auto-scaling, load balancing, task queues, and rolling deployments. We do full daily automated backups of our databases. All backups are encrypted.

Vulnerability testing

Web application security is evaluated by the development team in sync with the application release cycle. This vulnerability testing includes the use of commonly known web application security toolkits and scanners to identify application vulnerabilities before they are released into production.

Application architecture

The web application is multi-tiered into logical segments (front-end, mid-tier, and database), each independently separated from each other in a DMZ configuration. This guarantees maximum protection and independence between layers.