Security & Compliance

Last Updated: January 7, 2026

Medroid AI, Inc.
131 Continental Dr, Suite 305
Newark, DE 19713, USA

Security and compliance are at the core of everything we build. This page outlines our comprehensive approach to protecting your data and maintaining regulatory compliance.

HIPAA Ready SOC 2 Type II (In Progress) AES-256 Encryption ISO 27001 Aligned

1. Data Encryption

Encryption at Rest

AES-256 Encryption: All Protected Health Information (PHI) and sensitive data is encrypted using industry-standard AES-256 encryption
Database Encryption: Full database encryption with encrypted backups
File Storage: All uploaded files, images, and documents are encrypted at rest
Key Management: Secure key management using AWS KMS with automatic key rotation

Encryption in Transit

TLS 1.3: All data transmitted between clients and servers uses TLS 1.3 encryption
HTTPS Only: Strict HTTPS enforcement with HSTS headers
API Security: All API communications are encrypted and authenticated

2. Access Controls

Authentication

Multi-Factor Authentication (MFA): Required for all healthcare providers and administrative users
Strong Password Policy: Minimum 12 characters with complexity requirements
Session Management: Secure session handling with automatic timeout after inactivity
Single Sign-On (SSO): Enterprise SSO support for organizations

Authorization

Role-Based Access Control (RBAC): Granular permissions based on user roles
Principle of Least Privilege: Users only have access to data necessary for their role
Audit Logging: Comprehensive logging of all access to PHI and sensitive data

3. Infrastructure Security

Cloud Infrastructure

AWS Infrastructure: Hosted on HIPAA-eligible AWS services
Geographic Redundancy: Multi-region deployment for high availability
DDoS Protection: AWS Shield and CloudFlare protection against DDoS attacks
Network Isolation: Virtual Private Cloud (VPC) with private subnets

Application Security

Web Application Firewall (WAF): Protection against common web vulnerabilities
Intrusion Detection: 24/7 monitoring for suspicious activities
Vulnerability Scanning: Regular automated and manual security scans
Penetration Testing: Annual third-party penetration testing

4. Data Backup & Recovery

Automated Backups: Daily encrypted backups with 30-day retention
Point-in-Time Recovery: Ability to restore data to any point within retention period
Geographic Redundancy: Backups stored in multiple geographic locations
Disaster Recovery Plan: Comprehensive business continuity and disaster recovery procedures
Recovery Time Objective (RTO): Target RTO of 4 hours
Recovery Point Objective (RPO): Target RPO of 1 hour

5. Compliance & Certifications

Standard/Regulation	Status	Description
HIPAA	✓ Compliant	HIPAA-ready architecture with Business Associate Agreements available
SOC 2 Type II	In Progress	Undergoing SOC 2 Type II audit for security, availability, and confidentiality
GDPR	✓ Compliant	Full compliance with EU General Data Protection Regulation
ISO 27001	Aligned	Security practices aligned with ISO 27001 standards
NIST CSF	✓ Implemented	Following NIST Cybersecurity Framework guidelines

6. Security Monitoring

24/7 Monitoring: Continuous security monitoring and alerting
SIEM Integration: Security Information and Event Management system
Anomaly Detection: AI-powered detection of unusual access patterns
Incident Response: Dedicated security incident response team
Audit Logs: Comprehensive audit trails for all system activities

7. Employee Security

Background Checks: All employees undergo background verification
Security Training: Mandatory HIPAA and security awareness training
Confidentiality Agreements: All employees sign NDAs and confidentiality agreements
Access Reviews: Quarterly reviews of employee access privileges
Offboarding Process: Immediate revocation of access upon employee departure

8. Vulnerability Management

Patch Management: Regular security updates and patches
Dependency Scanning: Automated scanning of third-party dependencies
Code Reviews: Security-focused code reviews for all changes
Bug Bounty Program: Responsible disclosure program for security researchers

Security Incident Reporting: If you discover a security vulnerability or have security concerns, please report them immediately to [email protected]. We take all security reports seriously and will respond within 24 hours.

9. Third-Party Security

We carefully vet all third-party service providers and ensure they meet our security standards:

All vendors handling PHI must sign Business Associate Agreements
Regular security assessments of third-party providers
Minimum necessary access principle for all integrations
Continuous monitoring of third-party security posture

10. Data Retention & Deletion

Retention Policies: Data retained according to legal and regulatory requirements
Secure Deletion: Cryptographic erasure of deleted data
Right to Deletion: Users can request deletion of their data
Backup Purging: Automated purging of old backups per retention policy

Security Contact Information

Security Team: [email protected]
Privacy Officer: [email protected]
Compliance Team: [email protected]

For urgent security incidents: Please email [email protected] with "URGENT" in the subject line.