Disciplined about what we claim. Serious about your data.
HIPAA-ready with a BAA available, SOC 2 Type I audited, GDPR and UK GDPR, encrypted in transit and at rest, with region-specific data residency. We state only what we can stand behind — and your data isn't used to train models.
Adopting clinical AI shouldn't mean trusting a black box.
Clinicians and their compliance teams need to know exactly what happens to data, where it lives, who can see it, and whether it trains someone's model. This page answers those questions plainly — in terms your security team can verify.
Will our data be used for training?
No.
Where is our data stored?
In region-specific databases — your data stays in your region.
Can we get a signed BAA?
Yes — we act as your Business Associate.
Where Medroid stands, stated plainly
Compliance you can hand to your security team. These are our own statements of how Medroid operates, not seals issued by any government body — except SOC 2, which is an independent third-party attestation.
HIPAA — BAA available
We act as your Business Associate and will execute a Business Associate Agreement (BAA) with covered entities. We apply HIPAA-aligned safeguards — access controls, audit logging, and encryption.
SOC 2 Type I audited
Independently SOC 2 Type I audited. The report is available under NDA. SOC 2 is a third-party attestation of our controls — never a government certification.
GDPR / UK GDPR
Built to support GDPR and UK GDPR obligations, including data subject rights, and we act under a Data Processing Agreement (DPA) where applicable.
Encrypted in transit & at rest
Data is encrypted in transit with TLS and at rest with AES-256, across every product and surface.
Region-specific data residency
User data is stored in region-specific databases, so your data stays in your region.
Your data isn't used to train models
Your data is never used to train our models. Full stop. We cite and link the evidence — we do not absorb your records into a training set.
SOC 2 is an independent attestation of our controls, not a government certification, and it does not assess clinical accuracy. HIPAA has no government certification; we apply HIPAA-aligned safeguards and sign a BAA. Legal: Privacy Policy · DPA · Sub-processors · Terms.
One security posture across every surface
AskMedroid, Copilot, Scribe, and the EHR share the same security model. Because Medroid runs as a Chrome extension and desktop app on top of your existing systems, we add a controlled layer over your workflow rather than becoming a new system of record you have to re-certify.
Chrome Extension
Same encryption, same access model — running as a secure overlay on web-based EHRs.
Desktop App
Available now for Mac and Windows, with the same controls on your workstation.
EHR & Platform
The full Medroid EHR shares one access model, audit trail, and residency policy.
How we handle your data, step by step
No legalese. Here's the lifecycle of your data inside Medroid, in terms your compliance team can review.
Captured & encrypted
Data is encrypted the moment it is created — in transit with TLS and at rest with AES-256.
Processed in your region
It is handled in region-specific databases for your region, and it is not used to train models.
Access-controlled
Only authorized roles can access it, and every access is captured in a reviewable audit trail.
Retained on your terms
Retention and deletion are governed by your DPA and BAA — you set the terms, we follow them.
Medroid is a clinical-information and workflow tool intended to support — not replace — the independent professional judgment of a licensed clinician. It is not a substitute for clinical judgment and does not provide medical advice or a diagnosis.
Cited, not black-box — by design
Trust isn't only a compliance checkbox. AskMedroid grounds every answer in evidence — peer-reviewed literature via PubMed, clinical guidelines relevant to your region, and other trusted medical-evidence sources — and links out to the original source so you can review the basis yourself.
We respect copyright: we cite and link, we do not reproduce paywalled or full-text articles, and we never reproduce NEJM or JAMA content. The clinician reviews the evidence and makes the call.
Illustrative example of a cited answer. Medroid cites and links to sources; it does not reproduce paywalled or full-text articles.
"First-line management for this presentation is supported by current guideline evidence, with the relevant trial data summarized below for your review."
- Clinical practice guideline: linked to source, region-relevant
- Peer-reviewed literature (PubMed): citation + outbound link
- Systematic review: citation + outbound link
Send our security pack to your compliance team
Request our BAA, or ask for our security documentation — SOC 2 report and supporting materials available under NDA. We're happy to complete your security questionnaire and talk through enterprise deployment, SSO, and data residency.
Security questions clinicians and compliance teams ask
Medroid applies HIPAA-aligned safeguards and will sign a Business Associate Agreement (BAA) with covered entities. There is no government HIPAA certification; we describe our safeguards plainly and let our SOC 2 audit carry independent assurance.
Yes. We act as your Business Associate and will execute a BAA with covered entities. You can request our BAA and security documentation directly from the Trust Center.
Yes. Medroid is SOC 2 Type I audited, and the report is available under NDA. SOC 2 is an independent attestation of our controls; it is not a certification, and it does not assess clinical accuracy.
Data is encrypted in transit with TLS and at rest with AES-256, with access controls and audit logging. User data is stored in region-specific databases so it stays in your region.
Yes. Medroid is built for GDPR and UK GDPR, supports data subject rights, and acts under a Data Processing Agreement (DPA) where applicable.
No. Your data is not used to train models. We handle protected health information under a BAA with strict data-handling safeguards, and our security documentation explains what is stored, where, and who can access it.
We act under a Data Processing Agreement (DPA) where applicable and maintain a list of sub-processors. Your compliance team can request our DPA and sub-processor list along with our security documentation.
Built for clinical data, stated plainly.
Request our BAA and security documentation, or talk to us about enterprise deployment, SSO, and data residency.