Certified to every standard that matters.

MediVault maintains active certifications across HIPAA, Swiss FADP, ISO 27001, and SOC 2 Type II. Our compliance posture is independently audited and continuously monitored — not just a checkbox exercise.

Last HIPAA audit: Dec 2024
FADP re-certification: Sep 2023
ISO 27001 last review: Nov 2024
Pen test: Jan 2025
Next audit due: Dec 2025
HIPAA
Health Insurance Portability & Accountability Act
United States · 1996
§164.312(a)(2)(iv)
Encryption & Decryption

All ePHI is encrypted with AES-256-GCM, both at rest and in transit, with TLS 1.3 securing every connection.

§164.312(b)
Audit Controls

Cryptographically signed, immutable audit logs for every record access event.

§164.312(c)(1)
Integrity

HMAC-SHA512 integrity verification on every data object. Any modification is detected immediately.

§164.312(e)(2)(ii)
Transmission Security

TLS 1.3 enforced for all API communications. HSTS with 2-year max-age.

FADP / nDSG
Bundesgesetz über den Datenschutz (revised)
Switzerland · Effective 1 Sep 2023
Art. 8 nDSG
Data Security (Datensicherheit)

Technical and organisational measures proportionate to the risk. MediVault implements a full ISO 27001-aligned security framework.

Art. 25 nDSG
Privacy by Design

Data minimisation and purpose limitation are enforced at the schema level. Consent gates are embedded in the data model.

Art. 29 nDSG
Duty to Notify (Meldepflicht)

Automated breach detection with <72h notification SLA to the FDPIC and affected data subjects.

Art. 30 nDSG
Processing by a Processor (Auftragsbearbeitung)

Standard AVV (data processing agreement) available to all customers. No sub-processors outside Switzerland.

ISO 27001
Information Security Management System
International · 2022 Edition
Annex A.8.24
Use of Cryptography

Defined cryptographic policy covering key lengths, algorithms, and key lifecycle management.

Annex A.8.15
Logging

Centralised, append-only log infrastructure with automated alerting on anomalous access patterns.

Annex A.8.8
Vulnerability Management

Continuous vulnerability scanning, monthly penetration tests, and a responsible disclosure programme.

Annex A.5.23
Cloud Security

All cloud services audited against ISO 27017 and 27018. Swiss-only data centre footprint.

SOC 2 Type II
Service Organization Control
AICPA · Annual Audit
CC6.1
Logical Access Controls

MFA enforced for all administrative access. Principle of least privilege applied at every level.

CC7.2
Monitoring

24/7 SIEM with automated alerting. Mean time to detect (MTTD) < 4 minutes.

CC9.2
Risk Mitigation

Annual third-party risk assessment. Vendor due diligence programme for all sub-processors.

A1.2
Availability

99.99% SLA guaranteed contractually. RPO < 1 hour, RTO < 4 hours.

Audit documentation

We publish redacted versions of our audit reports annually. Full reports are available to enterprise customers under NDA.

MediVault SOC 2 Type II Report 2024 (PDF)
ISO 27001 Certificate of Conformity (PDF)
FADP Data Processing Agreement (AVV) (PDF)
HIPAA Business Associate Agreement (BAA) (PDF)