Security-first architecture

Healthcare data demands practical controls, not just checkboxes.

HIPAA BAA ready · US data residency · SOC 2 in progress
Users & Devices
Physician workstation
Mobile imaging
DICOM / EMR nodes
Authenticated access · Device identity

All access requires verified identity

Edge Security
Global CDN
Web application firewall
DDoS mitigation
TLS 1.3 · Bot detection · Rate limiting

Traffic inspected before reaching platform

Application Services
API gateway
Imaging processor
Auth service
RBAC · Signed URLs · Service isolation

Services operate under least privilege

Encrypted Storage
DICOM object storage
Metadata database
Audit log store
AES-256 · PHI isolated · Immutable logs

Data encrypted at rest and logically isolated

Security Controls
Secrets vault · Key rotation · Vuln scanning · Dependency monitor · Patch automation · Threat detection

Continuous verification across infrastructure

Resilience
Cross-region backups
Immutable snapshots
Disaster recovery
RPO defined · RTO targets

Designed for rapid recovery

CuraData is built with layered protections so imaging data remains secure across ingestion, storage, and access.

Infrastructure security

Cloud-native architecture

Enterprise-grade infrastructure with SOC 2 and ISO 27001 certifications. Automatic patching, vulnerability scanning, and infrastructure-as-code for reproducible deployments.

DDoS and edge protection

Global edge network with DDoS mitigation. Web application firewall tuned for healthcare API patterns. Rate limiting and bot detection.

Secrets management

No secrets in code or client bundles. Credentials stored in dedicated vaults with access logging and automatic rotation for service accounts.

Vulnerability management

Continuous dependency and container image scanning. Security patches applied within SLAs. Annual third-party penetration testing.

Core security controls

Encryption everywhere

TLS 1.3 in transit, AES-256 at rest. Dedicated key management with automatic rotation.

Role-based access control

Granular permissions at account, site, and study levels. SSO/SAML support. MFA for privileged accounts.

Complete audit trails

Every access, modification, and export logged with identity, timestamp, and context. Immutable retention.

Network isolation

Production isolated from dev/staging. Encrypted private networks. Minimized public attack surface.

Data protection

1. De-identification

HIPAA Safe Harbor compliant. Burn-in text detection. Configurable DICOM tag scrubbing with audit records.

2. Residency controls

Choose where data lives. Regional deployments for sovereignty. No cross-border transfers without explicit config.

3. Retention & deletion

Configurable policies. Hard deletion for GDPR/CCPA. Logged and verified requests. Backup purging aligned.

4. Backup & recovery

Encrypted backups with point-in-time recovery. Regular restore testing. Geo-distributed storage.

Compliance and certifications

HIPAA: Ready

Business Associate Agreements available. Technical safeguards implemented per HIPAA Security Rule. Administrative and physical safeguard documentation provided.

SOC 2 Type II: In Progress

Currently undergoing audit. Controls aligned with AICPA Trust Services Criteria. Expected completion Q2 2026. Gap assessment complete.

GDPR / CCPA: Supported

Data subject rights supported: access, rectification, erasure, portability. Data Processing Agreements available.

FDA 21 CFR Part 11: Aligned

Audit trails, electronic signatures, and access controls designed to support Part 11 compliance for regulated research.

Compliance certifications and attestations vary by deployment type. Contact us to discuss your specific regulatory requirements.

Incident response

Detect: 24/7 monitoring

Automated alerting for suspicious access patterns, failed auth spikes, and unusual data exports. Log aggregation and correlation.

Respond: Defined procedures

Documented classification, escalation paths, playbooks. Named incident commanders and on-call rotations.

Notify: Breach notification

Timelines aligned with HIPAA and state laws. Pre-prepared communication templates. Regulatory reporting documented.

Review: Post-incident analysis

Root cause analysis and lessons learned. Process improvements. Continuous security posture enhancement.

Security by design

Secure development lifecycle

Code review required for all changes. Static analysis and dependency scanning in CI/CD. Security-focused design reviews.

Least privilege

Default-deny access. Permissions granted by role requirements, not convenience. Regular access reviews.

Defense in depth

Multiple overlapping security layers. No single point of failure. Compensating controls throughout.

Vendor and subprocessor management

Subprocessor inventory: Maintained list of all third parties with data access, including purpose and categories.
Data Processing Agreements: Signed DPAs with all subprocessors before any customer data access.
Security assessments: Vendors assessed before onboarding and reassessed annually or on significant changes.
Change notification: Customers notified in advance of subprocessor changes per contractual terms.

Trust and transparency

Security is a continuous process, not a destination. We maintain transparency about our practices and welcome scrutiny.

Independent ethics board

External oversight for data governance, privacy controls, and ethical considerations.

Data safety change process

Formal review for any change touching data handling, with documented rationale and approval chain.

Security documentation

Architecture diagrams, control descriptions, and assessment results available under NDA.

Responsible disclosure

Clear process for security researchers to report vulnerabilities.

Ready to discuss your security requirements?

We work with security and compliance teams at healthcare organizations of all sizes. Whether you need a BAA, SOC 2 report, or custom security assessment, we're ready to help.
