Enterprise-grade security

Security & compliance built into every layer

ChatMed is designed from the ground up to protect sensitive patient data. Every component meets the highest standards of healthcare data security.

HIPAA
GDPR
SOC 2 Type II
AES-256
TLS 1.3
ISO 27001

Security Architecture

Defence in depth

Multiple independent layers of protection keep your data protected even if one layer is compromised.

End-to-end Encryption

All patient health information (PHI) is encrypted at every stage — at rest and in transit — using industry-leading standards with zero-knowledge architecture.

  • AES-256-GCM encryption at rest for all PHI
  • TLS 1.3 with forward secrecy for all connections
  • Zero-knowledge design — we can't read your data
  • Encrypted backups with independent key management

Identity & Access Control

Firebase-powered authentication with fine-grained role-based access control (RBAC) ensures only authorised personnel can access sensitive data.

  • Multi-factor authentication (MFA) support
  • Role-based access: Patient, Doctor, Admin
  • Short-lived JWTs, refreshed automatically
  • Session invalidation and device management
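The gateway and application layers described above can be sketched in code. The following Python is an added example, not ChatMed's own code: it assumes the token signature has already been checked upstream (for instance with firebase_admin.auth.verify_id_token() in the auth gateway) and shows the two steps that follow, re-validating the standard Firebase ID-token claims and enforcing the Patient / Doctor / Admin roles with deny-by-default rules. The project id, the "role" custom claim, the action names and the ownership rules are assumptions.

```python
"""RBAC over Firebase ID-token claims.

Added example, not ChatMed's code. Signature verification is assumed to
have happened upstream (e.g. firebase_admin.auth.verify_id_token()); this
layer re-checks the standard claims and enforces the three roles. The
project id, the "role" custom claim and the permission rules are assumed.
"""
import time
from typing import Dict, Optional

PROJECT_ID = "chatmed-demo"                       # assumed Firebase project id
ISSUER = "https://securetoken.google.com/" + PROJECT_ID
CLOCK_SKEW = 60                                   # seconds of tolerated skew

# role -> actions granted on records the principal does not own (assumption:
# admins administer accounts but do not need to read PHI, so they get none)
PERMISSIONS = {
    "patient": set(),
    "doctor": {"read", "update"},
    "admin": {"manage_users"},
}


class AuthError(Exception):
    """Raised when a token must be rejected; the caller maps it to HTTP 401."""


def validate_claims(claims: Dict, now: Optional[float] = None) -> Dict:
    """Return a principal {uid, role} from verified claims, or raise AuthError.

    Firebase ID tokens carry iss = https://securetoken.google.com/<project>,
    aud = <project>, sub = the user id, and iat/exp timestamps.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER or claims.get("aud") != PROJECT_ID:
        raise AuthError("token was not issued for this project")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise AuthError("token expired")
    if claims.get("iat", 0) > now + CLOCK_SKEW:
        raise AuthError("token issued in the future")
    uid = claims.get("sub")
    if not isinstance(uid, str) or not uid:
        raise AuthError("missing subject")
    role = claims.get("role")
    if role not in PERMISSIONS:
        raise AuthError("missing or unknown role")   # deny by default
    return {"uid": uid, "role": role}


def can_access(principal: Dict, action: str, owner_uid: Optional[str] = None) -> bool:
    """Least-privilege check: role grants, plus owners may read/update their own record."""
    role = principal.get("role")
    if role not in PERMISSIONS:
        return False
    if action in PERMISSIONS[role]:
        return True
    return (
        action in ("read", "update")
        and owner_uid is not None
        and owner_uid == principal.get("uid")
    )
```

Every check is a positive match against a short allow-list; an unknown role, an unknown action or a missing owner all fall through to a denial, which is what "only authorised personnel" has to mean in code.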

Rate Limiting & Abuse Prevention

Intelligent per-plan, per-IP and per-user rate limiting with automatic threat detection protects your integration from abuse, DDoS attacks and credential stuffing.

  • Per-endpoint adaptive rate limiting
  • Automatic IP blocking on abuse detection
  • Circuit breaker pattern for service protection
  • DDoS mitigation at CDN and API layers
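The per-plan, per-user and per-IP limits plus automatic IP blocking described above combine into a small, testable policy. The Python below is an added example, not ChatMed's code: three token buckets are consulted per request, tokens are only spent when all three pass, and an IP that repeatedly hits its own limit is blocked for a cooling-off period. The plan tiers, numeric limits and block thresholds are assumptions, and the clock is passed in so the behaviour can be checked deterministically.

```python
"""Layered token-bucket rate limiting with automatic IP blocking.

Added example, not ChatMed's code. A request must pass three independent
buckets (tenant plan quota, per-user burst limit, per-IP abuse limit); an
IP that keeps exceeding its limit is blocked for a cooling-off period.
The plan tiers, limits and thresholds below are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

PLAN_LIMITS = {                # plan -> (sustained requests/s, burst)
    "free": (1.0, 10),
    "pro": (10.0, 100),
    "enterprise": (100.0, 1000),
}
USER_LIMIT = (5.0, 20)         # per authenticated user
IP_LIMIT = (20.0, 50)          # per source IP, across all users
BLOCK_AFTER = 5                # IP-limit rejections before the IP is blocked
BLOCK_SECONDS = 300.0


@dataclass
class Bucket:
    rate: float       # tokens credited per second
    capacity: int     # maximum burst
    tokens: float
    updated: float

    def refill(self, now: float) -> bool:
        """Credit elapsed time and report whether one token is available."""
        self.tokens = min(self.capacity, self.tokens + (now - self.updated) * self.rate)
        self.updated = now
        return self.tokens >= 1.0


class RateLimiter:
    def __init__(self) -> None:
        self._buckets: Dict[Tuple[str, str], Bucket] = {}
        self._strikes: Dict[str, int] = {}
        self._blocked_until: Dict[str, float] = {}

    def _bucket(self, scope: str, key: str, limit: Tuple[float, int], now: float) -> Bucket:
        b = self._buckets.get((scope, key))
        if b is None:
            rate, cap = limit
            b = self._buckets[(scope, key)] = Bucket(rate, cap, float(cap), now)
        return b

    def check(self, tenant: str, plan: str, user_id: str, ip: str, now: float) -> Tuple[bool, str]:
        """Return (allowed, reason). Tokens are spent only when every bucket
        passes, so a request rejected by one limit does not drain the others."""
        if self._blocked_until.get(ip, 0.0) > now:
            return False, "ip_blocked"
        checks = (
            ("plan", self._bucket("plan", f"{tenant}:{plan}", PLAN_LIMITS[plan], now)),
            ("user", self._bucket("user", user_id, USER_LIMIT, now)),
            ("ip", self._bucket("ip", ip, IP_LIMIT, now)),
        )
        for name, bucket in checks:
            if not bucket.refill(now):
                if name == "ip":
                    self._strike(ip, now)
                return False, f"{name}_limit"
        for _, bucket in checks:
            bucket.tokens -= 1.0
        return True, "ok"

    def _strike(self, ip: str, now: float) -> None:
        """Repeated IP-limit hits look like scraping or credential stuffing."""
        self._strikes[ip] = self._strikes.get(ip, 0) + 1
        if self._strikes[ip] >= BLOCK_AFTER:
            self._blocked_until[ip] = now + BLOCK_SECONDS
            self._strikes[ip] = 0
```

Only rejections caused by the IP bucket count as strikes: a legitimate tenant exhausting its plan quota should see a 429, not a 5-minute block. In production the bucket state would live in a shared store such as Redis rather than in process memory, so that every API replica enforces the same limits.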

Audit Logs & Compliance

Immutable, tamper-evident audit trails capture every access to and modification of PHI. Designed to satisfy HIPAA, GDPR and SOC 2 audit requirements.

  • Immutable audit logs for all PHI access events
  • 90-day log retention (configurable for Enterprise)
  • HIPAA-compliant access logging and reporting
  • Real-time security monitoring and anomaly alerts
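One way to make an audit trail tamper-evident is to hash-chain it: every entry commits to the previous entry's digest and is sealed with a keyed hash, so editing, reordering or removing an entry breaks verification. The Python below is an added example, not ChatMed's code; the entry fields, the HMAC-SHA256 seal and the assumption that the verification key is held outside the application (for example in a KMS, so a compromised API server cannot re-sign a doctored log) are all illustrative.

```python
"""Hash-chained PHI audit log with tamper detection.

Added example, not ChatMed's code. Each entry records prev = the previous
entry's seal and is sealed with HMAC-SHA256 under a key assumed to be held
outside the application server; verify_chain() finds the first entry that
was altered, reordered or removed. Field names are illustrative.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64   # "previous seal" of the very first entry


def canonical(entry: Dict) -> bytes:
    """Stable serialisation so the same entry always hashes the same way."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def seal(key: bytes, body: Dict) -> str:
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()


class AuditLog:
    def __init__(self, key: bytes) -> None:
        self._key = key
        self.entries: List[Dict] = []

    def append(self, actor: str, role: str, action: str, record_id: str, ts: int) -> Dict:
        """Record one PHI access event, chained to the previous one."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "ts": ts,
            "actor": actor,
            "role": role,
            "action": action,
            "record": record_id,
            "prev": prev,
        }
        body["hash"] = seal(self._key, {k: v for k, v in body.items()})
        self.entries.append(body)
        return body

    def head(self) -> str:
        """Latest seal; publish it externally so truncation is detectable too."""
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify_chain(entries: List[Dict], key: bytes) -> Optional[int]:
    """Return the index of the first bad entry, or None if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry.get("seq") != i or body.get("prev") != prev:
            return i                       # reordered, inserted or deleted entry
        if not hmac.compare_digest(seal(key, body), str(entry.get("hash", ""))):
            return i                       # field edited or wrong key
        prev = entry["hash"]
    return None
```

The chain detects changes inside the log but not deletion of its tail; that is what head() is for: checkpointing the latest seal to a separate system (a WORM bucket, a ticket, a signed timestamp) at a fixed interval lets an auditor confirm that nothing has been cut off since the last checkpoint.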

Architecture

Security at every layer

ChatMed's architecture is designed with the principle of least privilege. Each service only has access to the data it needs, when it needs it.

  • Edge / CDN Layer: DDoS protection, WAF, TLS termination
  • Auth Gateway: Firebase JWT validation, RBAC enforcement
  • FastAPI Application: business logic, rate limiting, audit logging
  • Encrypted Data Store: MongoDB with AES-256 field-level encryption

Request path: Client App → (TLS 1.3) → API Gateway + Auth → (JWT) → ChatMed API → (RBAC) → Encrypted Storage (AES-256)

Certifications

Compliance & certifications

ChatMed meets the highest international standards for healthcare data security and privacy.

HIPAA: Health Insurance Portability and Accountability Act. The Enterprise plan includes a signed BAA for full compliance.

GDPR: General Data Protection Regulation. Full data subject rights implementation and privacy-by-design architecture.

SOC 2 Type II: Independently audited report covering security, availability, processing integrity, confidentiality and privacy.

AES-256: Advanced Encryption Standard with 256-bit keys for all stored patient health information.

TLS 1.3: Latest Transport Layer Security protocol, with forward secrecy for all API communications.

ISO 27001: International standard for information security management systems. A systematic approach to protecting sensitive information.
Enterprise Security

Need a HIPAA BAA?

Our Enterprise plan includes a signed Business Associate Agreement and dedicated compliance support for your organisation.