Trust & Security

Security & Compliance

Patient data never leaves your infrastructure. Never stored, never cached, never written to disk. It flows through memory and disappears. That's not a feature — it's the architecture.

Stateless Processing

Your lab report goes in, structured data comes out, nothing stays behind. No database, no temp files. If someone pulled the plug mid-request, there'd be nothing to find.

Rate Limiting

Configurable request throttling per API key with sliding window counters. Prevents abuse and ensures fair resource allocation across tenants.

Security Headers

Content Security Policy, HSTS with preload, X-Frame-Options DENY, X-Content-Type-Options, and Referrer-Policy headers on every response.

Network Policies

Kubernetes NetworkPolicy manifests for pod-level isolation. Ingress and egress rules ensure only authorized traffic reaches the service.

Authentication

API key authentication using timing-safe comparison to prevent timing attacks. Keys are validated on every request with constant-time equality checks.

Audit Trail

Every request is logged for compliance — correlation IDs, timestamps, and processing metadata. No personal data ever appears in logs.

Data Flow

How Your Data Moves

From upload to response, data exists only in memory. No intermediate storage, no temporary files, no database writes.

Upload

PDF or image sent via API

In-Memory Processing

Extraction, parsing, LOINC mapping

Structured Response

FHIR R4 JSON returned

Zero data retention. Personal health data never touches disk. All processing is ephemeral and stateless.

Self-Hosted AI

Your AI, Your Servers, Your Rules

The extraction engine, the language model, the matching algorithms — every piece runs inside your infrastructure. No patient data ever touches an external server.

Architecture Comparison

MedExtract

Your Infrastructure

API Server

AI Models

AI Processing

Data inResults out

No external connections required

Generic cloud providers

Your Server

Your Application

Patient data sent externally

Third-party generic cloud API

Why Self-Hosted AI Matters for Healthcare

All AI models are developed and trained in-house by our engineering team

No data is ever sent to OpenAI, Google, AWS, or any third-party API

Models run entirely within your infrastructure — Docker, Kubernetes, or bare metal

Full source code audit available for Enterprise customers

GDPR Article 28 compliant — no sub-processors involved in data processing

What happens to patient data: MedExtract vs. cloud alternatives

FeatureMedExtractCloud APIs

Patient data stays local

Always

Sent to cloud

Proprietary AI models

In-house

Third-party

Zero external API calls

Guaranteed

Required

On-premise deployment

Full support

Cloud only

GDPR Art. 28 compliant

By design

Varies

Standards

Standards Compliance

Built on healthcare interoperability standards to ensure compatibility with existing clinical systems.

FHIR R4

Output conforms to HL7 FHIR R4 specification with DiagnosticReport and Observation resources.

LOINC

27,000+ test name dictionary entries mapped to standardized LOINC codes through an advanced matching algorithm.

UCUM

All units are normalized to the Unified Code for Units of Measure with analyte-specific conversion factors.

GDPR Compliant

Designed for GDPR compliance with zero data retention, stateless processing, and in-memory-only data handling.

Ready to see it running in your infrastructure?

Book a 30-minute technical walkthrough. Bring your compliance checklist — we'll walk through the architecture, the data flow, and every question your DPO will ask.

Security Docs Contact Us