MedMI is built to satisfy the stringent vendor procurement requirements of global medical device OEMs, RA/QA teams, and notified bodies.
Your proprietary device data, risk assessments, and clinical inputs are never used to train public or proprietary large language models. All AI processing is conducted via secure enterprise APIs with explicit zero-retention agreements.
We utilize enterprise-tier AI providers (Google Gemini / OpenAI) exclusively through their secure, SOC2-compliant API endpoints. We do not use consumer-grade chat interfaces for data processing.
Prompts are not logged by our AI partners for review. Generated outputs are strictly stored within your private, tenant-isolated Supabase database instance to maintain your Risk Management File version history.
MedMI utilizes Supabase (PostgreSQL) for backend infrastructure. Each customer operates within a strictly enforced Row-Level Security (RLS) paradigm, ensuring cryptographic separation of tenant data at the database level.
Our primary servers and databases are hosted on AWS infrastructure located in us-east-1 (N. Virginia). EU-specific localization is available for Enterprise tier customers to satisfy strict GDPR data residency requirements.
Data is encrypted at rest using AES-256 and in transit using TLS 1.2+. Database volumes and backups are fully encrypted by default.
Upon account termination or explicit request, all tenant data is hard-deleted from our active PostgreSQL databases within 7 days. Backups containing the data are cryptographically wiped during the standard 30-day rotation cycle.
The platform enforces strict RBAC. Account Owners can provision Admins, Editors (Engineers), and Viewers (Auditors). Actions like Risk Plan approval require elevated permissions.
MedMI engineers have zero standing access to customer data. Database access is strictly governed by just-in-time (JIT) provisioning, requires MFA, and is heavily audited. Support teams cannot view your risk files without an explicit, time-bound access token provided by you.
We maintain a comprehensive BCDR plan. Database backups are taken dynamically (Point-in-Time-Recovery) and stored in geographically redundant AWS S3 buckets. Our Recovery Point Objective (RPO) is 1 minute, and Recovery Time Objective (RTO) is 4 hours.
In the event of a suspected security anomaly, our automated systems trigger a severity-based incident response protocol. Customers will be notified within 24 hours of any confirmed breach affecting their tenant data.
MedMI operates its infrastructure in strict adherence to ISO 27001 information security principles. Formal ISO 27001 certification and SOC2 Type II audits are currently on our immediate compliance roadmap. Our foundational cloud provider (AWS) and backend provider (Supabase) are already SOC2 Type II and ISO 27001 certified.
A standard GDPR-compliant Data Processing Agreement (DPA) is available for execution for all Starter and Professional tier customers. Custom DPAs can be negotiated for Enterprise deployments.
Enterprise OEM teams can request our comprehensive security whitepaper and standard vendor questionnaire responses.
Request Security Packet