Healthcare Compliance

Security for Medical Practices

How we protect patient data with privacy-by-design architecture

ISO 27001

About ISO 27001 Certification

Transparent Disclosure

AIAgens is not currently ISO 27001 certified. However, our infrastructure is hosted in ISO 27001 certified datacenters, our processes are aligned with the ISO 27001:2022 framework, and our technology providers are SOC 2 Type II certified, which provides equivalent or superior assurance.

What We Have

  • ISO 27001 aligned policies
  • SOC 2 Type II certified infrastructure
  • GDPR & Swiss FADP compliance
  • EU Data Residency
  • Data Processing Agreement

Legal Basis

  • Swiss FADP does not require ISO 27001
  • Requires "adequate technical measures"
  • SOC 2 provides equivalent assurance
  • Art. 321 CP auxiliary compliance

Privacy by Design

Zero Data Retention Architecture

The safest data is data that is never stored

No Call Recording

Voice conversations are never recorded or stored

Real-Time Processing

Voice data processed in-memory and immediately discarded

Appointments Only

Only scheduling data is stored (date, time, name)

No Medical Data Processing

Our AI receptionist handles scheduling only. It does not access patient records, diagnoses, or any clinical information.

Swiss Law

Swiss Legal Framework

Regulation      Requirement                                       Status
nLPD/FADP       Adequate technical and organizational measures    Compliant
Art. 321 CP     Professional secrecy for healthcare auxiliaries   Compliant
GDPR            EU data protection regulation                     Compliant
Swiss-US DPF    Data Privacy Framework certification              Certified

Art. 321 CP - Auxiliary Status

Under Swiss criminal law, IT service providers are recognized as "auxiliaries" of healthcare professionals. This means we are bound by the same professional secrecy obligations as your staff, with criminal penalties for violations.

Technical Security Measures

Enterprise-grade protection

Encryption

TLS 1.3 in transit, AES-256 at rest

EU Data Center

ISO 27001 certified infrastructure in Frankfurt

Access Control

Role-based access, need-to-know principle

24/7 Monitoring

Real-time threat detection and alerting

Audit Trails

Immutable logs of all system access

Daily Backups

Encrypted backups with 30-day retention

Contractual Commitments

What we offer in writing

Data Processing Agreement

GDPR Art. 28 compliant DPA with standard contractual clauses

Confidentiality Clauses

Art. 321 CP aligned confidentiality obligations

Breach Notification

24-hour notification commitment for any security incidents

Data Deletion

Guaranteed data erasure upon contract termination

Questions?

Our team is ready to address your specific security requirements