TranslateMed

Security & Trust

TranslateMed is built for healthcare — PHI-safe by design, with enterprise-grade encryption, infrastructure, and compliance. Here's exactly how we handle your data.

Last updated: May 22, 2026

TLS 1.3 in transit
Documents never stored
Cloudflare edge
No AI training

Data Handling

Your documents are processed in memory and never written to permanent storage. Only the structured output (code mappings, confidence scores) is retained for your history.

Documents Never Stored

Your documents are processed in memory and returned to you — never written to our database. Document content does not persist after a translation completes.

Metadata vs. Content

Translation metadata (codes, mappings, confidence scores) is stored for your history. Document content is not. Your clinical text never touches our database.

Encryption Everywhere

All data is encrypted in transit using TLS 1.3. Stored translation metadata is encrypted at rest using AES-256.

No Content Logging

We never include document content in application logs. PHI safety is enforced at the code level — not just as a policy.


Infrastructure

Built on industry-leading cloud infrastructure with automatic failover, global distribution, and strict data isolation between tenants.

Cloudflare Global Edge

Hosted on Cloudflare's global edge network — low-latency processing with DDoS protection and automatic failover built in.

Neon Serverless PostgreSQL

Translation metadata is stored in Neon serverless PostgreSQL with automated backups, point-in-time recovery, and SOC 2 compliant hosting.

Row-Level Tenant Isolation

Your data is isolated at the database level using row-level security. No other organization can query or access your translation history.


Compliance

Current status of compliance certifications and frameworks. We are transparent about what is live today and what is on our roadmap.

HIPAA (Active)

Business Associate Agreements (BAAs) are available for Enterprise customers. Our architecture is designed for PHI-safe processing — documents processed in memory, no content logging.

GDPR (Active)

EU data processing compliant. Data Processing Agreements (DPAs) available. EU users can request data access, rectification, or deletion at any time.

SOC 2 Type II (Planned)

SOC 2 certification is on our roadmap — Type I targeted for Q1 2027, Type II for Q3 2027. View our full SOC 2 roadmap.

No AI Training on Your Data (Active)

We never use your documents to train AI models — not TranslateMed's models, and not Anthropic's. Our commercial API agreement with Anthropic explicitly prohibits this.

AI Transparency

We believe you should know exactly how AI is used in your translations — what it does, what it doesn't do, and how accurate it is.

Verified Translation Accuracy

Translation accuracy is continuously measured by automated evaluation across all supported corridors (47 countries). Results are reproducible and re-run on every release. All mappings are verified against authoritative regulatory sources.

Verified Knowledge Base

Code mappings are verified against authoritative medical coding standards. Every mapping includes a confidence indicator and source attribution.

AI-Assisted Processing Labeled

When AI assists with a mapping, it is clearly labeled with a confidence badge. You always know the confidence level of every mapping.

Published Evaluation Methodology

Our evaluation framework, test cases, and scoring rubric are publicly documented. See exactly how we measure accuracy across all 47 countries and 149 corridors.

Per-Corridor Accuracy Data

Accuracy breakdowns for each supported country pair — real eval results, not marketing claims.


Enterprise Security Features

Additional security controls available on Enterprise plans for organizations with stricter requirements.

Self-Hosted Deployment

Deploy TranslateMed on your own infrastructure — your servers, your network, your keys. No data leaves your environment.

Per-Tenant Encryption Keys

Bring your own encryption keys or use per-tenant keys managed by TranslateMed. Complete cryptographic isolation between organizations.

SSO / SAML Integration

Single sign-on via SAML 2.0 or OIDC. Integrate with Okta, Azure AD, Google Workspace, and other identity providers.

Audit Logging

Immutable audit log of all actions — who translated what, when, from which IP, with what result. Exportable for compliance reporting.

Custom Data Retention

Configure exactly how long translation metadata is retained. Set automatic deletion schedules aligned with your organization's data governance policies.


EU Data Residency

All data is processed and stored within the European Union. TranslateMed is built for EU healthcare compliance — every provider is EU-hosted or GDPR-covered.

Data Stored in EU

Database hosted in Frankfurt, Germany (Neon eu-central-1). R2 document storage in EU jurisdiction. Cloudflare edge processing restricted to EU data centers.

EU Provider Stack

Plausible Analytics (Estonia/Germany), Neon Postgres (Frankfurt), Mailgun EU, Stripe Payments Europe (Ireland). Each provider holds a GDPR-compliant Data Processing Agreement.

Offline Mode — Zero External APIs

Our default translation approach uses verified local mappings with no data sent to third-party services. Available for customers with strict data sovereignty requirements.

Data Processing Agreements

DPAs in place or in progress with all data processors: Cloudflare, Neon, Stripe, Mailgun. Anthropic DPA required before using AI-assisted features with EU patient data.


Security Contact

Found a vulnerability? Have a compliance question? Evaluating TranslateMed for your healthcare organization?

Security questions
[email protected]
Enterprise inquiry