Skip to content

Security: awamser/medplum

Security

SECURITY.md

Medplum Security

Our Commitment to Security

Our #1 priority is your trust.

Medplum uses enterprise-grade security and regular audits to ensure you're always protected. We undergo regular penetration testing and security reviews designed to be SOC 2 compliant.

This commitment to security is ingrained in our culture.

Application Security

  • Encryption - Data is encrypted in transit with TLS 1.2. Data is encrypted at rest with AES.
  • Continuous Monitoring - Independent third-party penetration, threat, and vulnerability testing.
  • Data Handling - Medplum is in full compliance with GDPR and has support for data deletion.
  • SSO - User access controls with single sign on.
  • Secure Hosting - Medplum's cloud environments are backed by AWS' security measures.
  • RBAC - Role based account access workflows.

Continuous Security Commitment

  • Penetration Testing - We perform an independent third-party penetration test at least annually to ensure that the security posture of our services is uncompromised.
  • Security Awareness Training - Our team members are required to go through employee security awareness training covering industry standard practices and information security topics such as phishing and password management.
  • Third-Party Audits - Our organization undergoes independent third-party assessments to test our security controls.
  • Roles and Responsibilities - Roles and responsibilities related to our information security program and the protection of our customer's data are well defined and documented.
  • Information Security Program - We have an information security program in place that is communicated throughout the organization. Our information security program follows the criteria set forth by SOC 2.
  • Continuous Monitoring - We continuously monitor our security and compliance status to ensure there are no lapses.

Report Vulnerabilities

Found a potential issue? Please help us by reporting it so we can fix it quickly.

Contact us at [email protected]

There aren’t any published security advisories