Patient data deserves the highest level of protection. Our security architecture is built from the ground up to meet NHS requirements and exceed industry standards.
Security isn't bolted on to Medelic - it's fundamental to how we build. Every architectural decision, from database design to API structure, considers security implications first.
We apply the principle of least privilege throughout our systems. Access to patient data is strictly controlled, logged, and regularly audited. No one at Medelic can access patient information without explicit authorisation and a valid clinical or operational reason.
Our security team conducts regular penetration testing, vulnerability assessments, and code reviews. We maintain a private bug bounty programme and work with independent security researchers to identify and fix potential issues.
All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Encryption keys are managed in dedicated hardware security modules (HSMs), separate from the data they protect.
All patient data stored exclusively in UK-based, NHS-approved data centres. No data ever leaves UK jurisdiction.
24/7 security monitoring with automated threat detection and response. Real-time alerting for suspicious activity.
We only collect and process data that's necessary for the clinical purpose. No data is retained beyond its required retention period.
Strict role-based access controls ensure only authorised personnel can access patient data, with full audit trails of all access.
Comprehensive audit logs record all data access and system changes, retained securely for compliance and investigation purposes.
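The two controls above, least-privilege role checks and an audit trail of every access, are easiest to understand as one mechanism: the decision point that allows or denies an action is also the point that writes the log. The following is an added illustration of that pattern, not Medelic's code; the roles, actions, record identifiers and log fields are assumptions chosen for the example. Two details matter in practice and are shown here: unknown roles and empty reasons are denied by default, and denied attempts are logged just as allowed ones are, so an audit can surface probing as well as legitimate use.

```python
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Role -> permitted actions on patient records.  Illustrative assumption only;
# a real deployment would load this from policy, not hard-code it.
ROLE_PERMISSIONS = {
    "clinician": {"read", "write"},
    "receptionist": {"read_demographics"},
    "engineer": set(),  # no direct access to patient data by default
}


class AccessDenied(PermissionError):
    """Raised when a request fails the role or reason check."""


@dataclass
class AccessController:
    """Authorises access to patient records and records every decision."""

    audit_log: list = field(default_factory=list)  # JSON lines, append-only

    def _record(self, user, role, action, record_id, reason, outcome):
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "role": role,
            "action": action,
            "record": record_id,
            "reason": reason,
            "outcome": outcome,
        }
        self.audit_log.append(json.dumps(entry))

    def authorise(self, user, role, action, record_id, reason):
        """Return True if the access is permitted; otherwise log and raise.

        Every call is logged, including denials, so the audit trail shows
        attempted as well as successful access.
        """
        if not reason or not reason.strip():
            self._record(user, role, action, record_id, reason, "denied:no_reason")
            raise AccessDenied("a clinical or operational reason is required")
        # .get(..., set()) makes unknown roles deny by default.
        if action not in ROLE_PERMISSIONS.get(role, set()):
            self._record(user, role, action, record_id, reason, "denied:role")
            raise AccessDenied(f"role {role!r} is not permitted to {action!r}")
        self._record(user, role, action, record_id, reason, "allowed")
        return True

    def entries(self):
        """Parsed audit entries, oldest first (for review or export)."""
        return [json.loads(line) for line in self.audit_log]


if __name__ == "__main__":
    # Constructed sample requests, not real users or records.
    ctl = AccessController()
    ctl.authorise("dr.smith", "clinician", "read", "P-001", "on-call review")
    for user, role, action, reason in [
        ("eng1", "engineer", "read", "debugging a ticket"),
        ("temp7", "contractor", "read", "data migration"),
        ("dr.smith", "clinician", "write", ""),
    ]:
        try:
            ctl.authorise(user, role, action, "P-001", reason)
        except AccessDenied as exc:
            print(f"denied {user}: {exc}")
    for line in ctl.audit_log:
        print(line)
```

The audit entries carry the stated reason alongside the outcome, which is what lets a later review answer "who accessed this record, and why" rather than only "who accessed it".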
Strict network isolation between production, staging, and development environments. Patient data systems operate in dedicated, hardened network segments.
A Web Application Firewall in front of the application filters common attack traffic, including the injection, cross-site scripting and similar classes in the OWASP Top 10; it complements secure development rather than replacing it. DDoS mitigation protects service availability.
All credentials, API keys, and sensitive configuration managed through dedicated secrets management with automatic rotation.
Real-time replication to geographically separated UK data centres. For critical systems the recovery point objective (RPO, the maximum data loss) is 1 minute and the recovery time objective (RTO, the maximum time to restore service) is 4 hours.
All production systems deployed as immutable containers. No manual changes permitted. All updates through tested CI/CD pipelines.
Automated daily backups with point-in-time recovery capability. Backups encrypted and stored in separate security domain.
We achieve "Standards Exceeded" status on the NHS Data Security and Protection Toolkit (DSPT), demonstrating our commitment to NHS data security standards. Our DSPT submission is independently verified annually.
Our information security management system is certified to ISO 27001:2022, the international standard for information security. Certification covers all aspects of our service delivery.
We hold Cyber Essentials Plus certification, demonstrating robust cyber security practices through independent, hands-on technical verification of our controls, including vulnerability scanning.
Full compliance with UK GDPR requirements for processing special category health data, including lawful basis documentation, DPIAs, and data subject rights procedures.
Security is an ongoing process, not a destination. We continuously assess, test, and improve our security posture through a combination of automated tools, manual testing, and independent verification.
Independent penetration testing by CREST-certified security firms
Automated vulnerability scanning of all systems and dependencies
Security review of all code changes
Regular security awareness training and phishing simulation for staff
We welcome security researchers who help us keep Medelic secure. If you discover a potential security vulnerability, please report it responsibly.
Report vulnerabilities
security@medelic.com
PGP encryption available: contact us for our public key
Response commitment
Initial response within 24 hours
We're happy to discuss our security architecture in detail with your IT and IG teams. Get in touch to arrange a technical deep-dive.