Technical

Built for the standards your teams demand.

Healthcare software that handles protected health information carries a non-negotiable obligation. Every layer of the Medesto platform is designed to meet and exceed the industry's most demanding security and compliance frameworks, so your teams can operate with confidence.

Frameworks & Certifications

Six standards. One platform.

Medesto is aligned to the full stack of healthcare security standards, from federal mandates to globally recognized benchmarks. Certifications and security documentation are available upon request.

HIPAA

Protected health information is safeguarded at every point in its lifecycle, with administrative, physical, and technical safeguards mapped to the Privacy Rule, the Security Rule, and the Breach Notification Rule.

SOC 2

Controls mapped to the SOC 2 Trust Services Criteria for security, availability, processing integrity, and confidentiality.

HITRUST CSF

Healthcare's most comprehensive security framework, harmonizing ISO 27001, NIST, PCI DSS, and HIPAA requirements into a single certifiable standard.

NIST CSF v1.1

NIST's widely adopted framework for managing cybersecurity risk, organized around the Identify, Protect, Detect, Respond, and Recover functions. (NIST CSF 2.0, released in 2024, adds a sixth Govern function.)

OWASP ASVS 4.0

A globally recognized requirements standard for verifying web application security. All application code is built against ASVS Level 2, the level intended for applications handling sensitive data, with targeted Level 3 controls where the risk warrants them.

WCAG 2.2 AA

Interfaces usable with any assistive technology. Every interface element meets or exceeds the WCAG 2.2 Level AA success criteria.

Encryption

All data is encrypted at rest (AES-256) and in transit (TLS 1.2 or higher; earlier TLS and SSL versions are not accepted). No unencrypted pathway to patient or client data exists anywhere in the platform.

Documentation

Full security documentation, certifications, and Business Associate Agreements (BAAs) are available upon request to qualified prospects and existing customers.

How We Approach Security

Security is a design constraint, not a feature.

01

Secure by Default

Every system component ships with least-privilege access, deny-by-default network policies, and encryption enabled from day one. Security is never bolted on after the fact.

02

Defense in Depth

No single control is relied upon to protect sensitive data. Network segmentation, application-layer controls, identity verification, and audit logging form overlapping defensive layers.

03

Continuous Monitoring

Automated security scanning, dependency auditing, and anomaly detection run continuously across the entire platform, so that threats are detected and contained early rather than discovered after the fact.

04

Minimal Data Collection

We collect only what is operationally necessary. Data retention policies are strictly enforced, and PHI is never used outside its contractually defined purpose.

05

Transparent Accountability

Every access event, configuration change, and data movement is written to immutable audit logs and available for review. Your security and compliance teams always have a clear picture.

06

Vendor Risk Management

All third-party vendors and subprocessors undergo security assessment before onboarding. BAAs are in place with every subprocessor that handles PHI on our behalf, as HIPAA requires of business associates and their subcontractors.

Common Questions

Technical FAQ

Is Medesto HIPAA compliant?

Yes. Medesto Health operates in compliance with HIPAA. All protected health information is encrypted in transit and at rest, access is controlled through role-based permissions, and all activity is audit-logged. Business Associate Agreements are available for every covered entity we work with. Note that no government body issues a HIPAA certification; compliance is demonstrated through documented safeguards and independent assessment, which is why Medesto also aligns to HITRUST CSF.

Is Medesto SOC 2 compliant?

Medesto Health operates with controls mapped to the SOC 2 Trust Services Criteria for security, availability, and confidentiality. Full security documentation, including certifications, is available to qualified prospects and customers upon request.

How is data encrypted?

All data is encrypted at rest using AES-256 and in transit using TLS 1.2 or higher. There are no unencrypted pathways to patient or client data anywhere in the platform. Encryption keys are managed with hardware-backed key management services.

What happens in the event of a security incident?

We maintain a formal incident response plan aligned to NIST SP 800-61. In the event of a confirmed security incident involving PHI, affected customers are notified within the timeframes required by HIPAA's Breach Notification Rule, which obliges a business associate to notify the covered entity without unreasonable delay and no later than 60 calendar days after discovery (45 CFR 164.410), or sooner where the BAA requires it. A dedicated security contact is available to customers 24/7.

How do I obtain security documentation or a BAA?

Full security documentation, certification reports, and Business Associate Agreements are available to qualified prospects and existing customers. Reach out through the Request a Demo form below or contact your Medesto account representative directly.

Ready to review our security documentation?

Our security team is available to walk through certifications, answer compliance questions, and execute BAAs for qualified organizations.

Request a Demo