Current state and trajectory against four standards: ISO/IEC 27001:2022, ISO 27799 (healthcare overlay), AICPA SOC 2 Type II, and the NHS Data Security & Protection Toolkit. Plus the Data Processing Addendum framework, sub-processor list with EU-region designations, and cross-border data-transfer mechanisms. Save as PDF (⌘P / Ctrl+P) for your compliance officer.
Document version: 2026-05-14 · Latest version always at medicarehis.com/compliance-roadmap
MediCare HIS is not yet formally certified to any external standard. We've done the work to be measurable against them — gap analyses with per-control evidence are maintained in our internal controls inventory and made available to procurement / audit teams under NDA — and we are progressing through formal certification on a Stage-gated cadence. The honest framing: we hold more compliance evidence than most local vendors, less than fully-certified enterprise vendors. The trajectory below is what we commit to deliver.
ISO/IEC 27001:2022
Current state: Pre-certification gap analysis maintained. ~80% of the technological controls (Annex A.8) are met by implemented controls with per-control evidence (available under NDA). Organisational and people controls are addressed at the level appropriate to a founder-led Stage 1 company.
Trigger to certify: First paying customer (end of company Stage 1) opens auditor selection, followed by a 12-month evidence-gathering window through company Stage 2 and the certification audit at the end of Stage 2. (ISO 27001 has no Type I / Type II reports; the certification body performs a Stage 1 documentation review and a Stage 2 implementation audit, which are distinct from our company stages.)
Expected timeline to formal cert: 18–24 months from first paid customer.
Evidence today: Annex A control mapping published; pen-test scope finalised and engagement scheduled; quarterly security committee minutes kept as a recurring record.
ISO 27799 (health-sector overlay)
Current state: Per-theme mapping published covering PHI confidentiality, integrity, availability and auditability; patient consent and rights; patient identification (cross-tenant record lookups answer 404 rather than 403, so a record's existence is not disclosed to another tenant); role-based clinical access; audit log retention; integration security; backup; personnel.
Trigger: First teaching hospital deployment typically opens the 27799 conversation. ISO 27799 is guidance (the health-sector application of ISO/IEC 27002), not a separately certifiable standard, so it is assessed within the ISO 27001 scope rather than certified on its own.
Expected timeline: Tracks ISO 27001 certification, with the 27799 control set included in that audit scope.
Differentiator: Most African HIS vendors do not produce a 27799 mapping at all. Publishing one places us in a different conversation with healthcare buyers and their auditors.
AICPA SOC 2 Type II
Current state: Roadmap defined. Security (the mandatory criterion), Availability and Confidentiality Trust Services Criteria in scope from Stage 1. ~80% of the SOC 2 control population is already met by implemented controls; the remaining work is largely establishing an evidence-collection cadence rather than adding controls.
Trigger: First international or insurance-integrated customer.
Expected timeline to Type II report: 30–42 months from first paid customer (audit readiness during Stage 2, then a 12-month observation window during Stage 3; a Type II report attests to operating effectiveness over that window, whereas a Type I covers control design at a point in time).
Sequencing rationale: ISO 27001 first because African and European customers ask for that. SOC 2 second because international (US/UK) customers ask for that. Both cover similar ground; the work compounds.
NHS Data Security & Protection Toolkit
Current state: Standard-by-standard mapping published. 9 of the 10 National Data Guardian standards are effectively met today. The 10th (annual training records) closes with the Stage 2 hiring.
Trigger: None. The DSPT is a self-assessment submitted by NHS suppliers, and we are not one. The mapping serves as the strongest signal we can offer on healthcare-specific security maturity to African and donor-funded buyers.
Why it matters: The NHS runs one of the most mature healthcare security regimes anywhere, and the toolkit has been revised after real incidents, notably the 2017 WannaCry outbreak. Being measurable against it is a meaningful signal.
Going forward: Each annual DSPT revision of the ten NDG standards will be re-mapped and the resulting gap published.
We operate as a data processor. Each deploying hospital is the data controller for its patients' data. This split is captured in the DPA attached to every customer contract.
Every sub-processor that processes PHI on our behalf is bound, at minimum, to the flow-down obligations GDPR Article 28 requires of a processor: confidentiality obligations on its personnel, security controls equivalent to or stronger than ours, disclosure of its own sub-processor list to us with notification of changes, audit and inspection rights (typically satisfied via SOC 2 / ISO 27001 reports), support for data-subject rights requests, and breach notification within a window aligned with our own customer obligations.
| Sub-processor | Purpose | Region | DPA |
|---|---|---|---|
| Fly.io | Application runtime (cloud deployment) | EU (Frankfurt) default; region pin available | Signed |
| Cloudflare | CDN, WAF, DDoS mitigation (traffic in transit; only network metadata is retained) | Global edge | Signed |
| Backblaze B2 | Off-host backup + audit chunk storage (client-side encrypted) | EU | Signed |
| Resend | Outbound transactional email | EU | Signed |
| Sentry | Error reporting with PHI-scrubbed events | EU | Signed |
| Anthropic | AI features (per-tenant opt-in only) | Per API call (data goes wherever the API is served) | Signed |
For per-hospital server and on-premise deployment models, the cloud sub-processor list is reduced: Fly.io and Cloudflare do not apply if the deployment runs in your own data centre. Backblaze remains (for off-host backup) unless you have configured an alternative backup target. Sentry and Resend remain regardless of deployment model unless explicitly disabled at your tenant level; Anthropic applies only where a tenant has opted in to AI features.
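The Sentry row above states that error events are PHI-scrubbed before they leave the host. The following is an added example of how such a hook is written, not MediCare HIS code: a `before_send` function for the Sentry Python SDK that redacts a denylist of field names and PHI-looking value patterns anywhere in the event, including inside message strings and request URLs where a key-based denylist alone would miss them. The field names, the value patterns, the exempt-key list and the sample event are assumptions constructed for illustration.

```python
"""Sentry before_send hook that redacts PHI before an event leaves the host.

Added example, not MediCare HIS code. The field names, value patterns and the
sample event below are assumptions constructed for illustration.
"""
import copy
import re
from typing import Any, Optional

# Field names whose values are PHI wherever they appear in the event
# (assumed application field names).
PHI_KEYS = frozenset({
    "patient_id", "mrn", "nhs_number", "national_id", "name", "first_name",
    "last_name", "dob", "date_of_birth", "phone", "email", "address",
})

# Keys whose string values are SDK metadata, never PHI, and must survive intact
# (pattern scrubbing would otherwise mangle ISO timestamps).
PATTERN_EXEMPT_KEYS = frozenset({"timestamp", "event_id", "release", "platform"})

# Value patterns that leak PHI under a harmless key, e.g. inside a log message
# or a request URL. Assumed formats: 10-digit identifiers (NHS-number style),
# ISO dates (DOB), e-mail addresses.
PHI_PATTERNS = (
    re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{4}\b"),
    re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
)
REDACTED = "[redacted]"


def scrub_string(value: str) -> str:
    """Replace every PHI-looking substring in one string."""
    for pattern in PHI_PATTERNS:
        value = pattern.sub(REDACTED, value)
    return value


def scrub(obj: Any) -> Any:
    """Recursively redact PHI keys and PHI-looking strings in a nested event.

    The walk covers the whole event (message, exception values, request data,
    extra, breadcrumbs) rather than a fixed list of paths, so a newly added
    field cannot leak just because nobody listed it.
    """
    if isinstance(obj, dict):
        out = {}
        for key, val in obj.items():
            name = str(key).lower()
            if name in PHI_KEYS:
                out[key] = REDACTED            # drop the value, keep the key
            elif name in PATTERN_EXEMPT_KEYS and isinstance(val, str):
                out[key] = val                 # SDK metadata, leave untouched
            else:
                out[key] = scrub(val)
        return out
    if isinstance(obj, (list, tuple)):
        return type(obj)(scrub(v) for v in obj)
    if isinstance(obj, str):
        return scrub_string(obj)
    return obj                                  # numbers, bools, None


def before_send(event: dict, hint: Optional[dict] = None) -> dict:
    """Hook with the signature sentry_sdk.init(before_send=...) calls.

    Works on a deep copy so the application's own objects are not mutated,
    and never returns None: dropping events would hide real errors, while
    redacting them keeps the signal without the PHI.
    """
    return scrub(copy.deepcopy(event))


# Constructed sample event (not a real capture).
SAMPLE_EVENT = {
    "event_id": "9f1cd2e7a4b94c8e8d3f6a1b2c3d4e5f",
    "timestamp": "2026-05-14T09:15:00Z",
    "message": "Lookup failed for patient 943 476 5919 (dob 1987-03-02)",
    "request": {
        "url": "/api/patients?nhs_number=9434765919",
        "data": {"patient_id": "P-000123", "ward": "C4"},
    },
    "extra": {"name": "Jane Doe", "contact": "jane.doe@example.org"},
    "breadcrumbs": [
        {"timestamp": "2026-05-14T09:14:58Z", "message": "opened chart 9434765919"},
    ],
}

if __name__ == "__main__":
    import json
    print(json.dumps(before_send(SAMPLE_EVENT), indent=2))
```

Wire it in with `sentry_sdk.init(dsn=..., send_default_pii=False, before_send=before_send)`. The pattern list is a backstop, not the primary control: the primary control is never putting PHI into log messages or exception text in the first place, and the scrubber should be reviewed whenever a new identifier format enters the application.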
By default, customer data is stored in EU regions (Fly.io Frankfurt for live data, the Backblaze EU region for off-host backup). Region pinning is available at Enterprise tier: Singapore (APAC), Sydney (Australia), Johannesburg (South Africa), São Paulo (Latin America). Region pinning applies to the live data on Fly.io; the off-host backup region is the Backblaze EU region listed above unless an alternative backup target has been configured. For hospitals in jurisdictions with strict data-locality rules, the per-hospital server install or on-premise deployment puts the data physically in your facility.
| Class | Retention |
|---|---|
| Live PHI | Lifetime of the patient relationship plus the per-jurisdiction medical-records retention period (typically 7–10 years after last contact) |
| Audit chain | 7 years in immutable off-host storage (Backblaze B2 Object Lock in Compliance mode: until the retention date passes, nobody, including the bucket owner, can delete the object or shorten the lock) |
| Snapshots (hourly) | Every hourly snapshot for 48h (hot), then one per day for 28 days locally; off-host copies are hidden 90 days after upload and deleted 30 days after hiding (B2 lifecycle rule) |
| Sentry events | 90 days (PHI-scrubbed) |
| Session records | 2 hours (rolling) |
| Public marketing logs | 30 days |
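The snapshot row above describes a two-tier local rotation plus a hide-then-delete lifecycle on the off-host copies. As an added example, not MediCare HIS tooling, the following Python selects which hourly snapshots to keep locally under the 48-hour hot window and the 28-day daily tier, and emits the Backblaze B2 bucket lifecycle rule for the off-host tier using B2's documented `daysFromUploadingToHiding` / `daysFromHidingToDeleting` fields. The snapshot timestamps, the UTC day boundary and the bucket prefix are assumptions.

```python
"""Snapshot rotation for the retention table's '48h hot + 28 daily local' tier,
plus the B2 lifecycle rule for the off-host '90d hide + 30d delete' tier.

Added example, not MediCare HIS tooling. Timestamps, the UTC day boundary and
the bucket prefix are assumptions; the hour/day figures are from the table.
"""
from datetime import datetime, timedelta, timezone

HOT_WINDOW = timedelta(hours=48)  # every hourly snapshot this recent is kept
DAILY_KEEP = 28                   # beyond that, one snapshot per UTC day


def select_snapshots(snapshots, now):
    """Split tz-aware snapshot timestamps into (keep, prune) for local storage.

    1. Anything within HOT_WINDOW of `now` is kept.
    2. Outside the hot window, the newest snapshot of each UTC day is kept for
       the DAILY_KEEP most recent days that have one.
    3. Everything else is pruned locally. Off-host copies are never touched
       here; they age out through the bucket lifecycle rule below.
    """
    keep, prune, days_kept = [], [], set()
    for ts in sorted(snapshots, reverse=True):  # newest first
        if now - ts <= HOT_WINDOW:
            keep.append(ts)
        elif ts.date() not in days_kept and len(days_kept) < DAILY_KEEP:
            days_kept.add(ts.date())  # first seen for a day is its newest
            keep.append(ts)
        else:
            prune.append(ts)
    return keep, prune


def b2_offhost_lifecycle_rule(prefix="snapshots/"):
    """Backblaze B2 bucket lifecycle rule for the off-host tier: hide each
    snapshot 90 days after upload and delete it 30 days after hiding.

    The key names are B2's lifecycle-rule fields; the prefix is an assumption.
    Audit-chain objects belong under a different prefix: they are held by
    Object Lock in Compliance mode for 7 years, and a lifecycle rule should
    not be attempting to delete them.
    """
    return {
        "fileNamePrefix": prefix,
        "daysFromUploadingToHiding": 90,
        "daysFromHidingToDeleting": 30,
    }


# Constructed sample: 35 days of hourly snapshots ending at NOW.
NOW = datetime(2026, 5, 14, 12, 0, tzinfo=timezone.utc)


def hours_ago(h):
    """Timestamp h hours before NOW (convenience for building the sample)."""
    return NOW - timedelta(hours=h)


SAMPLE_SNAPSHOTS = [hours_ago(h) for h in range(35 * 24)]


def rotation_summary(snapshots=SAMPLE_SNAPSHOTS, now=NOW):
    """Counts and the oldest kept snapshot, as a sanity check of the policy."""
    keep, prune = select_snapshots(snapshots, now)
    return {
        "kept": len(keep),
        "pruned": len(prune),
        "oldest_kept": min(keep).isoformat(),
    }


if __name__ == "__main__":
    print(rotation_summary())          # kept: 49 hot + 28 daily = 77 of 840
    print(b2_offhost_lifecycle_rule())
```

Run against the constructed sample, the hot window keeps 49 snapshots (hour 0 through hour 48 inclusive), the daily tier keeps 28 more, and the oldest local copy left is the 23:00 snapshot 29 days back; the 90/30 lifecycle rule then governs how long the off-host copies outlive the local ones.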
Companion documents: Procurement evidence pack · Brochure · Security whitepaper · Deployment architecture · SLA · Support · Onboarding