// Trust & Security Report

    Infermedica Sp. z o.o. logo

    Infermedica Sp. z o.o.

    Clinical AI triage platform for healthcare systems, including conversational triage, voice agent, pre-visit intake, and follow-up modules. MDR Class IIb certified medical device for patient symptom assessment and care navigation across 30+ countries.

    Certifications held

    12

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    Global compliance with GDPR, HIPAA, and SOC 2 Type 2®, built around secure data practices.

    Verify on infermedica.com
    SOC 2 Type 1
    HELD

    SOC 2 Type 1 – Service Organization Control audit

    Verify on security.infermedica.com
    ISO 27001:2022
    HELD

    Certified with ISO 13485:2016 for medical devices and ISO 27001:2022 for information security.

    Verify on infermedica.com
    ISO 13485:2016
    HELD

    ISO 13485:2016 – Medical device quality management system

    Verify on security.infermedica.com
    GDPR
    HELD

    Global compliance with GDPR, HIPAA, and SOC 2 Type 2®, built around secure data practices.

    Verify on infermedica.com
    HIPAA
    HELD

    Global compliance with GDPR, HIPAA, and SOC 2 Type 2®, built around secure data practices.

    Verify on infermedica.com
    EU MDR Class IIb
    HELD

    Medical Guidance Platform (MGP) is certified as a Class IIb medical device under EU MDR

    Verify on infermedica.com
    UK MHRA Registration
    HELD

    MGP is certified as a Class IIb medical device under EU MDR and registered with the UK MHRA.

    Verify on infermedica.com
    PCI DSS
    HELD

    PCI DSS – Payment Card Industry Data Security Standard

    Verify on security.infermedica.com
    NIS 2
    HELD

    NIS 2 – Network and Information Security Directive compliance

    Verify on security.infermedica.com
    Cyber Essentials
    HELD

    Cyber Essentials – Baseline cybersecurity certification

    Verify on security.infermedica.com
    Cyber Essentials Plus
    HELD

    Cyber Essentials Plus – Enhanced cybersecurity verification

    Verify on security.infermedica.com
    > Show 2 unconfirmed / not-held certifications
    ISO/IEC 42001 (AI Governance)
    NOT CONFIRMED

    No public evidence of ISO/IEC 42001 AI governance certification found across official Infermedica domain sources.

    source: security.infermedica.com
    CSA STAR AI
    NOT CONFIRMED

    No public evidence of CSA STAR AI certification found.

    source: security.infermedica.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    Configurable: EU (default), AU, US. Data hosted on Google Cloud Services. GDPR standard contractual clauses used for international transfers.

    Privacy policy does not explicitly address whether customer health data is used for model training or improvement. AI training practices unclear; contact DPO at dpo@infermedica.com for clarification.

    // Security controls

    Encryption in transit

    TLS encryption for all data in transit; compliant with SOC 2 and HIPAA requirements

    security.infermedica.com

    Encryption at rest

    Encrypted data storage; compliant with ISO 27001:2022 and SOC 2 Type 2 standards

    security.infermedica.com

    Access controls

    Role-based access controls with continuous monitoring

    infermedica.com

    Penetration testing

    Regular penetration testing conducted as part of ISO 27001 compliance

    infermedica.com

    Vulnerability reporting

    Dedicated security reporting mechanism via https://infermedica.com/report-issue

    infermedica.com

    Data retention

    Data retained only as long as necessary for stated purposes; sensitive data like contact information retained up to 90 days in Platform API

    infermedica.com

    // Products & data scope

    Medical Guidance Platform (MGP) – TriageConversational AI Triage

    data: Patient symptoms, medical history, assessment outcomes

    Class IIb medical device; natural dialogue interface; HIPAA and GDPR compliant; deployed across 30+ countries

    Voice AgentVoice-based Triage

    data: Voice-based symptom collection; call metadata

    Handles initial patient interaction via voice; integrates with call center workflows; structured handoff to nurses

    Medical Guidance Platform (MGP) – IntakePre-visit Data Collection

    data: Structured patient data pre-consultation

    Collects patient history before clinical visit; reduces clinician time on data gathering

    Medical Guidance Platform (MGP) – Follow-upPost-visit Monitoring

    data: Patient follow-up interactions

    Supports post-visit patient monitoring and engagement

    Platform APIAPI/Integration

    data: Custom integrations; stateful with user/patient entity storage; contact info retained 90 days

    Persistent data storage; regional deployment (EU/AU/US); configured by Infermedica team

    Engine APIAPI/Integration

    data: Stateless; symptom data and statistical information only

    No personal data storage; processes anonymous symptom information; no personal context retained

    // What to watch

    • AI training data practices not explicitly documented in public privacy policy; customer data training posture unclear—recommend contacting vendor directly or reviewing Data Processing Agreement addendums for clarity.
    • ISO/IEC 42001 AI governance certification is not held; vendor focuses on medical device (MDR Class IIb) and general data security (ISO 27001) instead of dedicated AI governance standard.
    • Data residency options are limited to three regions (EU, AU, US); organizations requiring other geographic regions should verify in contracts.

    // At a glance

    Pricing model

    Enterprise SaaS; deployed in healthcare systems, insurers, telehealth platforms; custom pricing based on deployment and patient volume

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Infermedica Sp. z o.o.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    security.infermedica.com

    > Browse all vendor trust reports