// Trust & Security Report
Infermedica Sp. z o.o.
Clinical AI triage platform for healthcare systems, including conversational triage, voice agent, pre-visit intake, and follow-up modules. MDR Class IIb certified medical device for patient symptom assessment and care navigation across 30+ countries.
Certifications held
12
Maturity
Enterprise
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on infermedica.com“Global compliance with GDPR, HIPAA, and SOC 2 Type 2®, built around secure data practices.”
Verify on security.infermedica.com“SOC 2 Type 1 – Service Organization Control audit”
Verify on infermedica.com“Certified with ISO 13485:2016 for medical devices and ISO 27001:2022 for information security.”
Verify on security.infermedica.com“ISO 13485:2016 – Medical device quality management system”
Verify on infermedica.com“Global compliance with GDPR, HIPAA, and SOC 2 Type 2®, built around secure data practices.”
Verify on infermedica.com“Global compliance with GDPR, HIPAA, and SOC 2 Type 2®, built around secure data practices.”
Verify on infermedica.com“Medical Guidance Platform (MGP) is certified as a Class IIb medical device under EU MDR”
Verify on infermedica.com“MGP is certified as a Class IIb medical device under EU MDR and registered with the UK MHRA.”
Verify on security.infermedica.com“PCI DSS – Payment Card Industry Data Security Standard”
Verify on security.infermedica.com“NIS 2 – Network and Information Security Directive compliance”
Verify on security.infermedica.com“Cyber Essentials – Baseline cybersecurity certification”
Verify on security.infermedica.com“Cyber Essentials Plus – Enhanced cybersecurity verification”
> Show 2 unconfirmed / not-held certifications
source: security.infermedica.comNo public evidence of ISO/IEC 42001 AI governance certification found across official Infermedica domain sources.
source: security.infermedica.comNo public evidence of CSA STAR AI certification found.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
Configurable: EU (default), AU, US. Data hosted on Google Cloud Services. GDPR standard contractual clauses used for international transfers.
Privacy policy does not explicitly address whether customer health data is used for model training or improvement. AI training practices unclear; contact DPO at dpo@infermedica.com for clarification.
// Security controls
Encryption in transit
TLS encryption for all data in transit; compliant with SOC 2 and HIPAA requirements
security.infermedica.comEncryption at rest
Encrypted data storage; compliant with ISO 27001:2022 and SOC 2 Type 2 standards
security.infermedica.comPenetration testing
Regular penetration testing conducted as part of ISO 27001 compliance
infermedica.comVulnerability reporting
Dedicated security reporting mechanism via https://infermedica.com/report-issue
infermedica.comData retention
Data retained only as long as necessary for stated purposes; sensitive data like contact information retained up to 90 days in Platform API
infermedica.com// Products & data scope
data: Patient symptoms, medical history, assessment outcomes
Class IIb medical device; natural dialogue interface; HIPAA and GDPR compliant; deployed across 30+ countries
data: Voice-based symptom collection; call metadata
Handles initial patient interaction via voice; integrates with call center workflows; structured handoff to nurses
data: Structured patient data pre-consultation
Collects patient history before clinical visit; reduces clinician time on data gathering
data: Patient follow-up interactions
Supports post-visit patient monitoring and engagement
data: Custom integrations; stateful with user/patient entity storage; contact info retained 90 days
Persistent data storage; regional deployment (EU/AU/US); configured by Infermedica team
data: Stateless; symptom data and statistical information only
No personal data storage; processes anonymous symptom information; no personal context retained
// What to watch
- AI training data practices not explicitly documented in public privacy policy; customer data training posture unclear—recommend contacting vendor directly or reviewing Data Processing Agreement addendums for clarity.
- ISO/IEC 42001 AI governance certification is not held; vendor focuses on medical device (MDR Class IIb) and general data security (ISO 27001) instead of dedicated AI governance standard.
- Data residency options are limited to three regions (EU, AU, US); organizations requiring other geographic regions should verify in contracts.
// At a glance
Pricing model
Enterprise SaaS; deployed in healthcare systems, insurers, telehealth platforms; custom pricing based on deployment and patient volume
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Infermedica Sp. z o.o.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
security.infermedica.com