// Trust & Security Report
Nano-X Imaging Ltd.
Medical imaging devices (Nanox.ARC, Nanox.ARC X — FDA-cleared digital tomosynthesis systems) and AI-powered diagnostic software (Nanox.AI with HealthCCS cardiac, HealthFLD liver, HealthOST bone solutions; Nanox.MARKETPLACE teleradiology; Nanox.Health IT infrastructure services)
Certifications held
4
Maturity
Growth
Trains on your data
No
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on nanox.vision“Nanox publishes a Notice of Privacy Practices Under HIPAA stating that, although it operates as a service provider rather than a covered entity under HIPAA, it has chosen to adopt HIPAA Rules in maintaining Protected Health Information (PHI); the Nanox Health IT page separately states "HIPAA-aligned security controls" and "Incident response planning & readiness." No public evidence found of a specific breach-notification timeline or of AWS infrastructure being independently HIPAA-certified.”
Verify on nanox.vision“Privacy policy (April 2024) states GDPR adherence with lawful processing basis, data subject rights, Standard Contractual Clauses for international transfers, and DPA framework for processor obligations”
Verify on nanox.vision“Nanox.ARC received FDA 510(k) clearance as digital multi-source 3D tomosynthesis imaging system; Nanox.AI solutions are FDA-cleared for diagnostic highlighting and disease detection; Nanox.ARC X received FDA clearance for general use including musculoskeletal, pulmonary, intra-abdominal indications”
Verify on investors.nanox.vision“HealthOST (bone solution) received EU MDR CE mark certification enabling commercialization across Europe per highest regulatory standards for medical software; Nanox.ARC received CE mark in February 2025”
> Show 6 unconfirmed / not-held certifications
source: nanox.visionNo public evidence of ISO 27001 certification; the term does not appear anywhere in Nanox's published Privacy Policy or other public disclosures reviewed.
source: nanox.visionNo public evidence of SOC 2 certification; the term does not appear anywhere in Nanox's published Privacy Policy or other public disclosures reviewed.
No public evidence of PCI-DSS certification found in vendor documentation or public disclosures
No public evidence found in vendor documentation; company emphasizes HIPAA and GDPR compliance but does not reference these additional ISO standards
No public evidence of AI-governance-specific certification found; company focuses on medical device regulatory compliance (FDA, CE) and healthcare data security standards
No public evidence found in vendor documentation or independent sources
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
United States and other countries; international transfers use Standard Contractual Clauses
Nanox.AI uses a proprietary data lake of millions of anonymized HIPAA-compliant medical images and 500+ million imaging scans from its own Nanox.ARC devices and healthcare partnerships. These are anonymized for AI model development. No evidence found of training on customer-provided data without appropriate anonymization or consent. Medical imaging data is inherently sensitive and appropriately handled under HIPAA-compliant processes.
// Security controls
Encryption in transit and at rest
Implemented; technical safeguards include encryption, access controls, and monitoring per privacy policy
nanox.visionAccess controls and authentication
Implemented; administrative controls include policies, training, and incident response procedures
nanox.visionHIPAA-aligned security controls
Yes; Nanox Health IT page states "HIPAA-aligned security controls," "Integrated cybersecurity monitoring & threat mitigation," and "Incident response planning & readiness." No public evidence found that underlying AWS infrastructure itself carries an independent HIPAA certification.
nanox.visionBreach notification
Procedures established; 60-day notification timeline per HIPAA requirements
nanox.vision// Products & data scope
data: Patient medical images; FDA-cleared, CE-marked; stationary multi-source 3D tomosynthesis system
Primary imaging device; core regulatory approval achieved; generates large imaging datasets used for AI training
data: Patient medical images; FDA-cleared general use (April 2025); next-generation compact tomosynthesis system
Latest generation device; broader indication set than ARC
data: Patient imaging data from CT/radiography; FDA-cleared solutions for disease detection (cardiac, liver, bone); trained on 500M+ anonymized images
AI solutions for early disease detection; uses anonymized data for model training; HealthOST received CE Mark MDR in 2024
data: Patient medical images and diagnostic reports; connects imaging providers globally
Platform for secure imaging sharing and remote diagnostics
data: Healthcare provider IT systems and operations; HIPAA-compliant infrastructure
Healthcare IT services, infrastructure support, cybersecurity and compliance solutions
// What to watch
- FINANCIAL RISK: SEC filings (2025) note 'substantial doubt about the company's ability to continue as a going concern' without additional funding. Accumulated deficit ~$448.8M; net loss ~$75M in 2025. This impacts vendor stability.
- COMPLIANCE CERT UNCERTAINTY: No public evidence of ISO 27001 or SOC 2 certification was found anywhere in Nanox's published Privacy Policy or other public disclosures reviewed; these terms do not appear in the documentation. Direct vendor verification recommended before assuming either certification is held.
- NO TRUST CENTER: Unlike comparable enterprise healthcare SaaS vendors, Nanox does not maintain a centralized security/trust center page. Compliance docs are scattered across Privacy Policy, HIPAA Notice, and Health IT pages.
- AI-TRAINING POSTURE IMPLICIT: Nanox.AI trains on millions of anonymized medical images, but there is no explicit customer opt-out policy documented for AI training. However, training appears limited to anonymized data and internal/partnership datasets, not customer-specific patient data.
- HIPAA POSTURE ROLE AMBIGUITY: Nanox operates as a service provider (not a covered entity) under HIPAA. Company elects to adopt HIPAA Rules. BAA (Business Associate Agreement) availability not explicitly stated in public documentation; likely available but requires inquiry.
// At a glance
Pricing model
Device + SaaS (Nanox.ARC hardware + cloud software subscriptions; AI solutions as SaaS; Health IT as managed services)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Nano-X Imaging Ltd.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
nanox.vision