Security at MedMe.
Pharmacies trust us with patient health information every day. Here's how we earn that trust: through certifications, controls, regional data residency, and a security program built into the product, not bolted on.
Independent attestations.
External auditors validate our controls annually. Reports available under NDA.
SOC 2 Type II
Annual audit covering security, availability, confidentiality, and processing integrity. Most recent report dated November 2025; next audit underway.
HIPAA Aligned
Administrative, physical, and technical safeguards aligned to the HIPAA Security Rule. BAA available on request. See our HIPAA page.
HITRUST CSF r2
Validated against HITRUST CSF r2 covering 19 control domains. Certification renewed November 2025.
PIPEDA & Provincial
PIPEDA, PHIPA, FIPPA, HIA, BC PIPA, and equivalent provincial laws addressed. See our Canadian privacy page.
Regional data residency.
Customer data never leaves its home country. US customer data stays in US AWS regions, and Canadian customer data stays in ca-central-1. Period.
US United States
Customer environments hosted in AWS us-east-1 (Northern Virginia) with cross-AZ replication and snapshot backups in the same region. Disaster recovery to AWS us-east-2.
- Primary region: us-east-1 · DR: us-east-2
- BAA executed with AWS
- FIPS 140-2 validated cryptography
- RTO: 4 hours · RPO: 15 minutes
CA Canada
Customer environments hosted in AWS ca-central-1 (Montréal) with cross-AZ replication. All Canadian customer data, PHI included, remains in Canada.
- Primary region: ca-central-1 (Montréal)
- No cross-border replication for PHI
- Provincial sovereignty options on request
- RTO: 4 hours · RPO: 15 minutes
How we protect data.
Eight pillars of our security program. Validated by external auditors and continuously monitored.
Encryption
AES-256 at rest using AWS KMS with customer-isolated key hierarchies. TLS 1.3 in transit with strong cipher suites. Encrypted database backups, encrypted log archives.
Access control
Role-based access control (RBAC) inside the product. SAML 2.0 / OIDC SSO for enterprise. Multi-factor authentication (TOTP, WebAuthn) required for all administrative roles. Just-in-time privilege escalation for engineering.
Audit logging
Tamper-evident logs of all administrative actions, data accesses, and configuration changes. Logs retained for 7 years (US) and per provincial requirements (CA). Available to customers via the audit-log API and monthly summary report.
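As an added illustration of what "tamper-evident" means in practice (this is example code, not MedMe's audit-log implementation; the key, event fields and sample records are constructed for the demo): each record is keyed with an HMAC over its own content plus the hash of the record before it, so editing, deleting or reordering any entry breaks the chain from that point on and verification reports the first bad index.

```python
"""Hash-chained audit log (added example, not MedMe's code).

Each entry stores the hash of the previous entry and an HMAC-SHA256 over its
own canonical content. Rewriting a record changes its hash and breaks the link
held by the next record; deleting a record leaves a gap in the sequence.
"""
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # conventional prev_hash for the first record

# Constructed demo key. A real deployment keeps this in a KMS/HSM, held by a
# party other than the system that writes the log, so a writer cannot
# silently recompute the whole chain.
KEY = b"demo-only-key-keep-real-keys-in-kms"

# Constructed sample events in the shape an admin-action log might use.
SAMPLE_EVENTS = [
    {"ts": "2025-11-03T14:02:11Z", "actor": "admin@pharmacy.example",
     "action": "login", "mfa": "webauthn"},
    {"ts": "2025-11-03T14:05:40Z", "actor": "admin@pharmacy.example",
     "action": "view_record", "patient_ref": "p-8842"},
    {"ts": "2025-11-03T14:07:02Z", "actor": "admin@pharmacy.example",
     "action": "change_role", "target": "tech@pharmacy.example",
     "role": "pharmacist"},
]


def _canonical(record: dict) -> bytes:
    """Fixed key order, no whitespace: the bytes hashed are stable across processes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_entry(chain: list, event: dict, key: bytes) -> dict:
    """Append an event, linking it to the previous entry via prev_hash and an HMAC."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    entry = {"seq": len(chain), "prev_hash": prev_hash, "event": event}
    entry["hash"] = hmac.new(key, _canonical(entry), hashlib.sha256).hexdigest()
    chain.append(entry)
    return entry


def verify_chain(chain: list, key: bytes) -> tuple:
    """Return (True, -1) if the chain is intact, else (False, index of first bad entry)."""
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        # Sequence gap or broken link: a record was removed, inserted or reordered.
        if entry["seq"] != i or entry["prev_hash"] != prev_hash:
            return False, i
        body = {k: v for k, v in entry.items() if k != "hash"}
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        # Content changed without the key: the stored HMAC no longer matches.
        if not hmac.compare_digest(expected, entry["hash"]):
            return False, i
        prev_hash = entry["hash"]
    return True, -1


def build_sample_chain(key: bytes = KEY) -> list:
    chain = []
    for ev in SAMPLE_EVENTS:
        append_entry(chain, ev, key)
    return chain


def demo_tampering(key: bytes = KEY) -> dict:
    """Verify an intact chain, then one with an edited record and one with a deleted record."""
    intact = build_sample_chain(key)
    edited = copy.deepcopy(intact)
    edited[1]["event"]["patient_ref"] = "p-0001"  # rewrite which patient was viewed
    deleted = copy.deepcopy(intact)
    del deleted[1]  # drop the access record entirely
    return {
        "intact": verify_chain(intact, key),
        "edited": verify_chain(edited, key),
        "deleted": verify_chain(deleted, key),
    }


if __name__ == "__main__":
    for name, result in demo_tampering().items():
        print(f"{name}: {result}")
```

The chain only proves integrity relative to whoever holds the key: an attacker with both write access and the key can recompute every HMAC. That is why the key is shown as living outside the writer (KMS/HSM) and why deployments usually also anchor the latest hash somewhere the writer cannot alter, such as a write-once bucket or a customer-visible digest in a monthly report.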
Vulnerability management
Continuous SAST and dependency scanning in CI. Quarterly external penetration testing by NCC Group. Public vulnerability disclosure program published via security.txt (RFC 9116). Remediation SLAs by severity.
Incident response
24x7 on-call security engineer. Incident-response runbook tested quarterly. Customer notification within 24 hours of a confirmed PHI/PI incident (72 hours under HIPAA, and faster where provincial law requires it).
Secure development
Mandatory secure-coding training. Threat-modeling at design. Required code review with security checklist for sensitive modules. Pre-commit secret scanning. Reproducible builds.
Vendor management
Tiered vendor risk assessments. Annual reviews of critical sub-processors. BAA / DPA executed with every vendor that processes customer data. Public sub-processor list with 30-day notice for changes.
Privacy by design
Data-minimisation defaults. PHI fields tagged at the schema level and routed only through approved code paths. Privacy review for every new feature touching personal data. De-identification before any analytics.
Continuous monitoring
EDR on every workstation. SIEM aggregating cloud, app, and endpoint logs. Behavioural anomaly detection on production access. Alert routing to on-call within seconds.
Found something? Tell us.
We welcome reports from security researchers and offer a public coordinated disclosure program.
If you believe you've discovered a vulnerability in MedMe's services, please email security@medmehealth.com with details and proof-of-concept where possible. We commit to:
- Acknowledging your report within 1 business day;
- Investigating and providing a status update within 5 business days;
- Crediting you publicly (with permission) once the issue is resolved;
- Not pursuing legal action against good-faith researchers operating within our published scope.
Full scope, rules of engagement, and Hall of Fame are available at medmehealth.com/.well-known/security.txt.
Need our security package for your evaluation?
SOC 2 report, HITRUST certificate, penetration-test summary, sub-processor list, BAA template, and policy documents available under NDA within 1 business day.