# Security & Compliance
How the RestartiX platform protects patient data, meets regulatory requirements, and maintains trust.
The platform handles sensitive health information for every patient and clinic on the system. Security and compliance are not add-ons — they are built into the architecture from day one.
## At a Glance
| Area | What We Do | Learn More |
|---|---|---|
| Data Isolation | Each clinic's data is separated at the database level, so a bug in application code cannot expose one clinic's records to another | How clinic data stays separate |
| Encryption | Data encrypted in transit and at rest, with application-level encryption for the most sensitive fields | What's encrypted and how |
| Audit Trail | Every data mutation is logged — who did what, when, from where — immutable and retained for 6 years | What's logged and for how long |
| GDPR | Full compliance with European data protection law — consent management, data portability, right to erasure | EU data protection |
| HIPAA | Ready for US healthcare market — PHI protection, audit controls, breach notification | US healthcare compliance |
| Patient Rights | Patients control their data — access, correct, delete, export, and withdraw consent at any time | What patients can do |
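The audit-trail row above promises an immutable record of who changed what, when and from where. As an added illustration (example code, not RestartiX's own implementation; the record fields and the hash-chain design are assumptions), the following Python shows one standard way to make such a log tamper-evident: each entry commits to the hash of the previous one, so a later edit to a stored record, or removal of a record, is detected when the chain is verified.

```python
"""Tamper-evident audit trail (added illustration, not the platform's code).

Each record carries the hash of the previous record, so rewriting or
deleting history in storage breaks the chain at the first affected index.
The record fields mirror the "who / what / when / from where" promise of the
audit-trail row; their names are assumptions for this example.
"""
import hashlib
import json
from dataclasses import asdict, dataclass
from typing import List, Optional

GENESIS = "0" * 64  # anchor for the first record (assumed convention)


@dataclass(frozen=True)
class AuditRecord:
    actor: str        # who (user id)
    action: str       # what (e.g. "UPDATE")
    resource: str     # which row/object was mutated
    timestamp: str    # when (ISO 8601, UTC)
    source_ip: str    # from where
    prev_hash: str    # hash of the previous record (links the chain)
    record_hash: str  # hash over this record's fields plus prev_hash


def _digest(actor, action, resource, timestamp, source_ip, prev_hash) -> str:
    # Canonical JSON (sorted keys, fixed separators) so the hash does not
    # depend on how a record was serialised or stored.
    payload = json.dumps(
        {"actor": actor, "action": action, "resource": resource,
         "timestamp": timestamp, "source_ip": source_ip, "prev_hash": prev_hash},
        sort_keys=True, separators=(",", ":"),
    ).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


class AuditTrail:
    """Append-only list of hash-chained records."""

    def __init__(self) -> None:
        self._records: List[AuditRecord] = []

    def append(self, actor, action, resource, timestamp, source_ip) -> AuditRecord:
        prev = self._records[-1].record_hash if self._records else GENESIS
        rec = AuditRecord(actor, action, resource, timestamp, source_ip, prev,
                          _digest(actor, action, resource, timestamp, source_ip, prev))
        self._records.append(rec)
        return rec

    def records(self) -> List[dict]:
        # Plain dicts, as they would come back from a database or log store.
        return [asdict(r) for r in self._records]


def verify_chain(records: List[dict]) -> Optional[int]:
    """Return None if the chain is intact, otherwise the index of the first
    record whose contents or linkage no longer match."""
    expected_prev = GENESIS
    for i, r in enumerate(records):
        if r["prev_hash"] != expected_prev:
            return i  # a record was removed or its predecessor rewritten
        recomputed = _digest(r["actor"], r["action"], r["resource"],
                             r["timestamp"], r["source_ip"], r["prev_hash"])
        if recomputed != r["record_hash"]:
            return i  # the record's own fields were altered
        expected_prev = r["record_hash"]
    return None


def demo() -> tuple:
    """Constructed sample: three mutations, then an after-the-fact edit."""
    trail = AuditTrail()
    trail.append("clinician:42", "UPDATE", "treatment_plan:7", "2024-03-01T09:15:00Z", "10.0.0.5")
    trail.append("clinician:42", "CREATE", "exercise_rx:19", "2024-03-01T09:16:30Z", "10.0.0.5")
    trail.append("admin:3", "DELETE", "exercise_rx:19", "2024-03-02T14:02:11Z", "10.0.0.9")
    intact = verify_chain(trail.records())
    tampered = trail.records()
    tampered[1]["actor"] = "admin:3"  # stored history rewritten to shift blame
    return intact, verify_chain(tampered)


if __name__ == "__main__":
    print(demo())  # (None, 1)
```

A hash chain makes tampering detectable, not impossible; in practice the chain head is also anchored somewhere the writer cannot modify (a separate log store, periodic signed checkpoints) so that a complete rewrite of the stored log is caught as well.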
## Medical Device Regulation
The platform's clinical features — exercise prescription, treatment plans, and camera-based clinical measurement tools (virtual goniometer, posture analysis) — qualify it as a Software as a Medical Device (SaMD) under EU MDR.
The measurement tools are expected to classify as Class IIa (moderate risk), because they provide clinical data that specialists use to make treatment decisions — replacing physical instruments like goniometers. This is separate from data protection (GDPR/HIPAA) but equally important for operating legally in the EU healthcare market.
| Regulatory area | What it covers | Learn more |
|---|---|---|
| Data protection (GDPR, HIPAA) | How patient data is collected, stored, shared, and protected | This section |
| Medical device (EU MDR, IEC 62304) | How clinical software is developed, tested, validated, and maintained | Medical Device Classification |
Both are required. GDPR compliance does not satisfy medical device requirements, and vice versa.
## Our Roles
| Role | Who | Responsibility |
|---|---|---|
| Data Processor | RestartiX (the platform) | Provides infrastructure, processes data on behalf of clinics. Does not decide what data is collected. |
| Data Controller | Each clinic | Decides which services to offer, what forms to collect, how patient data is used. |
| Data Subject | The patient | Owns their data. Controls which clinics can access their profile. |
RestartiX signs a Data Processing Agreement (DPA) with every clinic. Each clinic is independently responsible for its own privacy policy and patient consent.
## Compliance Status
The full compliance checklist covers every legal document and requirement for launch — organized by party (platform, clinic, patient) and phase (day-one EU launch vs. future US expansion).
View the full Compliance Checklist →
See Medical Device Classification for the regulatory assessment of the platform's clinical features.
## For developers
Technical implementation details — RLS policies, encryption algorithms, audit middleware, RBAC configuration — are available in the Technical Reference section of the Development Documentation.