Security & Compliance

Every product we build handles, or sits next to, sensitive health data. We treat security and compliance as first-class engineering concerns, not paperwork bolted on before launch. This page summarises how we approach them. Specific controls are tailored to each engagement and the regulatory environment it operates in.

Regulatory frameworks we build to

• ▹HIPAA — for US-market products, with Business Associate Agreements in place before any PHI is processed
• ▹UK GDPR & the Data Protection Act 2018 — for UK products and NHS-connected providers
• ▹EU GDPR — for EU-market products
• ▹NHS Data Security and Protection Toolkit — for NHS-connected systems
• ▹DCB0129 / DCB0160 clinical safety standards — for software used in NHS care
• ▹HL7 FHIR R4 — for secure, standards-based EHR/EMR integration

Technical controls

Our default engineering posture for healthcare workloads includes:

• ▹Encryption of data in transit and at rest
• ▹Least-privilege access control with strong authentication
• ▹Comprehensive audit logging of access to sensitive data
• ▹Network isolation and hardened, regularly patched infrastructure
• ▹Documented risk assessments, incident response, and disaster recovery
• ▹Careful governance of any data flowing to or from AI models, including retention and training controls

Data ownership

You retain full ownership of your source code, data, and intellectual property. There is no vendor lock-in: you can host, extend, audit, or migrate everything we build with any team you choose.

Reporting a concern

If you believe you've found a security vulnerability in something we've built or operate, please contact us at diyanshu@speedailabs.com so we can investigate and respond promptly. We appreciate responsible disclosure.