Skip to content
plusmedical logo for light backgrounds
RO

Security & GDPR

Built for medical data, from the first line of code.

No vague promises: below is exactly what the platform does with your clinic’s and your patients’ data.

Encryption in transit and at rest 01 · encryption
TLS everywhere, encrypted storage — and sensitive medical data is additionally encrypted field by field with AES-256, using separate keys per clinic managed in AWS KMS.
Pseudonymized national ID 02 · id
The national ID (CNP) is never stored in clear text. The patient’s identity is linked through a derived, irreversible identifier.
Permanent audit log 03 · audit
Who opened which chart, when, from where and why — including emergency (“break-the-glass”) access, which requires justification and is flagged distinctly. The log cannot be modified or deleted, by anyone.
Strict isolation between clinics 04 · isolation
Each clinic sees only its own data — enforced at the database level itself (Row-Level Security), not just in the application, and verified with automated tests on every release.
EU-only data 05 · eu
All infrastructure runs in AWS eu-central-1 (Frankfurt). No copy, no backup outside the European Union.
Daily encrypted backups 06 · backup
Automatic, encrypted backups with controlled retention — restores are tested, not assumed.
Patient rights, implemented 07 · rights
Access, portability, restriction and objection — requests handled in a dedicated registry (art. 15–21). Anonymization instead of deletion where the law requires keeping medical records for 10 years.
DPA signed digitally at onboarding 08 · dpa
The data processing agreement (controller – processor) is signed digitally when the organization is created and is available in the app at any time.
Incidents reported within 72h 09 · incidents
An internal incident registry and a procedure for notifying the Romanian DPA (ANSPDCP) within 72 hours, per art. 33 GDPR.
Device and session control 10 · access
Two-factor authentication (TOTP), connected-device management, automatic sign-out on inactivity and, optionally, restricting access to your clinic’s IP addresses.

For your data protection officer

The records of processing, the sub-processor list (all in the EU), the versioned privacy policy and the DPA are available in the app — and on request, before onboarding, at contact@plusmedical.ro.

Security or compliance questions?

Write to us — we answer with concrete technical details, not brochures.

contact@plusmedical.ro