Communications Security
Transport encryption
The SofIA platform requires mandatory use of secure protocols for all communications:
- HTTPS (TLS 1.3): All baseUrl properties must use the https:// protocol
- WebSocket Secure (WSS): Real-time connections via wssUrl require wss:// protocol
- Mixed content prevention: The system automatically blocks insecure connections (http:// or ws://) in production environments
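A pre-deployment check for the scheme rules above, written as an added example and not taken from the SofIA SDK. The function name, the result shape and the choice to downgrade http:// and ws:// to warnings outside production are assumptions; only the baseUrl and wssUrl property names and the required schemes come from this page.

```javascript
// Added example (not SofIA code). Parses each endpoint with the WHATWG URL
// parser so that scheme case and stray whitespace are normalised before the
// comparison, instead of relying on a string-prefix test.
const REQUIRED_SCHEME = { baseUrl: 'https:', wssUrl: 'wss:' };
const INSECURE_SCHEME = new Set(['http:', 'ws:']);

// Hypothetical helper: returns { ok, findings } for a configuration object.
function checkTransport(config, { production = true } = {}) {
  const findings = [];
  for (const [prop, required] of Object.entries(REQUIRED_SCHEME)) {
    const value = config[prop];
    if (typeof value !== 'string' || value.trim() === '') {
      findings.push({ prop, level: 'error', reason: 'missing' });
      continue;
    }
    let url;
    try {
      url = new URL(value);
    } catch {
      findings.push({ prop, level: 'error', reason: 'unparseable' });
      continue;
    }
    if (url.protocol === required) continue;
    const insecure = INSECURE_SCHEME.has(url.protocol);
    findings.push({
      prop,
      // Assumption: plaintext endpoints are only tolerated (as warnings)
      // outside production; any other scheme mismatch is always an error.
      level: insecure && !production ? 'warning' : 'error',
      reason: insecure ? 'insecure-scheme' : 'wrong-scheme',
      found: url.protocol,
    });
  }
  return { ok: findings.every((f) => f.level !== 'error'), findings };
}

// Constructed sample configuration; hostnames are placeholders.
const sample = { baseUrl: 'HTTP://api.example.test/v1', wssUrl: 'wss://rt.example.test/socket' };
console.log(JSON.stringify(checkTransport(sample), null, 2));
```

Running the check in the deployment pipeline rejects a plaintext endpoint before it reaches a production build, rather than relying only on the runtime block.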
Authentication and authorization
- API Keys: Authentication system based on API keys with periodic rotation
- Access control: User and session-level permission validation
- Access traceability: Complete logging of all operations performed
Clinical Data Privacy
Data minimization
The platform implements data minimization principles to reduce exposure of sensitive information:
- Patient data: The patientData property should contain only information strictly necessary for the clinical context
- Anonymization: Removal of non-essential personal identifiers for processing
- Limited retention: Data is maintained only for the time necessary to complete operations
Personal information protection
- Encryption at rest: All clinical information is stored using robust encryption algorithms
- Data segregation: Physical and logical separation between different clinical contexts
- Granular access controls: Specific permissions based on roles and responsibilities
Regulatory Compliance
CE Mark Class I
SofIA has CE Marking as a Class I medical device, ensuring compliance with essential safety and performance requirements established in Regulation (EU) 2017/745 on medical devices.
ENS High Level
The platform complies with the National Security Scheme (ENS) at high level, in accordance with Royal Decree 311/2022, ensuring adequate protection of information and services of Spanish Public Administrations.
GDPR (General Data Protection Regulation)
- Explicit consent: Mechanisms to obtain and manage patient consent
- Right to be forgotten: Capability for complete data deletion upon request from the data subject
- Data portability: Data export in standard and interoperable formats
- Data residency: Options to maintain data within the European Union
HIPAA (Health Insurance Portability and Accountability Act)
- BAA (Business Associate Agreement): Agreements available for covered entities in the United States
- Administrative controls: Policies and procedures for PHI management
- Technical safeguards: Security measures for data access and transmission
Audit and Monitoring
Complete traceability
The system comprehensively logs all operations to facilitate audits and compliance:
- Session identifiers: Recording of userId and patientId for each operation
- Timestamps: Precise timestamp of all transactions
- Schema versioning: Version control of toolsArgs used in each report
- Report persistence: Complete traceability from generation to storage
Quality monitoring
- Schema validation: Automatic verification of toolsArgs through linting in the deployment process
- Performance metrics: Continuous monitoring of WebSocket latencies and error rates
- Accuracy auditing: Optional accuracy evaluation and hallucination detection processes available upon request
Quality controls
- Medical review: Integration with validation workflows by healthcare professionals
- Automatic alerts: Notifications upon anomalies or irregular behavior patterns
- Compliance reports: Automated generation of reports for regulatory audits