Security is foundational
Healthcare data demands the highest standards of security. We build security into every layer of our platform, from infrastructure to application code.
Security Practices
Encryption
All data is encrypted in transit using TLS 1.3 and at rest using AES-256. API keys are hashed and never stored in plain text.
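To make the API-key claim concrete, here is an added example (not MedRef's code; the key format `mr_<id>_<secret>`, the in-memory store and the function names are assumptions for illustration) of issuing keys and verifying them while holding only a hash of the secret part, so a leaked database does not yield usable credentials:

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a credentials table: key_id -> SHA-256 digest of the secret.
# The plaintext secret is returned to the caller once and never written here.
_STORE: dict[str, bytes] = {}


def issue_api_key() -> str:
    """Mint a key of the assumed form mr_<key_id>_<secret> and store only hash(secret)."""
    key_id = secrets.token_hex(8)          # public lookup handle, hex so it contains no '_'
    secret = secrets.token_urlsafe(32)     # 256 bits of entropy; may itself contain '_'
    _STORE[key_id] = hashlib.sha256(secret.encode()).digest()
    return f"mr_{key_id}_{secret}"


def verify_api_key(presented: str) -> bool:
    """Return True only if the presented key's secret hashes to the stored digest."""
    parts = presented.split("_", 2)        # maxsplit keeps any '_' inside the secret intact
    if len(parts) != 3 or parts[0] != "mr":
        return False
    _, key_id, secret = parts
    stored = _STORE.get(key_id)
    if stored is None:
        return False
    # Constant-time comparison avoids leaking how many digest bytes matched.
    return hmac.compare_digest(stored, hashlib.sha256(secret.encode()).digest())


def revoke_api_key(key_id: str) -> bool:
    """Drop the digest; the key stops verifying immediately. Returns whether it existed."""
    return _STORE.pop(key_id, None) is not None
```

A plain SHA-256 is adequate here because the secret is 256 bits of random data, which cannot be brute-forced from its hash; for user-chosen passwords a slow KDF such as Argon2 or scrypt would be required instead. Storing a separate public `key_id` lets the server find the record without hashing every stored key.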
Infrastructure
Hosted on SOC 2 Type II certified infrastructure with automatic failover, DDoS protection, and isolated network segments.
Access Control
Role-based access control, MFA for all employees, and audit logging for all administrative actions.
Code Security
Automated security scanning in CI/CD, dependency vulnerability monitoring, and regular third-party penetration testing.
Incident Response
24/7 monitoring with automated alerting. Documented incident response procedures with defined SLAs.
Compliance
SOC 2 Type II certified. HIPAA compliant with BAA available for enterprise customers.
Compliance & Certifications
SOC 2 Type II
Status: Certified. Independently audited security controls.
HIPAA
Status: Compliant. Healthcare data privacy compliance.
HITRUST CSF
Status: In Progress. Healthcare security framework.
Data Handling
Reference Data Only: MedRef provides access to public healthcare reference data (codes, descriptions, fee schedules). We do not process or store Protected Health Information (PHI) or patient data.
API Logging: We log API requests for debugging and analytics purposes. Logs are retained for 90 days and do not include request/response bodies.
Data Residency: All data is processed and stored in the United States. Enterprise customers can request dedicated infrastructure.
Security Inquiry?
For security questionnaires, penetration test reports, or compliance documentation, contact our security team.
Responsible Disclosure
If you discover a security vulnerability, please report it to security@medref.io. We take all reports seriously and will respond within 24 hours. We do not pursue legal action against researchers who follow responsible disclosure practices.