    © 2026 Elderwise. All rights reserved.

    Legal, Risk & Compliance

    Information on our compliance standards, certifications, controls and data protection practices

    Certification Overview

    Elderwise is committed to achieving and maintaining compliance with key industry certifications. Our strategic roadmap outlines our journey toward full certification, with timelines tailored to the complexity and requirements of each standard.

    Certification Strategy & Timeline

    Compliance Roadmap

    Elderwise follows a structured approach to meeting healthcare compliance standards. Target completion dates are subject to change.

    Certification Process

    Documentation Phase

    Creation of policies, procedures, and controls documentation

    Gap Analysis

    Assessment of current practices against certification requirements

    Implementation

    Deploying necessary controls and remediation activities

    Internal Audit

    Verification of control effectiveness before external assessment

    External Assessment

    Official certification audit by accredited third parties

    Certification

    Receipt of formal certification and continuous monitoring

    Current Implementation Status

    While formal certifications are in progress, Elderwise has already implemented key security and privacy controls aligned with healthcare standards. Our approach follows industry-standard continuous compliance methodology, emphasizing automated evidence collection, regular assessments, and security by design.

    Pre-certification Assurances

    We provide interim compliance documentation to customers, including security questionnaire responses, SOC 2 readiness assessments, and draft BAAs/DPAs while formal certification is underway.

    Continuous Compliance Monitoring

    Following compliance best practices, Elderwise employs continuous monitoring tools to automatically detect and remediate compliance drift, ensuring our systems maintain compliance between formal assessment periods.

    Healthcare Standards & Elderwise Compliance

    Last updated: 2026-04-13
    HIPAA
    Target: Operational

    Health Insurance Portability and Accountability Act (HIPAA)

    U.S. healthcare privacy and security law governing PHI.

    Healthcare Relevance:

    U.S. healthcare privacy and security requirements governing PHI handling by covered entities and business associates.

    Key requirements:

    • Business Associate Agreements (BAA)
    • Role-based access and MFA
    • Audit logging and monitoring
    • Minimum necessary access
    • Encryption in transit and at rest
    • Breach notification procedures
    • Periodic risk assessments and workforce training

    How Elderwise complies:

    BAAs in place with subcontractors, RBAC/MFA/SSO enforced, centralized audit logs, least privilege by default, AES-256/TLS 1.3 encryption, incident response procedures and recurring HIPAA training.

    GDPR
    Target: Operational

    EU General Data Protection Regulation (GDPR)

    European data protection regulation covering lawful processing and the rights of individuals.

    Healthcare Relevance:

    EU/EEA framework for data protection, lawful processing and data subject rights.

    Key requirements:

    • Lawful basis and consent management
    • Data subject rights (access, erasure, portability)
    • Data processing agreements
    • Data protection by design and by default
    • Records of processing activities
    • International transfer safeguards

    How Elderwise complies:

    Consent capture and audit trails, DPA addenda with vendors, privacy by design reviews, DSR workflows, and transfer impact assessments where applicable.

    PDPA
    Target: Operational

    Personal Data Protection Act (PDPA, Singapore)

    Singapore data protection law emphasizing consent and purpose limitation.

    Healthcare Relevance:

    Singapore's data protection obligations for consent, purpose limitation, notification and access/correction.

    Key requirements:

    • Consent and notification
    • Purpose limitation
    • Access and correction rights
    • Protection and retention limits
    • Data breach notification

    How Elderwise complies:

    Localized consent statements, retention schedules, access/correction channels and breach notification procedures aligned with PDPC guidelines.

    ISO27001
    Target: Q2 2026

    ISO/IEC 27001 Information Security Management System

    International ISMS standard for managing information security risks.

    Healthcare Relevance:

    International standard for establishing, implementing, maintaining and continually improving an ISMS.

    Key requirements:

    • Risk management program
    • ISMS governance and documentation
    • Security controls per Annex A
    • Continuous improvement cycle

    How Elderwise complies:

    Formal ISMS scope definition, risk register, policies and control mapping, internal audits, and readiness for certification.

    SOC2
    Target: Q2 2026

    SOC 2 Type II (Security, Availability, Confidentiality)

    Attestation of the operating effectiveness of security controls over a period of time (Type II).

    Healthcare Relevance:

    Attestation of control effectiveness over a review period against the AICPA Trust Services Criteria.

    Key requirements:

    • Documented policies and procedures
    • Security monitoring and alerting
    • Change and incident management
    • Vendor risk management

    How Elderwise complies:

    Control mapping to the TSC, evidence collection automation, continuous monitoring, quarterly control testing, and external audit readiness.

    HITRUST
    Target: 2026

    HITRUST CSF

    Healthcare-centric certifiable security framework harmonizing multiple standards.

    Healthcare Relevance:

    Healthcare-focused certifiable framework harmonizing HIPAA, ISO, NIST, and other requirements.

    Key requirements:

    • Risk-based control selection
    • Policy/procedure implementation
    • Validation and scoring
    • External assessment

    How Elderwise complies:

    Scope definition for PHI systems, control inheritance where applicable, and staged readiness toward a validated assessment.

    HITECH
    Target: Q1 2026

    HITECH Act (Breach Notification)

    U.S. enhancements to HIPAA breach notification and enforcement.

    Healthcare Relevance:

    U.S. enhancements to HIPAA breach notification and enforcement.

    Key requirements:

    • Breach risk assessment
    • Timely notifications
    • Media and HHS reporting thresholds

    How Elderwise complies:

    Incident response procedures, evidence preservation, and decision trees for materiality and reporting deadlines.

    FHIR
    Target: Operational

    HL7 FHIR (Interoperability)

    Modern interoperability standard for structured clinical data exchange.

    Healthcare Relevance:

    Modern healthcare interoperability standard for structured clinical data exchange.

    Key requirements:

    • FHIR resources and profiles
    • RESTful APIs and conformance
    • Security and authorization (SMART on FHIR)

    How Elderwise complies:

    FHIR-first data modeling for core entities, versioned profiles, and OAuth2/OpenID Connect for secure access.

    HL7
    Target: Operational

    HL7 v2/v3 Messaging

    Healthcare messaging standards used by EHRs and labs.

    Healthcare Relevance:

    Legacy and current healthcare messaging standards widely used by EHRs and labs.

    Key requirements:

    • Message formats and segments
    • Ack/error handling
    • Transports and security

    How Elderwise complies:

    Adapters for HL7 v2.x integration where needed, normalization to internal schemas, and secure transport.

    ISO42001
    Target: 2026

    ISO/IEC 42001 AI Management System

    AI management system standard for responsible AI governance.

    Healthcare Relevance:

    Framework for responsible governance of AI systems across their full lifecycle.

    Key requirements:

    • AI risk management and controls
    • Data governance and transparency
    • Monitoring and continuous improvement

    How Elderwise complies:

    Map existing controls to AI risks, define KPIs and documentation for transparency, and institute model governance workflows.

    Data Protection & Compliance

    Elderwise maintains data protection controls designed for healthcare regulatory compliance, with an ongoing certification program. Target dates are subject to change.

    Legal Documents & Compliance Materials

    • Request Business Associate Agreement (BAA)
    • Request Data Processing Agreement (DPA)
    • Request Security & Privacy Documentation
    • Request Compliance Attestation
    • Request Penetration Test Executive Summary

    Data Protection & Security Contacts

    Data Protection Officer: dpo@elderwise.ai

    EU Representative (Art. 27 GDPR): eu-rep@elderwise.ai

    APAC Representative: apac-rep@elderwise.ai

    Security Team: security@elderwise.ai

    Vulnerability Reporting: security-alerts@elderwise.ai

    Certification Roadmap

    Elderwise is pursuing industry certifications on a phased timeline. Target dates are subject to change.

    • FHIR & HL7 interoperability: validation in progress
    • GDPR compliance: assessment underway
    • ISO 27001: audit in progress (target 2026)
    • ISO 42001 (AI Management System): planned
    • HIPAA & HITECH: designed for compliance — formal certification in progress (target Q2 2026)
    • SOC 2 Type II & HITRUST CSF: planned

    Healthcare-Specific Security Features

    • for all sensitive health information
    • for healthcare provider access
    • aligned with clinical workflows
    • for all actions on protected health information
    • Secure API design for healthcare system integrations
    • Context-aware access controls for different care settings
    • Session timeout controls for clinical environments
    • Secure offline caching for emergency care scenarios

    Healthcare Infrastructure Security

    • Hosting in data centers with industry-standard security controls
    • Region-specific data residency options for regulatory compliance
    • Regular vulnerability scanning and penetration testing
    • Disaster recovery with high-availability architecture
    • Infrastructure as Code (IaC) for secure, consistent deployments
    • Network segmentation for data isolation
    • Infrastructure monitoring with automated alerting
    • Continuous security control validation using automated tools

    Continuous Compliance Program

    • Automated compliance monitoring tools
    • Regular internal audits specific to healthcare requirements
    • Vendor security assessment program for all third parties
    • Compliance training for all staff, with healthcare-specific modules
    • Quarterly security steering committee with clinical stakeholders
    • Real-time compliance monitoring dashboard for leadership visibility
    • Automated evidence collection to streamline certification maintenance

    Healthcare Data Governance Framework

    Data Collection in Healthcare Context

    • Explicit consent mechanisms for patient data with healthcare-specific language
    • Transparent data collection purposes aligned with clinical needs
    • Minimized data collection following principles of medical necessity
    • Special handling procedures for sensitive medical categories
    • Patient-centric approach to data ownership and control

    Healthcare Data Retention

    • Retention policies aligned with medical record requirements by jurisdiction
    • Secure, compliant data archiving for long-term medical records
    • Automated data deletion when retention periods expire
    • Special provisions for pediatric and geriatric record retention
    • Data lifecycle management specific to clinical documentation standards

    Clinical Data Processing

    • Processing limited to intended healthcare purposes
    • Secure analytics for population health insights
    • De-identified data use for research and development
    • Quality checks on AI-generated summaries before they reach clinicians
    • Secure federated learning techniques for model improvements

    Patient Data Rights

    • Patient access to personal health information
    • Correction mechanisms for inaccurate health data
    • Data portability between healthcare providers
    • Special handling for vulnerable populations and proxy access
    • Transparent record of all third-party data sharing

    Elderwise Healthcare Compliance Commitment:

    Our compliance strategy follows industry-standard "security by design" principles, embedding healthcare compliance requirements into our development process from inception to deployment. We recognize that healthcare data security directly impacts patient outcomes and provider efficiency, so our approach integrates technical safeguards with clinical workflow considerations to create a secure environment that enhances rather than impedes care delivery. Our compliance program emphasizes both regulatory adherence and the ethical responsibility we have to protect sensitive health information.