Legal, Risque & Compliance

Informations sur nos normes de conformité, certifications, contrôles et pratiques de protection des données

Certification Overview

Elderwise is committed to achieving and maintaining compliance with key industry certifications. Our strategic roadmap outlines our journey toward full certification, with timelines tailored to the complexity and requirements of each standard.

Certification Strategy & Timeline

Compliance Roadmap

Elderwise follows a structured approach to compliance certifications with timelines tailored to each standard's complexity. We prioritize certifications based on market requirements and technical complexity, with our most comprehensive certifications (HITRUST) targeted for Q3 2026, while more focused certifications like ISO 27001 are targeted for completion by Q1 2026.

Certification Process

Documentation Phase

Creation of policies, procedures, and controls documentation

Gap Analysis

Assessment of current practices against certification requirements

Implementation

Deploying necessary controls and remediation activities

Internal Audit

Verification of control effectiveness before external assessment

External Assessment

Official certification audit by accredited third parties

Certification

Receipt of formal certification and continuous monitoring

Current Implementation Status

While formal certifications are in progress, Elderwise has already implemented key security and privacy controls aligned with healthcare standards. Our approach follows industry-standard continuous compliance methodology, emphasizing automated evidence collection, regular assessments, and security by design.

Pre-certification Assurances

We provide interim compliance documentation to customers, including security questionnaire responses, SOC 2 readiness assessments, and draft BAAs/DPAs while formal certification is underway.

Continuous Compliance Monitoring

Following compliance best practices, Elderwise employs continuous monitoring tools to automatically detect and remediate compliance drift, ensuring our systems maintain compliance between formal assessment periods.

Santé Standards & Elderwise Compliance

Last Mis à jour: 2025-09-27

HIPAA

Objectif: Opérationnel

Santé Insurance Portability and Accountability Act (HIPAA)

U.S. santé privacy and security law governing PHI.

Santé Relevance:

U.S. santé privacy and security requirements governing PHI handling by covered entities and business associates.

Exigences clés:

Business Associate Agreements (BAAs)
Role-based access and MFA
Audit logging and surveillance
Minimum necessary access
Encryption in transit and at repos
Breach notification procedures
Periodic risque évaluations and workforce training

Comment Elderwise se conforme:

BAA en place avec les sous-traitants, RBAC/MFA/SSO appliqués, journaux d'audit centralisés, privilèges minimaux par défaut, chiffrement AES-256/TLS 1.3, procédures de réponse aux incidents et formations HIPAA récurrentes.

GDPR

Objectif: Opérationnel

Règlement général sur la protection des données de l'UE (RGPD)

Réglementation européenne de protection des données couvrant le traitement licite et les droits des personnes.

Santé Relevance:

Cadre de l'UE/EEE pour la protection des données, le traitement licite et les droits des personnes concernées.

Exigences clés:

Lawful basis and consent management
Data subject rights (access, erasure, portability)
Data Processing Agreements
Data Protection by Design and Default
Records of processing activities
International transfer safeguards

Comment Elderwise se conforme:

Consent capture and audit trails, DPA addenda with vendors, privacy by design reviews, DSR workflows, and transfer impact évaluations where applicable.

PDPA

Objectif: Opérationnel

Loi sur la protection des données personnelles (PDPA, Singapour)

Loi singapourienne de protection des données mettant l'accent sur le consentement et la limitation des finalités.

Santé Relevance:

Obligations de protection des données de Singapour pour le consentement, la limitation des finalités, la notification et l'accès/correction.

Exigences clés:

Consent and notification
Purpose limitation
Access and correction rights
Protection and retention limits
Data breach notification

Comment Elderwise se conforme:

Déclarations de consentement localisées, calendriers de conservation, canaux d'accès/correction et procédures de notification de violation alignées sur les directives du PDPC.

ISO27001

Objectif: Q2 2026

ISO/IEC 27001 Système de management de la sécurité de l'information

International ISMS standard for managing information security risques.

Santé Relevance:

Norme internationale pour l'établissement, la mise en œuvre, la maintenance et l'amélioration continue d'un SMSI.

Exigences clés:

Risque management program
ISMS governance and documentation
Security controls per Annex A
Continuous improvement cycle

Comment Elderwise se conforme:

Formal ISMS scope definition, risque register, policies and control mapping, internal audits, and readiness for certification.

SOC2

Objectif: Q2 2026

SOC 2 Type II (Sécurité, Disponibilité, Confidentialité)

Attestation de l'efficacité des contrôles de sécurité sur une période (Type II).

Santé Relevance:

Attestation de l'efficacité des contrôles sur une période d'examen selon les critères de services de confiance de l'AICPA.

Exigences clés:

Documented policies and procedures
Security surveillance and alerting
Change and incident management
Vendor risque management

Comment Elderwise se conforme:

Control mapping to TSC, evidence collection automation, continuous surveillance, quarterly control testing, and external audit readiness.

HITRUST

Objectif: 2026

HITRUST CSF

Santé-centric certifiable security framework harmonizing multiple standards.

Santé Relevance:

Santé-focused certifiable framework harmonizing HIPAA, ISO, NIST, and other requirements.

Exigences clés:

Risque-based control selection
Policy/procedure implementation
Validation and scoring
External évaluation

Comment Elderwise se conforme:

Scope definition for PHI systems, control inheritance where applicable, and staged readiness toward validated évaluation.

HSA

Objectif: Q2 2026

Singapore HSA Guidance (Médical Technologies)

Singapore HSA guidance for médical technologies and software.

Santé Relevance:

Regulatory guidance for médical device software and santé tech solutions in Singapore.

Exigences clés:

Risque classification and documentation
Quality management alignment
Clinique and cybersecurity considerations

Comment Elderwise se conforme:

Alignment with HSA advisories, documentation of intended use and risque controls; leverage ISO 14971/IEC 62304 where applicable.

HITECH

Objectif: Q1 2026

Loi HITECH (Notification de violation)

Améliorations américaines de notification de violation et d'application de la loi HIPAA.

Santé Relevance:

Améliorations américaines de notification de violation et d'application de la loi HIPAA.

Exigences clés:

Breach risque évaluation
Timely notifications
Media and HHS reporting thresholds

Comment Elderwise se conforme:

Procédures de réponse aux incidents, préservation des preuves, arbres de décision pour la matérialité et les délais de signalement.

FHIR

Objectif: Opérationnel

HL7 FHIR (Interopérabilité)

Modern interoperability standard for structured clinique data exchange.

Santé Relevance:

Modern santé interoperability standard for structured clinique data exchange.

Exigences clés:

FHIR resources and profiles
RESTful APIs and conformance
Security and authorization (SMART on FHIR)

Comment Elderwise se conforme:

Modélisation de données FHIR-first pour les entités principales, profils versionnés, et OAuth2/OpenID Connect pour un accès sécurisé.

HL7

Objectif: Opérationnel

Messagerie HL7 v2/v3

Santé messaging standards used by EHRs and labs.

Santé Relevance:

Legacy and current santé messaging standards widely used by EHRs and labs.

Exigences clés:

Message formats and segments
Ack/error handling
Transport and security

Comment Elderwise se conforme:

Adaptateurs pour l'intégration HL7 v2.x si nécessaire, normalisation vers les schémas internes et transport sécurisé.

ISO13485

Objectif: 2026

ISO 13485 Médical Devices QMS

Quality management system standard for médical devices.

Santé Relevance:

Quality management standard for organizations involved in médical device lifecycle.

Exigences clés:

Documented QMS
Design and development controls
Risque management and traceability
Post-market surveillance

Comment Elderwise se conforme:

Adoption progressive du SMQ pour les modules logiciels applicables ; alignement sur les voies réglementaires si la classification de dispositif s'applique.

ISO42001

Objectif: 2026

ISO/IEC 42001 Système de management de l'IA

Norme de système de gestion de l'IA pour une gouvernance responsable de l'IA.

Santé Relevance:

Cadre pour la gouvernance responsable des systèmes d'IA tout au long de leur cycle de vie.

Exigences clés:

AI risque management and controls
Data governance and transparency
Surveillance and continuous improvement

Comment Elderwise se conforme:

Map existing controls to AI risques, define KPIs and documentation for transparency, and institute model governance workflows.

Data Protection & Compliance

Elderwise is committed to maintaining the highest standards of data protection and regulatory compliance in healthcare technology, with a progressive certification roadmap for completion between Q3 2025 and Q4 2026.

Legal Documents & Compliance Materials

Data Protection & Security Contacts

Data Protection Officer:dpo@elderwise.ai

EU Representative (Art. 27 GDPR):eu-rep@elderwise.ai

APAC Representative:apac-rep@elderwise.ai

Security Team:security@elderwise.ai

Vulnerability Reporting:security-alerts@elderwise.ai

Certification Roadmap

Elderwise's phased certification timeline:

Q3 2025: FHIR & HL7 interoperability certifications
Q4 2025: GDPR compliance validation
Q2 2026: ISO 27001 certification (audit in progress)
February 2026: ISO 42001 (AI Management System) certification
Q2 2026: HIPAA, HITECH & HSA certifications
Q3 2026: SOC 2 Type II & HITRUST CSF certifications
Q4 2026: ISO 13485 certification & continuous compliance monitoring

Healthcare-Specific Security Features

for all sensitive health information
for healthcare provider access
aligned with clinical workflows
for all actions on protected health information
Secure API design for healthcare system integrations
Context-aware access controls for different care settings
Session timeout controls for clinical environments
Secure offline caching for emergency care scenarios

Healthcare Infrastructure Security

Hosting in ISO 27001 certified data centers
Region-specific data residency options for regulatory compliance
Regular vulnerability scanning and penetration testing
Disaster recovery with 99.9% uptime commitment
Infrastructure as Code (IaC) for secure, consistent deployments
Network segmentation for clinical vs. administrative data
24/7 infrastructure monitoring with healthcare-specific alerts
Continuous security control validation using automated tools

Continuous Compliance Program

Automated compliance monitoring tools
Regular internal audits specific to healthcare requirements
Vendor security assessment program for all third parties
Compliance training for all staff, with healthcare-specific modules
Quarterly security steering committee with clinical stakeholders
Real-time compliance monitoring dashboard for leadership visibility
Automated evidence collection to streamline certification maintenance

Healthcare Data Governance Framework

Data Collection in Healthcare Context

Explicit consent mechanisms for patient data with healthcare-specific language
Transparent data collection purposes aligned with clinical needs
Minimized data collection following principles of medical necessity
Special handling procedures for sensitive medical categories
Patient-centric approach to data ownership and control

Healthcare Data Retention

Retention policies aligned with medical record requirements by jurisdiction
Secure, compliant data archiving for long-term medical records
Automated data deletion when retention periods expire
Special provisions for pediatric and geriatric record retention
Data lifecycle management specific to clinical documentation standards

Clinical Data Processing

Processing limited to intended healthcare purposes
Secure analytics for population health insights
De-identified data use for research and development
Validation processes for algorithm-assisted clinical reference tools
Secure federated learning techniques for model improvements

Patient Data Rights

Patient access to personal health information
Correction mechanisms for inaccurate health data
Data portability between healthcare providers
Special handling for vulnerable populations and proxy access
Transparent record of all third-party data sharing

Elderwise Healthcare Compliance Commitment:

Our compliance strategy follows Vanta's recommended "security by design" principles, embedding healthcare compliance requirements into our development process from inception to deployment. We recognize that healthcare data security directly impacts patient outcomes and provider efficiency, so our approach integrates technical safeguards with clinical workflow considerations to create a secure environment that enhances rather than impedes care delivery. Our compliance program emphasizes both regulatory adherence and the ethical responsibility we have to protect sensitive health information.

Certification Overview

Certification Strategy & Timeline

Compliance Roadmap

Certification Process

Documentation Phase

Creation of policies, procedures, and controls documentation

Gap Analysis

Assessment of current practices against certification requirements

Implementation

Deploying necessary controls and remediation activities

Internal Audit

Verification of control effectiveness before external assessment

External Assessment

Official certification audit by accredited third parties

Certification

Receipt of formal certification and continuous monitoring

Current Implementation Status

Pre-certification Assurances

We provide interim compliance documentation to customers, including security questionnaire responses, SOC 2 readiness assessments, and draft BAAs/DPAs while formal certification is underway.