Legal, Risque & Compliance

Information about our compliance standards, certifications, controls, and data protection practices

Certification Overview

Elderwise is committed to achieving and maintaining compliance with key industry certifications. Our strategic roadmap outlines our journey toward full certification, with timelines tailored to the complexity and requirements of each standard.

Certification Strategy & Timeline

Compliance Roadmap

Elderwise follows a structured approach to compliance certifications with timelines tailored to each standard's complexity. We prioritize certifications based on market requirements and technical complexity, with our most comprehensive certifications (HITRUST) targeted for Q3 2026, while more focused certifications like ISO 27001 are targeted for completion by Q1 2026.

Certification Process

Documentation Phase

Creation of policies, procedures, and controls documentation

Gap Analysis

Assessment of current practices against certification requirements

Implementation

Deploying necessary controls and remediation activities

Internal Audit

Verification of control effectiveness before external assessment

External Assessment

Official certification audit by accredited third parties

Certification

Receipt of formal certification and continuous monitoring

Current Implementation Status

While formal certifications are in progress, Elderwise has already implemented key security and privacy controls aligned with healthcare standards. Our approach follows industry-standard continuous compliance methodology, emphasizing automated evidence collection, regular assessments, and security by design.

Pre-certification Assurances

We provide interim compliance documentation to customers, including security questionnaire responses, SOC 2 readiness assessments, and draft BAAs/DPAs while formal certification is underway.

Continuous Compliance Monitoring

Following compliance best practices, Elderwise employs continuous monitoring tools to automatically detect and remediate compliance drift, ensuring our systems maintain compliance between formal assessment periods.

Santé Standards & Elderwise Compliance

Last Mis à jour: 2025-09-27

HIPAA

Target: Operational

Santé Insurance Portability and Accountability Act (HIPAA)

U.S. santé privacy and security law governing PHI.

Santé Relevance:

U.S. santé privacy and security requirements governing PHI handling by covered entities and business associates.

Key Requirements:

Business Associate Agreements (BAAs)
Role-based access and MFA
Audit logging and surveillance
Minimum necessary access
Encryption in transit and at repos
Breach notification procedures
Periodic risque évaluations and workforce training

How Elderwise Complies:

BAAs in place with processors, enforced RBAC/MFA/SSO, centralized audit logs, least-privilege defaults, AES-256/TLS 1.3 encryption, incident response runbooks, and recurring HIPAA training.

GDPR

Target: Operational

EU General Data Protection Regulation (GDPR)

EU data protection regulation covering lawful processing and rights.

Santé Relevance:

EU/EEA framework for data protection, lawful processing, and data subject rights.

Key Requirements:

Lawful basis and consent management
Data subject rights (access, erasure, portability)
Data Processing Agreements
Data Protection by Design and Default
Records of processing activities
International transfer safeguards

How Elderwise Complies:

Consent capture and audit trails, DPA addenda with vendors, privacy by design reviews, DSR workflows, and transfer impact évaluations where applicable.

PDPA

Target: Operational

Personal Data Protection Act (PDPA, Singapore)

Singapore data protection law emphasizing consent and purpose limitation.

Santé Relevance:

Singapore data protection obligations for consent, purpose limitation, notification, and access/correction.

Key Requirements:

Consent and notification
Purpose limitation
Access and correction rights
Protection and retention limits
Data breach notification

How Elderwise Complies:

Localized consent statements, retention schedules, access/correction channels, and breach notification procedures aligned with PDPC guidance.

ISO27001

Target: Q2 2026

ISO/IEC 27001 Information Security Management System

International ISMS standard for managing information security risques.

Santé Relevance:

International standard for establishing, implementing, maintaining, and continuously improving an ISMS.

Key Requirements:

Risque management program
ISMS governance and documentation
Security controls per Annex A
Continuous improvement cycle

How Elderwise Complies:

Formal ISMS scope definition, risque register, policies and control mapping, internal audits, and readiness for certification.

SOC2

Target: Q2 2026

SOC 2 Type II (Security, Availability, Confidentiality)

Attestation of security controls effectiveness over a period (Type II).

Santé Relevance:

Attestation of control effectiveness over a review period per AICPA Trust Services Criteria.

Key Requirements:

Documented policies and procedures
Security surveillance and alerting
Change and incident management
Vendor risque management

How Elderwise Complies:

Control mapping to TSC, evidence collection automation, continuous surveillance, quarterly control testing, and external audit readiness.

HITRUST

Target: 2026

HITRUST CSF

Santé-centric certifiable security framework harmonizing multiple standards.

Santé Relevance:

Santé-focused certifiable framework harmonizing HIPAA, ISO, NIST, and other requirements.

Key Requirements:

Risque-based control selection
Policy/procedure implementation
Validation and scoring
External évaluation

How Elderwise Complies:

Scope definition for PHI systems, control inheritance where applicable, and staged readiness toward validated évaluation.

HSA

Target: Q2 2026

Singapore HSA Guidance (Médical Technologies)

Singapore HSA guidance for médical technologies and software.

Santé Relevance:

Regulatory guidance for médical device software and santé tech solutions in Singapore.

Key Requirements:

Risque classification and documentation
Quality management alignment
Clinique and cybersecurity considerations

How Elderwise Complies:

Alignment with HSA advisories, documentation of intended use and risque controls; leverage ISO 14971/IEC 62304 where applicable.

HITECH

Target: Q1 2026

HITECH Act (Breach Notification)

U.S. breach notification and enforcement enhancements to HIPAA.

Santé Relevance:

U.S. breach notification and enforcement enhancements to HIPAA.

Key Requirements:

Breach risque évaluation
Timely notifications
Media and HHS reporting thresholds

How Elderwise Complies:

Incident response runbooks, evidence preservation, decision trees for materiality and reporting timelines.

FHIR

Target: Operational

HL7 FHIR (Interoperability)

Modern interoperability standard for structured clinique data exchange.

Santé Relevance:

Modern santé interoperability standard for structured clinique data exchange.

Key Requirements:

FHIR resources and profiles
RESTful APIs and conformance
Security and authorization (SMART on FHIR)

How Elderwise Complies:

FHIR-first data modeling for core entities, versioned profiles, and OAuth2/OpenID Connect for secure access.

HL7

Target: Operational

HL7 v2/v3 Messaging

Santé messaging standards used by EHRs and labs.

Santé Relevance:

Legacy and current santé messaging standards widely used by EHRs and labs.

Key Requirements:

Message formats and segments
Ack/error handling
Transport and security

How Elderwise Complies:

Adapters for HL7 v2.x integration where required, normalization to internal schemas, and secure transport.

ISO13485

Target: 2026

ISO 13485 Médical Devices QMS

Quality management system standard for médical devices.

Santé Relevance:

Quality management standard for organizations involved in médical device lifecycle.

Key Requirements:

Documented QMS
Design and development controls
Risque management and traceability
Post-market surveillance

How Elderwise Complies:

Progressive QMS adoption for applicable software modules; align with regulatory pathways if device classification applies.

ISO42001

Target: 2026

ISO/IEC 42001 AI Management System

AI management system standard for responsible AI governance.

Santé Relevance:

Framework for governing responsible AI systems across lifecycle.

Key Requirements:

AI risque management and controls
Data governance and transparency
Surveillance and continuous improvement

How Elderwise Complies:

Map existing controls to AI risques, define KPIs and documentation for transparency, and institute model governance workflows.

Data Protection & Compliance

Elderwise is committed to maintaining the highest standards of data protection and regulatory compliance in healthcare technology, with a progressive certification roadmap for completion between Q3 2025 and Q4 2026.

Legal Documents & Compliance Materials

Data Protection & Security Contacts

Data Protection Officer:dpo@elderwise.ai

EU Representative (Art. 27 GDPR):eu-rep@elderwise.ai

APAC Representative:apac-rep@elderwise.ai

Security Team:security@elderwise.ai

Vulnerability Reporting:security-alerts@elderwise.ai

Certification Roadmap

Elderwise's phased certification timeline:

Q3 2025: FHIR & HL7 interoperability certifications
Q4 2025: GDPR compliance validation
Q2 2026: ISO 27001 certification (audit in progress)
February 2026: ISO 42001 (AI Management System) certification
Q2 2026: HIPAA, HITECH & HSA certifications
Q3 2026: SOC 2 Type II & HITRUST CSF certifications
Q4 2026: ISO 13485 certification & continuous compliance monitoring

Healthcare-Specific Security Features

for all sensitive health information
for healthcare provider access
aligned with clinical workflows
for all actions on protected health information
Secure API design for healthcare system integrations
Context-aware access controls for different care settings
Session timeout controls for clinical environments
Secure offline caching for emergency care scenarios

Healthcare Infrastructure Security

Hosting in ISO 27001 certified data centers
Region-specific data residency options for regulatory compliance
Regular vulnerability scanning and penetration testing
Disaster recovery with 99.9% uptime commitment
Infrastructure as Code (IaC) for secure, consistent deployments
Network segmentation for clinical vs. administrative data
24/7 infrastructure monitoring with healthcare-specific alerts
Continuous security control validation using automated tools

Continuous Compliance Program

Automated compliance monitoring tools
Regular internal audits specific to healthcare requirements
Vendor security assessment program for all third parties
Compliance training for all staff, with healthcare-specific modules
Quarterly security steering committee with clinical stakeholders
Real-time compliance monitoring dashboard for leadership visibility
Automated evidence collection to streamline certification maintenance

Healthcare Data Governance Framework

Data Collection in Healthcare Context

Explicit consent mechanisms for patient data with healthcare-specific language
Transparent data collection purposes aligned with clinical needs
Minimized data collection following principles of medical necessity
Special handling procedures for sensitive medical categories
Patient-centric approach to data ownership and control

Healthcare Data Retention

Retention policies aligned with medical record requirements by jurisdiction
Secure, compliant data archiving for long-term medical records
Automated data deletion when retention periods expire
Special provisions for pediatric and geriatric record retention
Data lifecycle management specific to clinical documentation standards

Clinical Data Processing

Processing limited to intended healthcare purposes
Secure analytics for population health insights
De-identified data use for research and development
Validation processes for algorithm-assisted clinical reference tools
Secure federated learning techniques for model improvements

Patient Data Rights

Patient access to personal health information
Correction mechanisms for inaccurate health data
Data portability between healthcare providers
Special handling for vulnerable populations and proxy access
Transparent record of all third-party data sharing

Elderwise Healthcare Compliance Commitment:

Our compliance strategy follows Vanta's recommended "security by design" principles, embedding healthcare compliance requirements into our development process from inception to deployment. We recognize that healthcare data security directly impacts patient outcomes and provider efficiency, so our approach integrates technical safeguards with clinical workflow considerations to create a secure environment that enhances rather than impedes care delivery. Our compliance program emphasizes both regulatory adherence and the ethical responsibility we have to protect sensitive health information.

Certification Overview

Certification Strategy & Timeline

Compliance Roadmap

Certification Process

Documentation Phase

Creation of policies, procedures, and controls documentation

Gap Analysis

Assessment of current practices against certification requirements

Implementation

Deploying necessary controls and remediation activities

Internal Audit

Verification of control effectiveness before external assessment

External Assessment

Official certification audit by accredited third parties

Certification

Receipt of formal certification and continuous monitoring

Current Implementation Status

Pre-certification Assurances

We provide interim compliance documentation to customers, including security questionnaire responses, SOC 2 readiness assessments, and draft BAAs/DPAs while formal certification is underway.