MedBrief Minimum Data Protection Standards

MedBrief has established a 5-factor test that a processing environment, including a third-party processing environment such as a web-hosting company or cloud computing provider, has to pass to our satisfaction to be identified as a MedBrief Approved Processing Environment. A MedBrief Approved Processing Environment is a data hosting or data processing systems environment listed at https://medbrief.com/regions/ that has been identified by MedBrief as offering adequate technical and other safeguards for the processing of Personal Data, including Sensitive Data.
The 5 main factors that we consider, in addition to other specific factors that we may reasonably determine to be relevant, are the following:
- Data Residency and Sovereignty
The most fundamental feature of our assessment is consideration of the region where servers are located for legal jurisdictional purposes, data residency and sovereignty purposes and to ensure efficient compliance with laws, regulations and contractual obligations.
- Comprehensive Security Certifications
We look for comprehensive security compliance portfolios that are regularly audited and certified against the leading international and region-specific standards, and that must include the following minimum international security certifications: ISO/IEC 27001 (Information Security Management Systems) and ISO/IEC 27017 (Code of Practice for Information Security Controls for Cloud Services).
- Privacy Certifications
We look for comprehensive security compliance portfolios that are regularly audited and certified against leading international and region-specific standards, and that must include ISO/IEC 27018 (Code of Practice for Protection of PII in Public Clouds) to safeguard against any secondary use of personal data.
- High Availability and Disaster Recovery
ISO 9001 (Quality Management Systems) and ISO 22301 (Business Continuity Management Systems) are minimum requirements to be identified as a MedBrief Approved Processing Environment. We view the presence of two distinct regions within one territory as a systems architecture feature that promotes robust disaster recovery. Data can be automatically replicated between the two locations, which are physically separate enough to be isolated from regional disasters. This enables MedBrief to deliver highly resilient applications, ensuring business continuity and minimal downtime for its clients.
- Security-as-a-Service and Integrated Security Posture
Processing environment providers may provide extensive "security-as-a-service" as a standard and integrated part of the processing environment platform. This includes security assessments, secure network infrastructures, infrastructure monitoring and protection, and identity and access management, including secure APIs and endpoints to third-party systems in the same data centres that use private IP addresses within the same data centre network, which keeps network traffic from reaching the Internet.
Find Out More
You can view the current list of MedBrief Approved Processing Environments here.
To understand more about our contractual commitments and security architecture, please speak to your account manager or contact us via our official Contact page.
If your data is being processed by MedBrief and you wish to exercise your rights, please review our Data Protection Policy and our Privacy Policy or contact us for further information.