NeuralCare AI's security architecture, certifications, and responsible disclosure program for clinical AI infrastructure.
Last updated: January 1, 2025
NeuralCare AI maintains a comprehensive security program designed to protect clinical data, model infrastructure, and customer systems. Our compliance posture includes SOC 2 Type II, ISO 27001, HIPAA, GDPR, NHS Information Governance, and FDA 21 CFR Part 11 certifications.
All NeuralCare services run on enterprise cloud infrastructure with physical access controls, 24/7 monitoring, and redundant availability zones. GPU inference clusters are isolated from customer-facing APIs via network segmentation. Infrastructure as Code (IaC) ensures all configurations are version-controlled and auditable.
All data in transit is encrypted using TLS 1.3. All data at rest is encrypted using AES-256. Encryption keys are managed via hardware security modules (HSMs) and rotated quarterly. API credentials are hashed using bcrypt with a cost factor of 12 and never stored in plaintext.
NeuralCare enforces role-based access control (RBAC) with least-privilege principles across all internal systems. Multi-factor authentication (MFA) is required for all employees and enforced for all customer admin accounts. Privileged access to production systems requires a separate privileged access workstation (PAW) and time-limited session tokens.
NeuralCare's federated learning protocol applies differential privacy noise (ε=8, δ=10⁻⁵) to all gradient updates before transmission. Secure aggregation using cryptographic secret sharing ensures that NeuralCare cannot observe individual institution gradients. All gradient transmissions are encrypted end-to-end using Curve25519 key exchange.
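As an added illustration of the update path this paragraph describes, not NeuralCare's own code: each institution clips its gradient, adds Gaussian noise calibrated to the stated ε and δ, and masks the result with pairwise one-time pads so the aggregator only ever sees the sum. The clipping bound, the fixed-point encoding, and the seeded pairwise masks are assumptions standing in for the real protocol's parameters and its Curve25519 key exchange.

```python
import math
import random

EPSILON, DELTA = 8.0, 1e-5   # stated on the page
CLIP_NORM = 1.0              # assumed per-update L2 clipping bound
SCALE = 1 << 16              # assumed fixed-point scale for masking
MODULUS = 1 << 32            # masked values and sums live in Z_MODULUS

def gaussian_sigma(clip_norm, epsilon, delta):
    """Classic Gaussian-mechanism scale; its proof covers eps < 1 only, so a
    deployment at eps=8 must calibrate with an RDP or analytic accountant."""
    return clip_norm * math.sqrt(2 * math.log(1.25 / delta)) / epsilon

def clip(grad, clip_norm=CLIP_NORM):
    """Scale the update so its L2 norm is at most clip_norm (bounds sensitivity)."""
    norm = math.sqrt(sum(g * g for g in grad))
    factor = min(1.0, clip_norm / norm) if norm > 0 else 1.0
    return [g * factor for g in grad]

def clip_and_noise(grad, rng):
    sigma = gaussian_sigma(CLIP_NORM, EPSILON, DELTA)
    return [g + rng.gauss(0.0, sigma) for g in clip(grad)]

def mask_update(index, noisy_grad, pair_seeds):
    """Fixed-point encode, then add pairwise one-time masks (+r for the lower index,
    -r for the higher). pair_seeds stands in for the per-pair secret the real
    protocol derives from its key exchange."""
    masked = [int(round(g * SCALE)) % MODULUS for g in noisy_grad]
    for (i, j), seed in pair_seeds.items():
        if index in (i, j):
            prng = random.Random(seed)  # both parties derive the same stream
            sign = 1 if index == i else -1
            masked = [(m + sign * prng.randrange(MODULUS)) % MODULUS for m in masked]
    return masked

def aggregate(masked_updates):
    """Aggregator's view: sum masked vectors; masks cancel, leaving only the total."""
    total = [sum(col) % MODULUS for col in zip(*masked_updates)]
    return [(t - MODULUS if t >= MODULUS // 2 else t) / SCALE for t in total]

def run_round(gradients, seed=0):
    """One round over constructed institution gradients: (aggregate, plain sum)."""
    rng = random.Random(seed)
    noisy = [clip_and_noise(g, rng) for g in gradients]
    n = len(gradients)
    pair_seeds = {(i, j): rng.getrandbits(64) for i in range(n) for j in range(i + 1, n)}
    masked = [mask_update(i, noisy[i], pair_seeds) for i in range(n)]
    return aggregate(masked), [sum(col) for col in zip(*noisy)]
```

The aggregate matches the plain sum of the noisy updates up to fixed-point rounding, while any single masked vector is uniformly random to the aggregator.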
We operate a responsible disclosure program. If you discover a potential security vulnerability, please report it to security@neuralcareai.tech. We commit to acknowledging reports within 24 hours and providing a remediation timeline within 72 hours. We do not pursue legal action against good-faith security researchers.
NeuralCare engages independent third-party penetration testing firms annually for full-scope infrastructure and API penetration tests, and quarterly for targeted model API tests. Findings are remediated according to severity SLAs: Critical — 24h, High — 7 days, Medium — 30 days.
Audit reports and certifications are available under NDA to enterprise customers upon request.