Security & Compliance

How We Protect Your Data

Last updated: April 2026

Our Security Commitment

MedGuide processes sensitive medical documents. We treat every byte of your data as if it were our own health record. Our architecture is built on a zero-retention principle: your documents are analyzed and immediately discarded. No copies, no caches, no exceptions.

Zero Data Retention

Your documents are processed in memory and never written to disk. Once analysis is complete, your data is gone.

End-to-End Encryption

All data in transit is encrypted with TLS 1.3. Data at rest in Supabase is encrypted with AES-256.

GDPR Compliant

We comply with the EU General Data Protection Regulation. You have full control over your personal data at all times.

1

Security Overview

MedGuide is a medical document intelligence platform that uses AI to analyze clinical documents. We understand that medical data is among the most sensitive categories of personal information, and we have designed every layer of our system with this in mind.

This page describes the technical and organizational measures we implement to protect your data. If you have questions not covered here, please contact us at security@medguide.app.

2

Zero Data Retention

Core Principle: Analyze and Forget

MedGuide never stores your uploaded medical documents. Files are processed in memory, analyzed by our AI engine, and immediately discarded. The structured report is saved — the original document is not.

When you upload a document, it is transmitted over an encrypted connection directly to our processing pipeline. The document is held in memory only for the duration of analysis (typically 30–90 seconds).

After analysis, the structured report (summaries, findings, timeline entries) is stored in your account. The original document — whether it's a PDF, image, or scanned file — is permanently deleted from our systems.

This means that even in the unlikely event of a data breach, your original medical documents cannot be compromised because they simply do not exist on our servers.

3

Encryption

All network traffic between your browser and MedGuide servers is encrypted using TLS 1.3, the latest transport layer security protocol. We enforce HTTPS on all endpoints with no fallback to unencrypted connections.

Data at rest — including your account information, structured reports, and metadata — is encrypted using AES-256 encryption provided by our database provider (Supabase / AWS).

Authentication tokens and session data are managed through secure, HttpOnly cookies with SameSite protections to prevent cross-site request forgery.

4

Infrastructure

MedGuide runs on Vercel's edge network for the application layer and Supabase (hosted on AWS EU — Frankfurt) for the database layer. Both providers maintain SOC 2 Type II compliance and undergo regular third-party security audits.

Our AI document analysis is powered by Google Cloud's Gemini API, which processes data under Google's enterprise data processing terms. Google does not use your data to train models, and processing occurs in EU data centers.

We use Upstash (Redis) for rate limiting and caching, Resend for transactional email, and Stripe for payment processing. Each subprocessor is selected for its security track record and compliance certifications.

5

Authentication & Access Control

MedGuide supports Google OAuth and magic link authentication. We do not store passwords. Authentication is delegated to trusted identity providers, reducing our attack surface and giving you the benefit of Google’s account security infrastructure (including 2FA).

For B2B workspace accounts, we provide role-based access control (RBAC) with distinct permissions for owners, admins, and members. All authentication events are logged for audit purposes.

6

GDPR Compliance

MedGuide complies with the EU General Data Protection Regulation (GDPR). We process personal data only for the purposes described in our Privacy Policy, with appropriate legal bases for each processing activity.

Your rights under GDPR include: the right to access your data, the right to rectification, the right to erasure ('right to be forgotten'), the right to data portability, and the right to object to processing. You can exercise these rights from your account settings or by contacting us.

For users in Turkey, we also comply with KVKK (Kişisel Verilerin Korunması Kanunu). A dedicated KVKK disclosure is available at /kvkk.

7

Subprocessors

We use the following third-party services to operate MedGuide. Each subprocessor has been evaluated for security and compliance:

ProviderPurposeData Location
VercelApplication hosting & CDNUS / EU
SupabaseDatabase, authentication, storageEU (Frankfurt)
Google Cloud (Gemini)AI document analysisEU
StripePayment processingUS / EU
ResendTransactional emailUS
8

Incident Response

We maintain an incident response plan that includes detection, containment, investigation, and notification procedures. In the event of a data breach that affects your personal data, we will notify you and the relevant supervisory authority within 72 hours as required by GDPR.

We use Sentry for real-time error monitoring and alerting, allowing us to detect and respond to anomalies quickly. Security-critical events trigger immediate alerts to our engineering team.

9

Security Contact

If you discover a vulnerability, have a security concern, or need our Data Processing Agreement (DPA), please contact our security team:

This page describes our current security practices as of April 2026. We continuously improve our security posture and will update this page accordingly.

Security & Compliance — MedGuide | MedGuide