Security & Compliance

Fractify Security & Compliance

Fractify's clinical AI radiology platform is built for hospitals that operate under strict regulatory and data governance requirements. Every feature — from scan upload to report export — is designed around patient data security, clinician accountability, and institutional compliance.

What Is Fractify's Security Architecture?

Fractify's security architecture is a layered, healthcare-grade system designed for hospital and diagnostic centre deployments. It combines 6-tier Role-Based Access Control (RBAC), TOTP Two-Factor Authentication, immutable audit trails, multi-tenant data isolation, GDPR Right-to-Be-Forgotten compliance, and HIPAA-ready infrastructure. All data is encrypted at rest and in transit using industry-standard protocols. For on-premise deployments, patient data never leaves the hospital's own servers — Fractify's AI models run entirely within the institution's infrastructure.

HIPAA-Ready

Architecture meets HIPAA technical safeguard requirements for healthcare data handling.

GDPR-Compliant

Right-to-Be-Forgotten implemented. Patient records permanently deleted on request.

Multi-Tenant

Each hospital account operates in a completely isolated data environment — no cross-tenant data access.

6-Tier Role-Based Access Control (RBAC)

Every user action in Fractify is governed by a strict permission hierarchy. No user can access data or perform actions outside their assigned role.

Roles and their permissions:
Viewer: Read-only access to assigned reports. Cannot submit scans.
Doctor: Submit scans, view AI reports, add doctor notes, request second opinions.
Radiologist: Review and annotate findings, confirm or override AI assessments, access full patient history.
Hospital: Manage department users, view usage analytics, configure department-level settings.
Supervisor: Oversee multiple departments, manage team access, review audit trail exports.
Admin: Full account control: user management, billing, data exports, security settings, session management.

Security Features

TOTP Two-Factor Authentication

Time-based One-Time Password (TOTP) 2FA is available for all user tiers. Backup recovery codes prevent lockout. Hospital Admins can enforce 2FA organisation-wide.
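The TOTP verification and backup-code handling described above, shown as an added example. This is not Fractify's code: the SecondFactor class, the one-step skew window for clock drift, the replay guard that refuses a second login with the same code, and the hashed single-use recovery codes are assumptions about how such a second factor is commonly built, following RFC 6238.

```python
"""TOTP second factor with single-use backup recovery codes (RFC 6238).

Added illustration, not Fractify's implementation; class and parameter
names are assumptions.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # code length shown by the authenticator app
SKEW_STEPS = 1      # accept one step either side to tolerate clock drift


def totp_code(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 code for the given time: HMAC-SHA1 over the step counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** DIGITS).zfill(DIGITS)


def generate_backup_codes(count: int = 8) -> list[str]:
    """Random 10-hex-digit recovery codes from a CSPRNG (assumed format)."""
    return [secrets.token_hex(5) for _ in range(count)]


class SecondFactor:
    """Per-user 2FA state: a TOTP secret plus hashed, single-use backup codes."""

    def __init__(self, secret_b32: str, backup_codes: list[str]):
        self.secret_b32 = secret_b32
        # Only hashes are stored, so a leaked user table does not yield usable codes.
        self._backup_hashes = {self._hash(c) for c in backup_codes}
        self._last_accepted_step = -1   # replay guard: each time step is accepted once

    @staticmethod
    def _hash(code: str) -> str:
        return hashlib.sha256(code.strip().encode()).hexdigest()

    def verify_totp(self, submitted: str, unix_time: int) -> bool:
        """Accept the code for the current step or SKEW_STEPS either side, never twice."""
        current_step = unix_time // STEP_SECONDS
        for delta in range(-SKEW_STEPS, SKEW_STEPS + 1):
            step = current_step + delta
            if step <= self._last_accepted_step:
                continue   # window already consumed: a replayed code is rejected
            expected = totp_code(self.secret_b32, step * STEP_SECONDS)
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                self._last_accepted_step = step
                return True
        return False

    def verify_backup_code(self, submitted: str) -> bool:
        """A backup code is consumed on first use, so it cannot be replayed after a leak."""
        digest = self._hash(submitted)
        if digest in self._backup_hashes:
            self._backup_hashes.remove(digest)
            return True
        return False

    def remaining_backup_codes(self) -> int:
        """Lets the UI warn the user before they run out and get locked out."""
        return len(self._backup_hashes)


if __name__ == "__main__":
    # Constructed demo secret (base32 of the RFC 6238 test key "12345678901234567890").
    secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    now = int(time.time())
    factor = SecondFactor(secret, generate_backup_codes())
    print("current code:", totp_code(secret, now))
    print("accepted:", factor.verify_totp(totp_code(secret, now), now))
    print("replay accepted:", factor.verify_totp(totp_code(secret, now), now))
```

The replay guard matters more than the skew window: without it, an attacker who observes a code has up to 90 seconds to reuse it, and with it the code is dead the moment the legitimate user logs in.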

Immutable Audit Trail

Every scan submission, report view, annotation, login event, and role change is logged in a tamper-proof audit trail. Exportable as CSV for compliance reporting.
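One way to build a tamper-evident, CSV-exportable audit trail of the kind described above, as an added example that is not Fractify's implementation: each entry's SHA-256 hash covers the previous entry's hash, so an edited or deleted row breaks the chain when the export is verified. The per-tenant chain, the field names and the event vocabulary (scan.upload, report.view, role.change) are assumptions.

```python
"""Hash-chained, append-only audit trail with per-tenant CSV export and verification.

Added example, not Fractify's code; field names and event names are assumptions.
"""
import csv
import hashlib
import io
import json
from typing import Optional

GENESIS_HASH = "0" * 64   # chain anchor for the first entry of each tenant

FIELD_NAMES = ["seq", "timestamp", "tenant_id", "actor", "role",
               "action", "target", "prev_hash", "entry_hash"]


def _entry_hash(row: dict) -> str:
    """SHA-256 over canonical JSON of every field except entry_hash itself."""
    payload = {k: row[k] for k in FIELD_NAMES if k != "entry_hash"}
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


class AuditTrail:
    """Append-only: there is deliberately no update or delete method."""

    def __init__(self):
        # One chain per hospital account, so a tenant's export verifies on its own
        # and never includes another tenant's rows.
        self._chains: dict[str, list[dict]] = {}

    def append(self, timestamp: str, tenant_id: str, actor: str,
               role: str, action: str, target: str) -> dict:
        chain = self._chains.setdefault(tenant_id, [])
        prev_hash = chain[-1]["entry_hash"] if chain else GENESIS_HASH
        row = {"seq": len(chain), "timestamp": timestamp, "tenant_id": tenant_id,
               "actor": actor, "role": role, "action": action, "target": target,
               "prev_hash": prev_hash, "entry_hash": ""}
        row["entry_hash"] = _entry_hash(row)
        chain.append(row)
        return row

    def export_csv(self, tenant_id: str) -> str:
        """CSV for compliance reporting, scoped to a single tenant."""
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=FIELD_NAMES, lineterminator="\n")
        writer.writeheader()
        writer.writerows(self._chains.get(tenant_id, []))
        return buf.getvalue()


def verify_csv(csv_text: str) -> tuple[bool, Optional[int]]:
    """Re-derive the chain from an export; returns (ok, position of the first bad row or None)."""
    expected_prev = GENESIS_HASH
    for n, row in enumerate(csv.DictReader(io.StringIO(csv_text))):
        try:
            row["seq"] = int(row["seq"])   # CSV round-trips everything as text
        except (ValueError, TypeError):
            return False, n
        if row["seq"] != n or row["prev_hash"] != expected_prev:
            return False, row["seq"]       # a row was removed, reordered or inserted
        if _entry_hash(row) != row["entry_hash"]:
            return False, row["seq"]       # a row's content was changed
        expected_prev = row["entry_hash"]
    return True, None


if __name__ == "__main__":
    # Constructed sample events.
    trail = AuditTrail()
    trail.append("2024-01-01T09:00:00Z", "hospital-a", "dr.smith", "Doctor", "scan.upload", "scan-1")
    trail.append("2024-01-01T09:01:00Z", "hospital-a", "dr.jones", "Radiologist", "report.view", "report-1")
    export = trail.export_csv("hospital-a")
    print(export)
    print("intact:", verify_csv(export))
    print("edited:", verify_csv(export.replace("report.view", "report.delete")))
```

A hash chain only detects tampering; to make the trail hard to tamper with in the first place, the latest entry_hash should be periodically copied somewhere the application's own database writer cannot reach (a separate log store or a write-once bucket), so that a rewrite of the whole chain is caught against that anchor.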

Active Session Management

Admins can view and remotely revoke any active session in real time. Sessions expire automatically based on configurable idle timeouts.

Data Encryption

All patient data is encrypted at rest (AES-256) and in transit (TLS 1.3). DICOM files are stored in encrypted volumes. API communications are HTTPS-only.

GDPR Right-to-Be-Forgotten

On request, all patient data associated with an individual can be permanently and irreversibly deleted from Fractify's databases, satisfying Article 17 GDPR requirements.

On-Premise Deployment Option

For maximum data sovereignty, Fractify is available as a Docker container deployed within the hospital's own servers. Zero patient data leaves the institution's network.

Data Residency by Deployment Model

Cloud SaaS

Patient data stored in encrypted, multi-tenant isolated cloud databases. No cross-hospital data access. Data residency options available for GCC and Southeast Asia deployments.

On-Premise (Docker)

All data remains within the hospital's own infrastructure. AI models run locally. Zero scan images or patient records transmitted externally. Recommended for institutions with strict data sovereignty requirements.

API Integration

HTTPS-only REST API with JWT authentication. Scan images are submitted as secure DICOM or Base64 payloads. Requests are rate-limited and audit-logged per API key.

Compliance FAQ

Is Fractify HIPAA compliant?

Fractify is built on a HIPAA-ready architecture with 6-tier RBAC, TOTP 2FA, immutable audit trails with CSV export, multi-tenant data isolation, and active session management with remote revocation. All data is encrypted at rest and in transit. For on-premise deployments, patient data never leaves the hospital's own network.

Is Fractify GDPR compliant?

Yes. Fractify implements GDPR Right-to-Be-Forgotten: any patient data can be permanently deleted on request. Multi-tenant architecture ensures data from one hospital is never accessible to another. Fractify's marketing website does not collect or store any patient data.

Where is patient data stored?

For Cloud SaaS deployments, patient scan data is stored in encrypted, multi-tenant isolated databases. For on-premise deployments (Docker container), all data stays entirely within the hospital's own network and servers — Fractify never accesses it. The marketing website aiscan.fractify.net stores zero patient data.

Does Fractify have an audit trail for compliance reporting?

Yes. Fractify maintains an immutable audit trail of all actions: scan uploads, report views, annotations, user logins, and role changes. The audit trail is exportable as CSV for regulatory compliance reporting. It cannot be edited or deleted by any user tier.

Can Fractify be deployed on-premise?

Yes. Fractify is available as a Docker container for on-premise hospital deployment, starting from $15,000 one-time. In this model, all patient data remains within the hospital's own infrastructure. No scan images or patient records are transmitted to external servers.

Does Fractify support two-factor authentication?

Yes. Fractify implements TOTP (Time-based One-Time Password) 2FA with backup recovery codes. 2FA is available for all user tiers and can be enforced organisation-wide by Hospital or Admin tier users.

Ready to Deploy in Your Hospital?

Talk to our team about compliance requirements, on-premise deployment, or enterprise data agreements for your institution.