TranslateMD

Security & Trust

TranslateMD is built for healthcare — PHI-safe by design, with enterprise-grade encryption, infrastructure, and compliance. Here's exactly how we handle your data.

Last updated: May 22, 2026

TLS 1.3 in transit
Documents never stored
Cloudflare edge
No AI training

Data Handling

Your documents are processed in memory and never written to permanent storage. Only the structured output (code mappings, confidence scores) is retained for your history.

Documents Never Stored

Your documents are processed in memory and returned to you — never written to our database. Document content does not persist after a translation completes.

Metadata vs. Content

Translation metadata (codes, mappings, confidence scores) is stored for your history. Document content is not. Your clinical text never touches our database.

Encryption Everywhere

All data is encrypted in transit using TLS 1.3. Stored translation metadata is encrypted at rest using AES-256.

No Content Logging

We never include document content in application logs. PHI safety is enforced at the code level — not just as a policy.


Infrastructure

Built on industry-leading cloud infrastructure with automatic failover, global distribution, and strict data isolation between tenants.

Cloudflare Global Edge

Hosted on Cloudflare's global edge network — low-latency processing with DDoS protection and automatic failover built in.

Neon Serverless PostgreSQL

Translation metadata is stored in Neon serverless PostgreSQL with automated backups, point-in-time recovery, and SOC 2 compliant hosting.

Row-Level Tenant Isolation

Your data is isolated at the database level using row-level security. No other organization can query or access your translation history.


Compliance

Current status of compliance certifications and frameworks. We are transparent about what is live today and what is on our roadmap.

HIPAA (Status: Active)

Business Associate Agreements (BAAs) are available for Enterprise customers. Our architecture is designed for PHI-safe processing — documents processed in memory, no content logging.

GDPR (Status: Active)

EU data processing compliant. Data Processing Agreements (DPAs) available. EU users can request data access, rectification, or deletion at any time.

SOC 2 Type II (Status: Planned)

SOC 2 Type II audit is on our roadmap. Timeline TBD. Contact us if this is a blocker for your procurement process.

No AI Training on Your Data (Status: Active)

We never use your documents to train AI models — not TranslateMD's models, and not Anthropic's. Our commercial API agreement with Anthropic explicitly prohibits this.

AI Transparency

We believe you should know exactly how AI is used in your translations — what it does, what it doesn't do, and how accurate it is.

94.5% Verified Accuracy

Translation accuracy is measured by automated evaluation across a comprehensive test suite spanning all supported corridors. Results are reproducible and re-run on every release.

Verified Knowledge Base

Code mappings come from a verified, hand-curated knowledge base built from authoritative sources — not generated by AI. Hallucinations are structurally prevented.

AI-Augmented Fallback Labeled

When AI fills a gap in the knowledge base, it is clearly labeled with a confidence badge. You always know whether a mapping is deterministic or AI-assisted.

Published Evaluation Methodology

Our evaluation framework, test cases, and scoring rubric are publicly documented. See exactly how we verify our 94.5% accuracy claim.

Per-Corridor Accuracy Data

Accuracy breakdowns for each supported country pair — real eval results, not marketing claims.


Enterprise Security Features

Additional security controls available on Enterprise plans for organizations with stricter requirements.

Self-Hosted Deployment

Deploy TranslateMD on your own infrastructure — your servers, your network, your keys. No data leaves your environment.

Per-Tenant Encryption Keys

Bring your own encryption keys or use per-tenant keys managed by TranslateMD. Complete cryptographic isolation between organizations.

SSO / SAML Integration

Single sign-on via SAML 2.0 or OIDC. Integrate with Okta, Azure AD, Google Workspace, and other identity providers.

Audit Logging

Immutable audit log of all actions — who translated what, when, from which IP, with what result. Exportable for compliance reporting.

Custom Data Retention

Configure exactly how long translation metadata is retained. Set automatic deletion schedules aligned with your organization's data governance policies.


EU Data Residency

All data is processed and stored within the European Union. TranslateMD is built for EU healthcare compliance — every provider is EU-hosted or GDPR-covered.

Data Stored in EU

Database hosted in Frankfurt, Germany (Neon eu-central-1). R2 document storage in EU jurisdiction. Cloudflare edge processing restricted to EU data centers.

EU Provider Stack

Plausible Analytics (Estonia/Germany), Neon Postgres (Frankfurt), Mailgun EU, Stripe Payments Europe (Ireland). Each provider holds a GDPR-compliant Data Processing Agreement.

Offline Mode — Zero External APIs

Our default translation approach uses verified code mappings from our proprietary knowledge base. No data leaves EU infrastructure. Available for customers with strict data sovereignty requirements.

Data Processing Agreements

DPAs in place or in progress with all data processors: Cloudflare, Neon, Stripe, Mailgun. Anthropic DPA required before using AI-augmented strategies with EU patient data.


Security Contact

Found a vulnerability? Have a compliance question? Evaluating TranslateMD for your healthcare organization?

Security questions: security@translatemd.io
Enterprise inquiry