Data Handling

How MedTWIN protects and manages your research data.

Data Security

Encryption

All data is encrypted:

State	Method
At Rest	AES-256
In Transit	TLS 1.3
In Backup	AES-256

Key Management

Keys stored in Hardware Security Modules (HSM)
Automatic key rotation
Separate keys per tenant
No plaintext key storage

Data Isolation

Multi-Tenant Architecture

┌─────────────────────────────────────────┐
│              MedTWIN Platform            │
├─────────────────────────────────────────┤
│  ┌─────────┐  ┌─────────┐  ┌─────────┐  │
│  │ Org A   │  │ Org B   │  │ Org C   │  │
│  │ Data    │  │ Data    │  │ Data    │  │
│  └─────────┘  └─────────┘  └─────────┘  │
│      │            │            │        │
│      └────────────┴────────────┘        │
│            Logically Isolated           │
└─────────────────────────────────────────┘

Isolation Guarantees

Database: Separate schemas per organization
Storage: Separate containers/buckets
Network: VPC isolation
Compute: Isolated processing

Data Lifecycle

1. Upload

Your Data → Encrypted Upload → Validation → Storage

Encrypted before leaving your browser
Validated for format and integrity
Stored in isolated tenant storage

2. Processing

Processed in isolated compute environment
No data mixing between tenants
Results stored with same isolation

3. Retention

Default retention periods:

Data Type	Default	Configurable
Research data	7 years	Yes
Analysis results	7 years	Yes
Audit logs	6 years	No (minimum)
Backups	90 days	Yes

4. Deletion

On deletion request:

Soft delete: Marked for deletion
Hard delete: Cryptographically erased (30 days)
Backup purge: Removed from all backups (90 days)

Access Controls

Role-Based Access Control (RBAC)

Role	Capabilities
Owner	Full control, billing
Admin	Manage team, all data
Editor	Create, edit, run analyses
Viewer	Read-only access

Project-Level Permissions

Assign different roles per project:

User: dr.smith@hospital.org
├── Project A: Editor
├── Project B: Viewer
└── Project C: Admin

Multi-Factor Authentication

Required for:

All production access
Admin operations
Billing changes
API key creation

Audit Trail

What's Logged

Every action is logged:

{
  "timestamp": "2026-01-29T12:00:00Z",
  "user": "user@example.com",
  "action": "data.view",
  "resource": "project/abc123/patient/P001",
  "ip_address": "203.0.113.50",
  "user_agent": "Mozilla/5.0...",
  "result": "success"
}

Log Access

View logs in Settings → Audit Log
Export for compliance review
API access available

Data Export

Your Data is Yours

Export all your data anytime:

Data: CSV, Excel, JSON
Analyses: Results, code, audit trail
Papers: Word, LaTeX, PDF
Everything: Full project export

Portability

We support data portability:

Standard formats (CSV, JSON)
API access for bulk export
No lock-in

Subprocessors

We use these subprocessors for data handling:

Provider	Purpose	Location
AWS	Infrastructure	US, AU
PostgreSQL	Database	Managed
Redis	Caching	In-memory only

All subprocessors have:

Signed DPAs
SOC 2 certification
HIPAA compliance (where applicable)

Incident Response

Response Timeline

Detection: Automated monitoring
Triage: Within 1 hour
Investigation: Within 24 hours
Notification: Within 24 hours (if breach)
Remediation: Based on severity

Reporting

Report security concerns:

Email: security@medtwin.ai
Subject: "URGENT: Security Report"

Best Practices

Protect Your Data

Enable MFA for all team members
Use strong, unique passwords
Review access logs regularly
Remove inactive users promptly
Export data backups periodically

Questions?

Contact our security team: