Security & Compliance

Built for regulated life sciences environments.

NextConsensus processes approved claim text and public evidence sources. We do not ingest PHI, PII, or proprietary clinical trial data. Our architecture is designed for SOC 2 Type II, HIPAA alignment, and GDPR compliance from day one.

SOC 2 Type II in progress — targeting Q1 2026. No certifications achieved yet.

Certifications & Standards

We are building toward these standards. Current status is transparent below.

SOC 2

SOC 2 Type II

In progress — targeting completion Q1 2026. Controls mapped to Security, Availability, Confidentiality trust principles. Bridge letter available on request.

HIPAA

HIPAA Alignment

No PHI processed. Architecture supports BAA execution for customers requiring it. Audit logging, access controls, encryption at rest/in transit implemented.

GDPR

GDPR Compliance

Data minimization by design. No personal data processed. DPA template available. EU data residency via Cloudflare Workers regional routing.

ISO 27001

ISO 27001 Controls

Control framework mapped. Policy library, risk assessment, incident response, vendor management, business continuity documented. Formal certification not pursued yet.

Data Handling

What we ingest

  • Approved claim text (customer-provided)
  • Public evidence sources (PubMed, FDA labels, guidelines, ClinicalTrials.gov)
  • Use context: where claim appears, audience, review owner

What we never ingest

  • PHI / PII
  • Proprietary clinical trial data
  • Internal deliberative documents
  • Unpublished manufacturer data

Retention

  • Assessment artifacts: retained per customer agreement (default 7 years)
  • Source evidence snapshots: timestamped, immutable, reproducible
  • Deletion on request: 30-day SLA

Encryption

  • At rest: AES-256 (Cloudflare R2, D1)
  • In transit: TLS 1.3
  • Keys: Cloudflare-managed, customer-controlled optional

Access Controls

Authentication

OIDC via Cloudflare Access. SAML/OIDC federation with customer IdP. MFA enforced. Session timeout configurable.

Authorization

Role-based: Admin, Reviewer, Viewer. Tenant isolation at application and database layer (D1 per-tenant or row-level security).

Audit Logging

All assessment actions, data exports, config changes logged. Immutable log via Cloudflare Workers KV + R2. Exportable for SIEM.

Vulnerability Management

Dependabot + SBOM generation. Container scanning. Quarterly pen test (external). Bug bounty via HackerOne (planned).

Infrastructure

Platform

Cloudflare Workers (compute), D1 (SQLite), R2 (object storage), KV (edge KV), Queues, Workflows, Vectorize. No self-managed servers.

Network

Zero-trust via Cloudflare Zero Trust. No public origin IPs. WAF managed rules + custom rules. DDoS protection included.

Regional Residency

Workers regional routing (US, EU, APAC). Data stays in region. Customer chooses region at onboarding.

Business Continuity

RTO < 4 hours, RPO < 1 hour. Cross-region replication for D1/R2. Runbook tested quarterly.

Subprocessors

We use a minimal set of subprocessors. Full list available on request.

  • Cloudflare, Inc. — Infrastructure, Workers, D1, R2, KV, Queues, Vectorize (US/EU)
  • GitHub, Inc. — Source code, CI/CD (US)
  • Linear, Inc. — Issue tracking (US)
  • Notion Labs, Inc. — Internal documentation (US)

Incident Response

Classification

SEV-1 (data breach, service outage > 15 min) → 15-min acknowledgment, 1-hour customer notification

Communication

Status page, direct email to security contacts, post-incident report within 5 business days

Testing

Tabletop exercises quarterly. Red team annually. Runbook reviewed semi-annually.

Documents Available

Request any of the following via security contact form:

  • SOC 2 Type II report (when available) / Bridge letter
  • HIPAA Business Associate Agreement (BAA)
  • Data Processing Agreement (DPA) — GDPR Art. 28 compliant
  • Security Questionnaire (CAIQ / SIG Lite / custom)
  • Penetration test summary (redacted)
  • Architecture diagram & data flow diagram
  • Business continuity & disaster recovery plan summary
  • Subprocessor list (full)

Need the security packet?

We'll send the full packet within 1 business day.