Security & compliance, engineered for the inspection day.

Clinical data deserves more than a privacy policy. Here's how Catenix is built to keep patient data safe, access controlled, and every action accountable.

Regional data residency · GDPR-aligned · Encryption in transit & at rest · Role-based access control · Tamper-evident audit trail · 21 CFR Part 11-style controls

Need the forwardable version? Read the Trust Centre fact sheet: residency, encryption, access control, audit and regulatory status on one page.

Data residency

Patient data is hosted in-region. We don't move clinical data out of its region for processing, and deployment in your jurisdiction is available on request.

Encryption

TLS in transit; encryption at rest. Secrets are managed, not embedded, and gateway connections are key-authenticated.

Access control

Role-based access control with per-tenant isolation enforced at both the application and data layers — never just one.

Audit & traceability

A tamper-evident log of every state-changing action, and wire-level lineage from each result back to the device frame that produced it.

Identity & sign-off

Operators authenticate individually and release results against their own identity — never a shared account. Failed-login lockout is built in.

Resilience

Supervised edge listeners auto-restart, results buffer and retry through brief outages, and every deployment is build-stamped.

Frameworks we build toward

One control set, several frameworks.

Catenix is designed around the controls these frameworks expect. Where a framework requires formal certification, that status is shared directly with prospective customers under NDA.

GDPR & data-protection law

Lawful processing, data-subject rights, and a Data Processing Agreement available to customers.

ISO 27001 principles

Information-security management built around the ISO 27001 control families.

ISO 15189-aware

Designed with medical-laboratory quality expectations in mind — QC, competency, traceability.

21 CFR Part 11-style

Electronic records and signatures: unique identity, audit trail, controlled changes.

Baseline security controls

Technical controls aligned to recognised industry security baselines.

Healthcare governance frameworks

Structured to support healthcare information-governance and clinical-safety assessments — including the UK's NHS DSPT and DTAC.

Scope & intended use

Catenix is not a medical device.

Catenix performs connectivity, workflow, record-keeping and data display. It transports, stores and presents results exactly as the analyser produced them. It does not interpret results, calculate clinical values, classify or flag results clinically, or provide clinical decision support. Clinical interpretation remains with the qualified professional and the analyser that generated the result.

Questions, answered

What procurement asks first.

Where is patient data hosted?

Catenix offers regional data residency — data is hosted in-region, encrypted in transit and at rest, with access controlled by role. Deployment in your jurisdiction is available on request.

Is Catenix a medical device?

No. Catenix performs connectivity, workflow, record-keeping and data display. It does not interpret results, calculate clinical values or provide clinical decision support, and is not a medical device for those purposes.

How do you handle audit and traceability?

Every state-changing action is recorded in a tamper-evident audit trail — who, when, from where and what changed — and every result can be traced to the exact device message that produced it.

Responsible disclosure

Found something? Tell us.

If you believe you've found a security vulnerability in Catenix, please email security@catenix.com. We'll acknowledge your report, investigate promptly, and keep you updated. Please give us reasonable time to remediate before any public disclosure.

For data-protection enquiries, including a Data Processing Agreement or sub-processor list, contact contact@catenix.com.