How Dermi Atlas keeps patient data where it belongs, within the clinic, through a local-first architecture designed for healthcare compliance.

Patient data security in healthcare imaging is not simply a matter of encryption and access controls. It begins with a fundamental question: where does the data live, and who controls it? Dermi Atlas was architected around the principle that patient imaging data should remain within the clinical environment that creates it.
Dermi Atlas Professional is deployed on infrastructure owned and operated by the healthcare practice. Patient images, records, and metadata are stored locally. No patient data is transmitted to external cloud servers, third-party analytics services, or remote processing systems. This is not a configurable option; it is the fundamental architecture of the platform.
This local-first approach means the practice maintains full custody of its data at all times. There is no dependency on external service availability for accessing patient records. If internet connectivity is lost, Dermi Atlas Professional continues to function without interruption.
All communication between client devices and the Dermi Atlas server is encrypted using TLS. This includes both HTTPS for the web application and WSS (WebSocket Secure) for real-time synchronization. Dermi Atlas Manager provides automated self-signed certificate generation, with automatic detection of IP address changes and certificate rotation when needed.
Dermi Atlas includes a configurable audit logging system that records access to patient data, authentication events, and administrative actions. Audit logs support compliance requirements by providing a verifiable record of system activity. Detailed configuration options are documented in the Audit Logging Configuration guide.
The security architecture of Dermi Atlas is designed to support compliance with major healthcare privacy regulations, including:
Detailed compliance guidance is available in the HIPAA Compliance Guide, PIPEDA Compliance Guide, and Data Security Architecture documentation.
Dermi does not monetize patient data in any form. There is no aggregation, no de-identification for resale, and no use of patient information for purposes outside of the direct clinical care relationship. The business model is based on software licensing, not data exploitation.