Security & Compliance

Our commitment to your digital safety

We take your patients’ privacy seriously

Medical Device

For us, quality and safety come first, and as a certified class I medical device, UpHill is compliant with the industry safety standards.

Privacy protection by design

UpHill is GDPR compliant, as part of our commitment to protecting the privacy of our clients’ patients’ personal health information.

Security first

UpHill is built on a broad culture of security, and we give security the highest consideration at the various steps of the data journey.

UpHill is compliant with relevant industry-standard certifications


When it comes to privacy and security, we noticed not only the safeguarding of standards and best practices but their true implementation.

Carlos Sousa

ICT Manager, Hospital da Cruz Vermelha

Safety: the cornerstone of all steps in our data journey.

Bulletproof monitoring processes & third-party audits

Daily internal monitoring for threats and attempted attacks, and for infrastructure and code vulnerabilities.

Multiple third-party penetration tests yearly, including manual penetration testing on our software.

Code audits performed regularly to find and address any security vulnerabilities.

Data encryption and storage

All data is encrypted in transit (TLS 1.2 SHA256-RSA) and in storage (AES256). Backups are also encrypted and stored in a separate location.

Data is stored in the European Cloud at Amazon Web Services, which is compliant with the most demanding safety requirements.

Application containers and databases are in private subnets, inaccessible from the outside.

Access is restricted to the application and interoperability mechanisms, served through API gateways.

In-house security-driven mindset

To address the industry security priorities, UpHill also engages employees in safety practices.

UpHill staff must comply with the internal use policy in order to gain access to any protected software or data.

In-house safety practices include using strong passwords, encrypting devices, enabling multi-factor authentication, and undergoing security training.