Security & Compliance

Our commitment to your digital safety

We take your patient’s privacy seriously

Certified Medical Device

As a certified class I medical device, UpHill is compliant with the industry safety standards. This certification ensures that our product meets the stringent safety requirements established by regulatory bodies, offering both healthcare providers and patients the confidence that UpHill delivers reliable results.

ISO 27001:2022 certified

UpHill is built on a broad culture of security that meets the demands of the healthcare industry, as exemplified by our ISO 27001:2022 certification, awarded by the prestigious British Standards Institution, assuring our clients and partners that their sensitive healthcare information is protected with the utmost care and diligence.

Privacy protection by design

UpHill is GDPR compliant, as part of our commitment to protecting the privacy of our clients' patients' personal health information. Our rigorous adherence to the GDPR ensures that all data handling, storage, and processing activities are conducted with the highest levels of security and respect for individuals' data rights.

UpHill is compliant with relevant industry-standard certifications


When it comes to privacy and security, we noticed not only the safeguarding of standards and best practices but their true implementation.

Carlos Sousa

ICT Manager, Hospital da Cruz Vermelha

Safety: the cornerstone of all steps in our data journey.

Bulletproof monitoring processes & third party audits

Internal monitoring for threats and attempted attacks, infrastructure, and code vulnerabilities on a daily basis.

Multiple third-party penetration tests yearly, including manual penetration testing on our software.

Code audits performed regularly to find and address any security vulnerabilities.

Data encryption and storage

All data is encrypted in transit (TLS 1.2 SHA256-RSA) and in storage (AES256). Backups are also encrypted and stored in a separate location.

Data is stored in the European Cloud at Amazon Web Services, which is compliant with the most demanding safety requirements.

Application containers and databases are in private subnets, inaccessible from the outside.

Access restricted to the application and interoperability mechanisms, served through API gateways.

In-house security-driven mindset

To address the industry security priorities, UpHill also engage employees in safety practices.

UpHill staff must comply with internal use policy prior in order to gain access to any protected software or data.

In-house safety practices includes using strong passwords, encrypting devices, enabling multi-factor authentication, and undergoing security training.