Veona Trust Center
Security

Security in depth

Veona protects hospital and patient data with layered controls that are part of the platform by design. This page describes how those controls work in practice.

Encryption

Data encryption

  • Patient and operational data is encrypted in transit using TLS across every network connection.
  • Data is encrypted at rest in databases, file storage, and backups.
  • Encryption is a default of every Veona deployment, not an add-on or premium tier.

Access control

Access control, RBAC and MFA

  • Role-based access control maps every user to the minimum permissions their role requires.
  • Least privilege is the default: access to clinical, financial, and administrative data is scoped and separable.
  • Multi-factor authentication is supported for staff accounts to protect against credential theft.
  • Sessions and privileged actions are governed by clear authentication and authorisation checks.

Auditability

Full audit trails

  • Every record change is logged with the actor, the action, and the timestamp.
  • Audit trails are attributable and tamper-evident, supporting clinical accountability and investigations.
  • Logs support data-protection obligations such as demonstrating who accessed a patient record.

Infrastructure

Infrastructure and hosting

  • Veona deploys to in-region cloud infrastructure or on-premise at the facility, depending on the deployment model.
  • Hosting is selected to satisfy data-residency requirements in your country or region.
  • Environments are separated, and production access is restricted to authorised operators.

Network

Network security

  • Services are placed behind controlled network boundaries with restricted ingress.
  • Administrative interfaces are not exposed to the public internet by default.
  • Traffic between components is authenticated and encrypted.

Secure SDLC

Secure development

  • Security is considered through the development lifecycle, from design review to code review.
  • Dependencies are tracked and updated to address known vulnerabilities.
  • Changes follow a controlled release process before reaching production.

Resilience

Backups and disaster recovery

  • Data is backed up so a facility can recover from data loss or hardware failure.
  • Offline-first design means clinical work continues locally through connectivity interruptions and syncs when restored.
  • Recovery procedures are designed to restore service with minimal data loss.

Vuln management

Vulnerability management

  • We monitor for vulnerabilities in our platform and dependencies and remediate based on severity.
  • We welcome reports from external researchers under our responsible-disclosure programme.
  • Periodic security reviews and testing are part of our ongoing posture.

A note on certifications

What is in place, and what is a target

The encryption, access control, MFA, audit trails, and residency controls above are in place by design. ISO 27001 and SOC 2 are roadmap targets we are working toward, not certifications we currently hold. We will not claim otherwise. See Compliance.

Report a vulnerability