Trust & Security
PostDICOM stores and processes millions of medical images across 30+ countries. This page documents our security architecture, independent certifications, and compliance practices — so you can make an informed decision.
Security Architecture
PostDICOM applies security controls at the encryption, identity, infrastructure, and payment layers — because security is not a feature, it is the foundation on which the platform is engineered.
Protected health information (PHI) is secured using AES-256 encryption at rest. All data in transit — between your imaging devices, browsers, and our cloud — is protected via TLS 1.2/1.3.
Role-based access control (RBAC) lets you grant each team member precisely scoped permissions. Two-factor authentication (2FA) is supported for all accounts. Views, uploads, shares, and administrative actions are recorded in an audit log retained during your active subscription.
PostDICOM runs on Microsoft Azure — one of the world's most widely used enterprise cloud platforms. Your data is stored within the region you select at account setup. Microsoft Azure holds ISO 27001, SOC 2, and HIPAA compliance certifications across its global infrastructure.
Payment processing is handled exclusively by Stripe, a PCI DSS Level 1 certified provider. PostDICOM does not store, transmit, or process credit card numbers on its own servers. All new subscriptions use Stripe Setup Intents with 3D Secure (SCA) authentication, verifying your card is valid and authorised before your trial begins.
Yes. PostDICOM utilizes 12 independent Microsoft Azure regions so you can select the jurisdiction where your patient data is stored — supporting regional healthcare data laws that require records to remain within specific geographic boundaries.
When you configure your PostDICOM account, you select your primary region. Your DICOM files, databases, and logs are designed to remain within that selected jurisdiction.
Microsoft Azure Backbone
European Union: Frankfurt (Germany), Paris (France)
United States: New York City (USA), Los Angeles (USA), Dallas (USA)
United Kingdom: London (United Kingdom)
Switzerland: Zurich (Switzerland)
Canada: Montreal (Canada)
Asia & Pacific: Singapore, Sydney (Australia), Pune (India)
South America: São Paulo (Brazil)
Certifications
PostDICOM holds CE Mark Class IIb, ISO 27001, ISO 13485, ISO 9001, and ISO 15504 certifications awarded by independent third-party audit bodies — not self-assessed. Each represents an ongoing commitment, not a one-time achievement.
The CE Mark, ISO 27001, ISO 13485, ISO 9001, and ISO 15504 certifications are held by Ekstrem Bir Bilgisayar Danışmanlık İç ve Dış Ticaret Limited Şirketi, the certified legal manufacturer of the PostDICOM software. HIPAA and GDPR entries reflect compliant architecture design, not third-party certifications.
CE Mark — Class IIb
1984-MDD-10-057
PostDICOM is CE-marked as a Class IIb medical device under the Medical Device Directive (MDD 93/42/EEC).
ISO 27001:2022
Information Security Management
Independent third-party audit of our information security management system (ISMS) covering risk management, access control, incident response, and business continuity.
ISO 13485:2016
Medical Device Quality Management
Certification of our quality management system specific to the design, development, and post-market surveillance of medical devices.
ISO 9001:2015
Quality Management System
General quality management certification covering consistent delivery of services that meet customer and regulatory requirements.
ISO 15504 / SPICE
Level 2 — Software Process Capability
Assessment of our software development process capability at Level 2 (Managed Process), confirming that software development is planned, monitored, and adjusted to meet defined objectives.
HIPAA Compliant Architecture
United States Health Data
PostDICOM's infrastructure is architected to support HIPAA-compliant healthcare data workflows. All PHI is encrypted at rest and in transit, access is logged, and systems are deployed on Microsoft Azure in US-based data centres for US-region customers.
GDPR Compliant Architecture
European & Global Data Protection
PostDICOM B.V. is incorporated in the Netherlands and operates within the European Union legal framework. Patient data for EU customers is stored in EU-based Azure regions.
Regulatory Roadmap
PostDICOM is currently CE-marked as a Class IIb medical device and is actively progressing toward EU MDR compliance. Below is a transparent overview of where we stand today and where we are headed.
1984-MDD-10-057
PostDICOM is currently CE-marked under the Medical Device Directive (MDD 93/42/EEC) as a Class IIb medical imaging software. This certification is active and maintained.
Medical Device Regulation (EU) 2017/745
The Medical Device Directive is being superseded by the Medical Device Regulation (MDR). PostDICOM's legal manufacturer is actively engaged in the MDR transition process. Target completion: 2028.
Sub-Processors
PostDICOM relies on a small number of carefully selected providers — Microsoft Azure for cloud infrastructure and Stripe for payment processing. Below is a complete list of the key sub-processors we use.
Corporate Transparency
PostDICOM operates through two entities: PostDICOM B.V. (Netherlands), the global commercial and licensing entity, and Ekstrem Bir Bilgisayar Danışmanlık, the certified legal manufacturer. This clearly defined structure separates commercial licensing from regulated software manufacturing.
Global Headquarters
PostDICOM B.V. is the entity you contract with when you purchase a PostDICOM subscription. It is responsible for customer agreements, invoicing, and data protection matters.
Technology & R&D Center
Ekstrem Bir Bilgisayar Danışmanlık İç ve Dış Ticaret Limited Şirketi is the certified legal manufacturer of the PostDICOM software. It holds all medical device certifications and is responsible for software engineering, quality management, and regulatory compliance of the PostDICOM platform.
Straightforward answers to common due-diligence questions.
Yes. PostDICOM's infrastructure and processes are architected to support HIPAA-compliant workflows: PHI is encrypted at rest (AES-256) and in transit (TLS 1.2/1.3), access is controlled via role-based permissions and two-factor authentication, and all activity is recorded in an audit log. Note that 'HIPAA certification' does not exist as an official standard — HIPAA compliance is a set of practices, not a certificate awarded by a third party.
When you create your PostDICOM account, you select your primary storage location from 12 independent Microsoft Azure regions: EU: Frankfurt (Germany), Paris (France); USA: East, West, South Central; UK: London; Switzerland: Zurich; Canada: Montreal; Asia-Pacific: Singapore, Sydney (Australia), Pune (India); South America: São Paulo (Brazil). Your data is hosted within your selected jurisdiction to help you meet local data residency requirements and comply with regional healthcare privacy laws (such as GDPR or HIPAA).
Before cancelling your subscription, download all patient data you wish to retain — including DICOM studies, medical images, documents, and any other uploaded files. When your subscription ends, all remaining patient data is permanently deleted from our systems. There is no grace period after cancellation. Your account record is retained for accounting and invoicing purposes only.