Built for Healthcare Compliance
Trust & Security
Compliance and Certification
Natoe AI is built from the ground up for healthcare regulatory compliance. Every commitment below is maintained continuously, not just verified at onboarding.
HIPAA Compliant
All data transmission, storage, and access at Natoe AI complies with the HIPAA Privacy Rule and Security Rule. We execute a Business Associate Agreement (BAA) with every client facility before any PHI is transmitted. Our workforce completes HIPAA training annually, and our platform is audited for HIPAA compliance on an ongoing basis.
FDA-Cleared AI
The AI algorithms used in our teleradiology workflow hold FDA 510(k) clearance for the specific clinical indications in which they are applied, including chest X-ray, intracranial hemorrhage detection, and pulmonary embolism flagging. We do not use AI that lacks FDA clearance in clinical workflows.
SOC 2 Type II Attestation
Our platform has completed a SOC 2 Type II audit covering all five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. A SOC 2 Type II report attests that our controls operated effectively throughout the audit period, not only that they were designed correctly at a single point in time.
State Licensure for All Radiologists
Every radiologist reading studies through Natoe AI holds an active medical license in the state where the imaging center is located; we do not read across state license boundaries. Licensure is verified continuously, and renewals are confirmed before any expiration.
Measurable trust infrastructure behind every read

How We Protect Your Patient Data
Every study that passes through Natoe AI is treated as Protected Health Information (PHI) under HIPAA. Transmission from your PACS to our platform is encrypted in transit with TLS 1.3, and studies at rest are encrypted with AES-256. Access to PHI is role-based and fully logged: every access event, whether permitted or denied, is recorded and available for audit.
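The access-control model described above, role-based access to PHI where every access attempt is written to an audit trail, is shown in the added example below. This is illustrative code written for this page, not Natoe AI's platform code; the role names, permission strings, study identifiers and JSON log format are assumptions, and the sample study is constructed inline.

```python
"""Role-based PHI access with a mandatory audit trail (illustrative example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import json

# Assumed role-to-permission map. Each role gets only what its job needs:
# billing can read a finished report but never the pixel data of a study.
PERMISSIONS = {
    "radiologist": {"study:read", "report:write"},
    "technologist": {"study:upload"},
    "billing": {"report:read"},
}


class AccessDenied(PermissionError):
    """Raised when a role lacks the permission for the requested action."""


@dataclass
class AuditLog:
    """Append-only list of JSON audit records, one per access attempt."""
    entries: list = field(default_factory=list)

    def record(self, user, role, action, study_id, allowed, reason=""):
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "role": role,
            "action": action,
            "study_id": study_id,
            "allowed": allowed,
            "reason": reason,
        }
        self.entries.append(json.dumps(entry, sort_keys=True))
        return entry

    def denied(self):
        """Return parsed records for every denied attempt (what an auditor asks for)."""
        return [e for e in map(json.loads, self.entries) if not e["allowed"]]


@dataclass
class PhiStore:
    """Holds studies and enforces RBAC; nothing is returned without a log record."""
    studies: dict
    log: AuditLog = field(default_factory=AuditLog)

    def access(self, user, role, action, study_id):
        perms = PERMISSIONS.get(role, set())
        # Permission check comes first so an unauthorized caller cannot probe
        # which study identifiers exist.
        if action not in perms:
            self.log.record(user, role, action, study_id, False, "role lacks permission")
            raise AccessDenied(f"{role} may not {action}")
        if study_id not in self.studies:
            self.log.record(user, role, action, study_id, False, "unknown study")
            raise KeyError(study_id)
        self.log.record(user, role, action, study_id, True)
        return self.studies[study_id]


def demo():
    """Run a few constructed access attempts; return (allowed, denied, log length)."""
    store = PhiStore(studies={"ST-1001": {"modality": "CR", "report": None}})  # constructed
    attempts = [
        ("dr.lee", "radiologist", "study:read", "ST-1001"),   # permitted
        ("bill.ops", "billing", "study:read", "ST-1001"),     # denied: no study:read
        ("tech01", "technologist", "study:read", "ST-9999"),  # denied: no study:read
        ("dr.lee", "radiologist", "study:read", "ST-9999"),   # denied: unknown study
    ]
    allowed = denied = 0
    for user, role, action, study_id in attempts:
        try:
            store.access(user, role, action, study_id)
            allowed += 1
        except (AccessDenied, KeyError):
            denied += 1
    return allowed, denied, len(store.log.entries), store.log.denied()


if __name__ == "__main__":
    ok, no, n, denied = demo()
    print(f"allowed={ok} denied={no} audit_records={n}")
    for rec in denied:
        print("DENIED", rec["user"], rec["role"], rec["action"], rec["study_id"], rec["reason"])
```

The point an auditor will check is that denials are logged as faithfully as successes, and that the log count equals the number of attempts; the permission check is ordered before the existence check so a denied role learns nothing about which studies exist.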
We do not retain studies longer than contractually required. When the agreed retention period ends, studies are permanently deleted from our systems in accordance with the HIPAA Security Rule's disposal requirements, and deletion certificates are available on request.
Our Business Associate Agreement (BAA) is available before any data sharing begins. We do not operate in a BAA-optional model: every client facility executes a BAA as a condition of service. The BAA delineates permitted uses and disclosures of PHI, breach notification responsibilities, and subcontractor obligations for our radiologist network.