Bot MD

Trust

Built for hospital-grade security.

Bot MD holds ISO 27001, ISO 27017 and ISO 27018 certifications and a SOC 2 attestation. Data is encrypted with AES-256 at rest and TLS 1.3 in transit, every tenant has its own encryption keys, all access is logged automatically, and an independent penetration test is run every year, built to the highest healthcare enterprise standards.

[Image: Bot MD compliance badges for ISO 27001, ISO 27017 and ISO 27018 certifications and AICPA SOC 2 and SOC 3 attestations.]

Certifications

The standards we hold ourselves to.

ISO 27001
Information security
ISO 27017
Cloud security
ISO 27018
Cloud PII
SOC 2
Attested

Compliance posture

  • ISO 27001 certified (information security)
  • ISO 27017 certified (cloud security)
  • ISO 27018 certified (cloud PII protection)
  • SOC 2 attestation (AICPA)
  • Compliant with local data privacy laws in every market in which we operate

Encryption

  • AES-256 encryption at rest
  • TLS 1.3 encryption in transit
  • Per-tenant encryption keys
  • Secrets managed in hardened vaults
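The per-tenant key item above is the one most reviewers ask about: what stops a record from one hospital being decrypted with another hospital's key? The example below is added here as an illustration and is not Bot MD's code. It keeps one AES-256-GCM key per tenant in memory (a real deployment would pull these from a KMS or vault), and binds the tenant ID into the ciphertext as additional authenticated data, so a record sealed for one tenant fails authentication under any other tenant's key. The `TenantKeyring` type, tenant names and sample record are all assumptions for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// TenantKeyring holds one 256-bit data-encryption key per tenant (hospital).
// Keys are generated in memory here; in production they would live in a
// KMS or vault and never be loaded in bulk like this. (Example type, not Bot MD's.)
type TenantKeyring struct {
	keys map[string][]byte
}

func NewTenantKeyring() *TenantKeyring {
	return &TenantKeyring{keys: make(map[string][]byte)}
}

// Provision generates a fresh AES-256 key for a tenant.
func (k *TenantKeyring) Provision(tenantID string) error {
	key := make([]byte, 32) // 32 bytes = AES-256
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return err
	}
	k.keys[tenantID] = key
	return nil
}

// aead builds an AES-GCM instance for the tenant, failing for unknown tenants.
func (k *TenantKeyring) aead(tenantID string) (cipher.AEAD, error) {
	key, ok := k.keys[tenantID]
	if !ok {
		return nil, errors.New("no key provisioned for tenant " + tenantID)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a record under the tenant's key. The tenant ID is passed as
// additional authenticated data, so the ciphertext is bound to that tenant
// and cannot be replayed under another tenant's context.
// Output layout: nonce || ciphertext || GCM tag.
func (k *TenantKeyring) Seal(tenantID string, plaintext []byte) ([]byte, error) {
	gcm, err := k.aead(tenantID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(tenantID)), nil
}

// Open decrypts and authenticates a record. It fails if the key, the tenant ID
// or any byte of the ciphertext differs from what Seal produced.
func (k *TenantKeyring) Open(tenantID string, sealed []byte) ([]byte, error) {
	gcm, err := k.aead(tenantID)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(tenantID))
}

func main() {
	kr := NewTenantKeyring()
	_ = kr.Provision("hospital-a")
	_ = kr.Provision("hospital-b")
	// Constructed sample record, not real patient data.
	sealed, _ := kr.Seal("hospital-a", []byte("MRN 0001: discharge summary"))
	if pt, err := kr.Open("hospital-a", sealed); err == nil {
		fmt.Println("hospital-a:", string(pt))
	}
	if _, err := kr.Open("hospital-b", sealed); err != nil {
		fmt.Println("hospital-b cannot open hospital-a's record:", err)
	}
}
```

The point a reviewer should take from this is that tenant isolation rests on two things together: a distinct key per tenant, and the tenant identity authenticated alongside the data. Either one alone leaves a gap (shared keys with AAD still let an insider with the key read across tenants; distinct keys without AAD let a misrouted ciphertext be decrypted if the wrong key is ever looked up).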

Data residency & deployment

  • Hosted in your region on AWS or Google Cloud
  • On-prem or hospital-server deployments available
  • Pinned data residency per hospital
  • No cross-region data movement by default

Access control

  • Role-based access control (RBAC)
  • SSO via SAML / OIDC
  • Mandatory MFA for admin roles
  • Just-in-time access for engineering

Auditability

  • All access to Bot MD components logged automatically
  • Immutable audit trail for patient data access
  • Configurable retention policies
  • Exportable to hospital SIEM
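"Immutable audit trail" and "exportable to hospital SIEM" are claims a reviewer will want to test, so here is an added example of what a tamper-evident trail looks like in practice. This is an illustration, not Bot MD's implementation: each event carries the hash of the previous event, so editing or reordering any stored record breaks the chain, and the log exports as newline-delimited JSON, the form most SIEM collectors ingest directly. The `AuditLog` type, the field names and the sample events are assumptions for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// AuditEvent is one record of access to patient data (example schema).
// PrevHash links it to the previous event; Hash covers every other field.
type AuditEvent struct {
	Seq      int    `json:"seq"`
	At       string `json:"at"`       // RFC 3339 timestamp supplied by the caller
	Actor    string `json:"actor"`    // user or service principal
	Action   string `json:"action"`   // e.g. read, update, export
	Resource string `json:"resource"` // e.g. patient/<id>
	PrevHash string `json:"prev_hash"`
	Hash     string `json:"hash"`
}

// genesisHash anchors the first event in a fresh log.
var genesisHash = strings.Repeat("0", 64)

// eventDigest hashes every field except Hash itself. Each field is written
// with its length so that field boundaries cannot be shifted to collide.
func eventDigest(e AuditEvent) string {
	h := sha256.New()
	for _, f := range []string{fmt.Sprint(e.Seq), e.At, e.Actor, e.Action, e.Resource, e.PrevHash} {
		fmt.Fprintf(h, "%d:%s;", len(f), f)
	}
	return hex.EncodeToString(h.Sum(nil))
}

// AuditLog is an append-only list of chained events (example type).
type AuditLog struct {
	events []AuditEvent
}

// Append records a new event chained to the previous one.
func (l *AuditLog) Append(at, actor, action, resource string) AuditEvent {
	prev := genesisHash
	if n := len(l.events); n > 0 {
		prev = l.events[n-1].Hash
	}
	e := AuditEvent{Seq: len(l.events), At: at, Actor: actor, Action: action, Resource: resource, PrevHash: prev}
	e.Hash = eventDigest(e)
	l.events = append(l.events, e)
	return e
}

// Events returns a copy so callers cannot mutate the log in place.
func (l *AuditLog) Events() []AuditEvent {
	out := make([]AuditEvent, len(l.events))
	copy(out, l.events)
	return out
}

// Verify re-walks the chain and returns the index of the first event whose
// sequence number, link or hash does not check out, or -1 if it is intact.
func Verify(events []AuditEvent) int {
	prev := genesisHash
	for i, e := range events {
		if e.Seq != i || e.PrevHash != prev || e.Hash != eventDigest(e) {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// ExportJSONL renders the events as newline-delimited JSON for SIEM ingestion.
func ExportJSONL(events []AuditEvent) (string, error) {
	var sb strings.Builder
	for _, e := range events {
		b, err := json.Marshal(e)
		if err != nil {
			return "", err
		}
		sb.Write(b)
		sb.WriteByte('\n')
	}
	return sb.String(), nil
}

func main() {
	// Constructed sample events, not real access records.
	var al AuditLog
	al.Append("2024-05-01T08:00:00Z", "dr.tan", "read", "patient/0001")
	al.Append("2024-05-01T08:02:10Z", "nurse.lim", "update", "patient/0001")
	events := al.Events()
	fmt.Println("intact chain, first bad index:", Verify(events))
	events[0].Actor = "someone.else" // tamper with a stored copy
	fmt.Println("tampered chain, first bad index:", Verify(events))
	out, _ := ExportJSONL(al.Events())
	fmt.Print(out)
}
```

One caveat worth raising with any vendor making this claim: a hash chain detects edits and reordering, but not the silent removal of the newest events, because a truncated chain still verifies. Immutability in the strong sense needs the latest hash anchored somewhere the application cannot rewrite (write-once storage, a signed checkpoint shipped to the hospital SIEM, or both), which is also why the SIEM export matters.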

Clinical safety

  • Doctor-tested workflow design
  • Escalation to humans on red-flag responses
  • Continuous safety evaluations
  • Audit trails for every agent decision

Operations

How we run the platform day-to-day.

Annual penetration testing

Independent third-party penetration test every year, with findings tracked to remediation. Continuous dependency scanning and coordinated disclosure with researchers in between.

Vendor management

Sub-processors are vetted, contractually bound, and documented. Full list available under NDA.

Incident response

On-call rotations, a defined severity ladder, and customer notification SLAs for security events.

Employee security

Background checks, mandatory security training, hardware-key 2FA, least-privilege production access.

See how Bot MD can automate one of your patient workflows in 30 minutes.

Bring us a workflow — patient inquiries, appointment booking, pre-admission, patient education, surveys, remote monitoring, or campaign conversion. We’ll show how an AI Agent can handle it across chat, integrate with your systems, and escalate safely to your team.