AuraMed Security Policy

1Article 1. Purpose and nature of the document

(1)This Security Policy (the “Policy”) describes the general principles, organizational and technical measures, and security governance rules applicable to the AuraMed platform (the “Platform”), operated by PTECHIT SRL, with registered office at Bdul. Mamaia Nord 14, CORP B2, Floor 2, Apt. 38, Navodari, Constanta County, postal code 905700, Romania, registered with the Trade Register under no. J2025043440008, tax identification code 51988476, EUID ROONRC.J2025043440008, e-mail contact@auramed.ro, telephone +40 750 484 004.
(2)The Policy has a public information and transparency role and does not exhaustively describe all controls, configurations, internal procedures, architectures, logs, alerting thresholds, defensive mechanisms or operational plans applied by AuraMed.
(3)AuraMed implements and updates security measures according to the nature, purpose, context and risks of processing, as well as technological evolution, threats and applicable legal obligations.
(4)In interpreting and applying this Policy, AuraMed takes into account, in particular, the principle of integrity and confidentiality provided by Article 5(1)(f) GDPR, the controller’s general obligation provided by Article 24(1)-(2) GDPR and the obligation to integrate data protection by design and by default, according to Article 25(1)-(2) GDPR.

2Article 2. Relevant legal framework

(1)This Policy is interpreted together with:
a)Regulation (EU) 2016/679 (“GDPR”);
b)Romanian Law no. 190/2018 on measures for implementing the GDPR;
c)Romanian and European legislation applicable to cybersecurity;
d)where applicable, legislation regarding electronic communications, confidentiality, business continuity and incident management.
(2)With regard to the security of personal data processing, AuraMed takes into account in particular:
a)Article 24 GDPR – responsibility of the controller;
b)Article 25 GDPR – data protection by design and by default;
c)Article 28 GDPR – selection of processors and contractual obligations;
d)Article 30 GDPR – records of processing activities;
e)Article 32 GDPR – security of processing;
f)Articles 33-34 GDPR – notification of security breaches;
g)Article 35 GDPR – data protection impact assessment;
h)Articles 37-39 GDPR – the data protection officer, where applicable.
(3)In cybersecurity matters, AuraMed also follows the applicable requirements, to the extent they become relevant to its operational model, including those resulting from Directive (EU) 2022/2555 (NIS2) and its transposition into Romanian law by Government Emergency Ordinance no. 155/2024, approved by Law no. 124/2025.

3Article 3. Security principles applied by AuraMed

(1)AuraMed applies a risk-based, proportionate and minimization-oriented approach, so that the level of security is appropriate to the nature of the data, including health data, the volume of processing, the purposes pursued and the potential impact on data subjects.
(2)Security measures cumulatively aim to ensure:
a)confidentiality of data;
b)integrity of data and systems;
c)availability of services and legitimate access;
d)resilience of infrastructure;
e)detection, response and remediation of incidents;
f)traceability and audit capability.
(3)AuraMed also pursues, where applicable, an “all-hazards” approach to cyber and operational risks, including in relation to software development, the supply chain, business continuity, vulnerabilities and secure communications. NIS2 requires exactly a proportionate, risk-based approach and lists among the minimum elements: risk analysis, incident handling, business continuity, supply chain security, secure acquisition/development/maintenance, vulnerability handling and disclosure, training and cryptography / where appropriate, encryption.

4Article 4. Technical and organizational measures

(1)In accordance with Article 32(1) GDPR, AuraMed implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
(2)These measures may include, where applicable:
a)pseudonymization and/or encryption of data;
b)role-based access control and need-to-know access;
c)segregation of development, test and production environments;
d)strengthened authentication and, where appropriate, multifactor authentication;
e)monitoring, logging and auditing of access;
f)endpoint protection, security updates and patch management;
g)backup, restoration and recovery plans;
h)periodic testing of the effectiveness of measures;
i)controls regarding export, transfer and deletion of data;
j)continuity and incident-response procedures.
(3)According to Article 32(1)(a)-(d) GDPR, the examples expressly provided by law include pseudonymization and encryption, the ability to ensure ongoing confidentiality, integrity, availability and resilience, timely restoration of availability and access to data, and a process for regularly testing, assessing and evaluating the effectiveness of the measures.
(4)AuraMed does not guarantee absolute security, but aims to maintain an adequate, updated and documented level of protection under Articles 24 and 32 GDPR. ANSPDCP has reiterated in its practice that the absence of elementary security controls and testing of effectiveness may lead to sanctions under Articles 24 and 32 GDPR.

5Article 5. Access control and staff confidentiality

(1)AuraMed limits access to data and systems only to authorized persons who have a legitimate and documented need for access in order to perform their duties.
(2)Access is granted, reviewed and withdrawn according to roles, responsibilities, the “least privilege” principle and the principle of separation of duties, where applicable.
(3)Persons acting under AuraMed’s authority who may have access to data are bound by contractual, legal or professional confidentiality and may process data only according to applicable instructions and policies.
(4)Article 32(4) GDPR expressly requires the controller and processor to take steps to ensure that any person acting under their authority who has access to data does not process it except on instructions from the controller, unless required to do so by law.

6Article 6. Secure design, development and providers

(1)AuraMed aims to integrate security and data protection from the stages of design, selection, development, configuration, implementation and modification of the Platform, according to Article 25(1)-(2) GDPR.
(2)To the extent AuraMed uses IT, cloud, hosting, communications, security, AI, analytics, support or other relevant subcontractors, their selection is carried out taking into account their guarantees regarding security and data protection.
(3)When a third party acts as a processor, AuraMed uses, under Article 28(1) and (3) GDPR, only providers that offer sufficient guarantees and enters into the necessary contractual documentation, including regarding confidentiality, security measures, subprocessors, incident assistance, deletion/return and audit.
(4)To the extent AuraMed falls within the scope of NIS2/Government Emergency Ordinance no. 155/2024, security governance will also include requirements regarding supply chain security and secure acquisition, development and maintenance, including vulnerability handling and disclosure.

7Article 7. Health data and high level of protection

(1)To the extent AuraMed processes health data, such data is treated as special-category data within the meaning of Article 9(1) GDPR and benefits from enhanced protection measures.
(2)AuraMed aims to apply, depending on the real processing context:
a)data minimization;
b)access limitation;
c)pseudonymization, where appropriate;
d)limited retention;
e)logical separation of flows and logs;
f)enhanced controls for medical documents and sensitive conversations.
(3)AuraMed adapts its security measures to the particularly sensitive nature of health data, in accordance with Article 9(1)-(2) GDPR and the general security obligation provided by Article 32 GDPR. ANSPDCP expressly states that health data forms part of the special categories and may be processed only under the conditions of Article 9(2) GDPR.

8Article 8. Records, impact assessments and governance

(1)AuraMed maintains, to the extent applicable, records of processing activities in accordance with Article 30 GDPR and documents the relevant security and compliance measures.
(2)If a processing operation is likely to result in a high risk to the rights and freedoms of natural persons, AuraMed carries out a data protection impact assessment (DPIA) under Article 35 GDPR before launching or extending that processing.
(3)Article 35 GDPR indicates, among typical cases, large-scale processing of special categories of data, and the EDPB emphasizes that a DPIA is a written assessment intended to identify risks and appropriate safeguards. ANSPDCP includes DPIA among the controller’s key obligations.

9Article 9. Data protection officer and security function

(1)AuraMed periodically assesses whether the obligation to appoint a Data Protection Officer (DPO) applies, especially in relation to Article 37(1)(b) and (c) GDPR.
(2)According to Article 37(1) GDPR, appointing a DPO is required, among other cases, when:
a)the core activities involve large-scale regular and systematic monitoring; or
b)the core activities involve large-scale processing of special categories of data, including health data.
(3)If a DPO is appointed, AuraMed ensures their proper and timely involvement in all issues relating to data protection, in accordance with Article 38(1) and (3) GDPR, and their tasks also include advice regarding DPIA and monitoring compliance, pursuant to Article 39(1)(b)-(c) GDPR.

10Article 10. Monitoring, testing and continuous improvement

(1)AuraMed applies periodic processes for checking, testing, evaluating and improving technical and organizational controls, in accordance with Article 32(1)(d) GDPR.
(2)These processes may include, where applicable:
a)access reviews;
b)configuration checks;
c)vulnerability assessments;
d)internal or external audits;
e)incident-response exercises;
f)backup and restoration checks;
g)training and awareness for personnel.
(3)ANSPDCP explicitly mentions among the necessary measures the existence of a process for regularly testing, assessing and evaluating the effectiveness of security measures, and NIS2 also requires policies/procedures for assessing the effectiveness of cybersecurity risk-management measures.

11Article 11. Business continuity, backup and disaster recovery

(1)AuraMed aims to maintain business continuity and operational resilience through proportionate backup, restoration, redundancy, recovery and crisis-management measures, in relation to the nature of the services provided.
(2)Article 32(1)(c) GDPR requires the ability to restore the availability of personal data and access to it in a timely manner in the event of a physical or technical incident.
(3)To the extent NIS2/Government Emergency Ordinance no. 155/2024 applies, AuraMed also aims to integrate business continuity, backup management, disaster recovery and crisis management measures, which form part of the minimum core of Article 21 NIS2. DNSC also publishes dedicated guidelines for disaster recovery policies in the context of Government Emergency Ordinance no. 155/2024, approved by Law no. 124/2025.

12Article 12. Management of security incidents and data breaches

(1)AuraMed maintains internal procedures for identifying, assessing, escalating, containing, investigating, remediating and documenting security incidents.
(2)AuraMed distinguishes between:
a)a cybersecurity / operational incident, which affects or may affect systems, services or business continuity; and
b)a personal data breach, within the meaning of Article 4(12) GDPR, which may involve destruction, loss, alteration, unauthorized disclosure or unauthorized access to data.
(3)In the event of a personal data breach, AuraMed applies Article 33 GDPR and notifies the competent supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
(4)If the breach is likely to result in a high risk to the rights and freedoms of natural persons, AuraMed also communicates the incident to the data subject under Article 34(1) GDPR.
(5)Article 33(3) GDPR requires the notification to include at least the nature of the breach, the categories and approximate number of data subjects and records affected, the contact details of the contact point/DPO, the likely consequences and the measures taken or proposed; Article 33(5) also requires documentation of all breaches. ANSPDCP provides the notification form for a security breach under GDPR.

13Article 13. Cyber incident reporting to the extent NIS2 applies

(1)To the extent AuraMed falls within the scope of NIS2 and Romanian transposition legislation, significant incidents will also be managed and reported according to the applicable sectoral cybersecurity rules.
(2)Under the NIS2 framework, in-scope entities have multi-stage reporting obligations: early warning within 24 hours of becoming aware, notification within 72 hours and a final report, generally within one month.
(3)Through this Policy, AuraMed does not automatically state that it qualifies as an essential or important entity within the meaning of NIS2/Government Emergency Ordinance no. 155/2024; this qualification is analyzed separately, depending on actual activities, sector, size and applicable legal criteria.

14Article 14. User responsibilities

(1)Users of the Platform are required to use reasonably secure services and devices, protect credentials, avoid unauthorized sharing of accounts or access links and inform us without delay if they suspect unauthorized use or a vulnerability.
(2)Users must not upload malicious code, attempt to bypass security measures, perform unauthorized testing, scraping, prohibited reverse engineering, privilege-escalation attempts or any other actions likely to affect the availability, integrity or confidentiality of the Platform.
(3)AuraMed reserves the right to suspend, limit or block access in the event of activities that pose a security risk or violate the law or applicable contractual documentation.

15Article 15. Vulnerability reporting

(1)If you identify a vulnerability, abnormal behavior, insecure configuration or security incident related to the Platform, please contact us at: dev@auramed.ro.
(2)AuraMed encourages responsible and good-faith disclosure of vulnerabilities and may analyze, validate, prioritize and remediate reported issues depending on severity and impact.
(3)To the extent NIS2 applies, vulnerability handling and disclosure are among the elements expressly mentioned by the European cyber risk-management framework.

16Article 16. Review and update of the policy

(1)AuraMed may review and update this Policy for legal, technical, operational or commercial reasons.
(2)Any updated version will be published on the Platform, with the date of the last update indicated.
(3)Relevant changes may also be correlated with changes in the technical architecture, providers, data flows, GDPR obligations, the NIS2 framework or current cyber threats.

1Article 1. Purpose and nature of the document

(1)This Security Policy (the “Policy”) describes the general principles, organizational and technical measures, and security governance rules applicable to the AuraMed platform (the “Platform”), operated by PTECHIT SRL, with registered office at Bdul. Mamaia Nord 14, CORP B2, Floor 2, Apt. 38, Navodari, Constanta County, postal code 905700, Romania, registered with the Trade Register under no. J2025043440008, tax identification code 51988476, EUID ROONRC.J2025043440008, e-mail contact@auramed.ro, telephone +40 750 484 004.
(2)The Policy has a public information and transparency role and does not exhaustively describe all controls, configurations, internal procedures, architectures, logs, alerting thresholds, defensive mechanisms or operational plans applied by AuraMed.
(3)AuraMed implements and updates security measures according to the nature, purpose, context and risks of processing, as well as technological evolution, threats and applicable legal obligations.
(4)In interpreting and applying this Policy, AuraMed takes into account, in particular, the principle of integrity and confidentiality provided by Article 5(1)(f) GDPR, the controller’s general obligation provided by Article 24(1)-(2) GDPR and the obligation to integrate data protection by design and by default, according to Article 25(1)-(2) GDPR.

2Article 2. Relevant legal framework

(1)This Policy is interpreted together with:
a)Regulation (EU) 2016/679 (“GDPR”);
b)Romanian Law no. 190/2018 on measures for implementing the GDPR;
c)Romanian and European legislation applicable to cybersecurity;
d)where applicable, legislation regarding electronic communications, confidentiality, business continuity and incident management.
(2)With regard to the security of personal data processing, AuraMed takes into account in particular:
a)Article 24 GDPR – responsibility of the controller;
b)Article 25 GDPR – data protection by design and by default;
c)Article 28 GDPR – selection of processors and contractual obligations;
d)Article 30 GDPR – records of processing activities;
e)Article 32 GDPR – security of processing;
f)Articles 33-34 GDPR – notification of security breaches;
g)Article 35 GDPR – data protection impact assessment;
h)Articles 37-39 GDPR – the data protection officer, where applicable.
(3)In cybersecurity matters, AuraMed also follows the applicable requirements, to the extent they become relevant to its operational model, including those resulting from Directive (EU) 2022/2555 (NIS2) and its transposition into Romanian law by Government Emergency Ordinance no. 155/2024, approved by Law no. 124/2025.

3Article 3. Security principles applied by AuraMed

(1)AuraMed applies a risk-based, proportionate and minimization-oriented approach, so that the level of security is appropriate to the nature of the data, including health data, the volume of processing, the purposes pursued and the potential impact on data subjects.
(2)Security measures cumulatively aim to ensure:
a)confidentiality of data;
b)integrity of data and systems;
c)availability of services and legitimate access;
d)resilience of infrastructure;
e)detection, response and remediation of incidents;
f)traceability and audit capability.
(3)AuraMed also pursues, where applicable, an “all-hazards” approach to cyber and operational risks, including in relation to software development, the supply chain, business continuity, vulnerabilities and secure communications. NIS2 requires exactly a proportionate, risk-based approach and lists among the minimum elements: risk analysis, incident handling, business continuity, supply chain security, secure acquisition/development/maintenance, vulnerability handling and disclosure, training and cryptography / where appropriate, encryption.

4Article 4. Technical and organizational measures

(1)In accordance with Article 32(1) GDPR, AuraMed implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
(2)These measures may include, where applicable:
a)pseudonymization and/or encryption of data;
b)role-based access control and need-to-know access;
c)segregation of development, test and production environments;
d)strengthened authentication and, where appropriate, multifactor authentication;
e)monitoring, logging and auditing of access;
f)endpoint protection, security updates and patch management;
g)backup, restoration and recovery plans;
h)periodic testing of the effectiveness of measures;
i)controls regarding export, transfer and deletion of data;
j)continuity and incident-response procedures.
(3)According to Article 32(1)(a)-(d) GDPR, the examples expressly provided by law include pseudonymization and encryption, the ability to ensure ongoing confidentiality, integrity, availability and resilience, timely restoration of availability and access to data, and a process for regularly testing, assessing and evaluating the effectiveness of the measures.
(4)AuraMed does not guarantee absolute security, but aims to maintain an adequate, updated and documented level of protection under Articles 24 and 32 GDPR. ANSPDCP has reiterated in its practice that the absence of elementary security controls and testing of effectiveness may lead to sanctions under Articles 24 and 32 GDPR.

5Article 5. Access control and staff confidentiality

(1)AuraMed limits access to data and systems only to authorized persons who have a legitimate and documented need for access in order to perform their duties.
(2)Access is granted, reviewed and withdrawn according to roles, responsibilities, the “least privilege” principle and the principle of separation of duties, where applicable.
(3)Persons acting under AuraMed’s authority who may have access to data are bound by contractual, legal or professional confidentiality and may process data only according to applicable instructions and policies.
(4)Article 32(4) GDPR expressly requires the controller and processor to take steps to ensure that any person acting under their authority who has access to data does not process it except on instructions from the controller, unless required to do so by law.

6Article 6. Secure design, development and providers

(1)AuraMed aims to integrate security and data protection from the stages of design, selection, development, configuration, implementation and modification of the Platform, according to Article 25(1)-(2) GDPR.
(2)To the extent AuraMed uses IT, cloud, hosting, communications, security, AI, analytics, support or other relevant subcontractors, their selection is carried out taking into account their guarantees regarding security and data protection.
(3)When a third party acts as a processor, AuraMed uses, under Article 28(1) and (3) GDPR, only providers that offer sufficient guarantees and enters into the necessary contractual documentation, including regarding confidentiality, security measures, subprocessors, incident assistance, deletion/return and audit.
(4)To the extent AuraMed falls within the scope of NIS2/Government Emergency Ordinance no. 155/2024, security governance will also include requirements regarding supply chain security and secure acquisition, development and maintenance, including vulnerability handling and disclosure.

7Article 7. Health data and high level of protection

(1)To the extent AuraMed processes health data, such data is treated as special-category data within the meaning of Article 9(1) GDPR and benefits from enhanced protection measures.
(2)AuraMed aims to apply, depending on the real processing context:
a)data minimization;
b)access limitation;
c)pseudonymization, where appropriate;
d)limited retention;
e)logical separation of flows and logs;
f)enhanced controls for medical documents and sensitive conversations.
(3)AuraMed adapts its security measures to the particularly sensitive nature of health data, in accordance with Article 9(1)-(2) GDPR and the general security obligation provided by Article 32 GDPR. ANSPDCP expressly states that health data forms part of the special categories and may be processed only under the conditions of Article 9(2) GDPR.

8Article 8. Records, impact assessments and governance

(1)AuraMed maintains, to the extent applicable, records of processing activities in accordance with Article 30 GDPR and documents the relevant security and compliance measures.
(2)If a processing operation is likely to result in a high risk to the rights and freedoms of natural persons, AuraMed carries out a data protection impact assessment (DPIA) under Article 35 GDPR before launching or extending that processing.
(3)Article 35 GDPR indicates, among typical cases, large-scale processing of special categories of data, and the EDPB emphasizes that a DPIA is a written assessment intended to identify risks and appropriate safeguards. ANSPDCP includes DPIA among the controller’s key obligations.

9Article 9. Data protection officer and security function

(1)AuraMed periodically assesses whether the obligation to appoint a Data Protection Officer (DPO) applies, especially in relation to Article 37(1)(b) and (c) GDPR.
(2)According to Article 37(1) GDPR, appointing a DPO is required, among other cases, when:
a)the core activities involve large-scale regular and systematic monitoring; or
b)the core activities involve large-scale processing of special categories of data, including health data.
(3)If a DPO is appointed, AuraMed ensures their proper and timely involvement in all issues relating to data protection, in accordance with Article 38(1) and (3) GDPR, and their tasks also include advice regarding DPIA and monitoring compliance, pursuant to Article 39(1)(b)-(c) GDPR.

10Article 10. Monitoring, testing and continuous improvement

(1)AuraMed applies periodic processes for checking, testing, evaluating and improving technical and organizational controls, in accordance with Article 32(1)(d) GDPR.
(2)These processes may include, where applicable:
a)access reviews;
b)configuration checks;
c)vulnerability assessments;
d)internal or external audits;
e)incident-response exercises;
f)backup and restoration checks;
g)training and awareness for personnel.
(3)ANSPDCP explicitly mentions among the necessary measures the existence of a process for regularly testing, assessing and evaluating the effectiveness of security measures, and NIS2 also requires policies/procedures for assessing the effectiveness of cybersecurity risk-management measures.

11Article 11. Business continuity, backup and disaster recovery

(1)AuraMed aims to maintain business continuity and operational resilience through proportionate backup, restoration, redundancy, recovery and crisis-management measures, in relation to the nature of the services provided.
(2)Article 32(1)(c) GDPR requires the ability to restore the availability of personal data and access to it in a timely manner in the event of a physical or technical incident.
(3)To the extent NIS2/Government Emergency Ordinance no. 155/2024 applies, AuraMed also aims to integrate business continuity, backup management, disaster recovery and crisis management measures, which form part of the minimum core of Article 21 NIS2. DNSC also publishes dedicated guidelines for disaster recovery policies in the context of Government Emergency Ordinance no. 155/2024, approved by Law no. 124/2025.

12Article 12. Management of security incidents and data breaches

(1)AuraMed maintains internal procedures for identifying, assessing, escalating, containing, investigating, remediating and documenting security incidents.
(2)AuraMed distinguishes between:
a)a cybersecurity / operational incident, which affects or may affect systems, services or business continuity; and
b)a personal data breach, within the meaning of Article 4(12) GDPR, which may involve destruction, loss, alteration, unauthorized disclosure or unauthorized access to data.
(3)In the event of a personal data breach, AuraMed applies Article 33 GDPR and notifies the competent supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
(4)If the breach is likely to result in a high risk to the rights and freedoms of natural persons, AuraMed also communicates the incident to the data subject under Article 34(1) GDPR.
(5)Article 33(3) GDPR requires the notification to include at least the nature of the breach, the categories and approximate number of data subjects and records affected, the contact details of the contact point/DPO, the likely consequences and the measures taken or proposed; Article 33(5) also requires documentation of all breaches. ANSPDCP provides the notification form for a security breach under GDPR.

13Article 13. Cyber incident reporting to the extent NIS2 applies

(1)To the extent AuraMed falls within the scope of NIS2 and Romanian transposition legislation, significant incidents will also be managed and reported according to the applicable sectoral cybersecurity rules.
(2)Under the NIS2 framework, in-scope entities have multi-stage reporting obligations: early warning within 24 hours of becoming aware, notification within 72 hours and a final report, generally within one month.
(3)Through this Policy, AuraMed does not automatically state that it qualifies as an essential or important entity within the meaning of NIS2/Government Emergency Ordinance no. 155/2024; this qualification is analyzed separately, depending on actual activities, sector, size and applicable legal criteria.

14Article 14. User responsibilities

(1)Users of the Platform are required to use reasonably secure services and devices, protect credentials, avoid unauthorized sharing of accounts or access links and inform us without delay if they suspect unauthorized use or a vulnerability.
(2)Users must not upload malicious code, attempt to bypass security measures, perform unauthorized testing, scraping, prohibited reverse engineering, privilege-escalation attempts or any other actions likely to affect the availability, integrity or confidentiality of the Platform.
(3)AuraMed reserves the right to suspend, limit or block access in the event of activities that pose a security risk or violate the law or applicable contractual documentation.

15Article 15. Vulnerability reporting

(1)If you identify a vulnerability, abnormal behavior, insecure configuration or security incident related to the Platform, please contact us at: dev@auramed.ro.
(2)AuraMed encourages responsible and good-faith disclosure of vulnerabilities and may analyze, validate, prioritize and remediate reported issues depending on severity and impact.
(3)To the extent NIS2 applies, vulnerability handling and disclosure are among the elements expressly mentioned by the European cyber risk-management framework.

16Article 16. Review and update of the policy

(1)AuraMed may review and update this Policy for legal, technical, operational or commercial reasons.
(2)Any updated version will be published on the Platform, with the date of the last update indicated.
(3)Relevant changes may also be correlated with changes in the technical architecture, providers, data flows, GDPR obligations, the NIS2 framework or current cyber threats.

AURAMED SECURITY POLICY

1Article 1. Purpose and nature of the document

2Article 2. Relevant legal framework

3Article 3. Security principles applied by AuraMed

4Article 4. Technical and organizational measures

5Article 5. Access control and staff confidentiality

6Article 6. Secure design, development and providers

7Article 7. Health data and high level of protection

8Article 8. Records, impact assessments and governance

9Article 9. Data protection officer and security function

10Article 10. Monitoring, testing and continuous improvement

11Article 11. Business continuity, backup and disaster recovery

12Article 12. Management of security incidents and data breaches

13Article 13. Cyber incident reporting to the extent NIS2 applies

14Article 14. User responsibilities

15Article 15. Vulnerability reporting

16Article 16. Review and update of the policy

AURAMED SECURITY POLICY

1Article 1. Purpose and nature of the document

2Article 2. Relevant legal framework

3Article 3. Security principles applied by AuraMed

4Article 4. Technical and organizational measures

5Article 5. Access control and staff confidentiality

6Article 6. Secure design, development and providers

7Article 7. Health data and high level of protection

8Article 8. Records, impact assessments and governance

9Article 9. Data protection officer and security function

10Article 10. Monitoring, testing and continuous improvement

11Article 11. Business continuity, backup and disaster recovery

12Article 12. Management of security incidents and data breaches

13Article 13. Cyber incident reporting to the extent NIS2 applies

14Article 14. User responsibilities

15Article 15. Vulnerability reporting

16Article 16. Review and update of the policy