Security & compliance

How Nebla protects patient data — across every product we build.

Anonymization before AI

Every clinical record passes through a deterministic anonymizer before any AI call. Names, national IDs, dates of birth, addresses and phone numbers are replaced with stable aliases (for example, "Patient 001"). The text the AI receives contains no personal data.
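As an added illustration (not Nebla's code) of what a deterministic anonymizer with stable aliases looks like, the Python sketch below maps each personal value to an alias that stays the same every time it recurs in the record and keeps the reverse table on the hospital side so the AI's answer can be re-identified; the regexes, alias labels and the sample record are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed regexes for the identifier types the page lists (assumption, not Nebla's detector).
PATTERNS = {
    "ID": re.compile(r"\bCC\s?\d{6,10}\b"),        # national ID ("CC 1020304050")
    "PHONE": re.compile(r"\b3\d{9}\b"),           # Colombian mobile number
    "DOB": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),  # ISO date; over-matches other dates on purpose
}
LABELS = {"PATIENT": "Patient", "ID": "ID", "PHONE": "Phone", "DOB": "DOB"}

@dataclass
class Anonymizer:
    # value -> alias table, stable within one record; it stays on the hospital
    # side so the AI's answer can be re-identified after the call.
    aliases: Dict[str, str] = field(default_factory=dict)
    counters: Dict[str, int] = field(default_factory=dict)

    def alias_for(self, kind: str, value: str) -> str:
        key = f"{kind}:{value}"
        if key not in self.aliases:  # first sighting gets the next number
            self.counters[kind] = self.counters.get(kind, 0) + 1
            self.aliases[key] = f"{LABELS[kind]} {self.counters[kind]:03d}"
        return self.aliases[key]

    def anonymize(self, text: str, known_names: List[str]) -> str:
        # Names come from the record header; longest first so a full name wins over a shorter one inside it.
        for name in sorted(known_names, key=len, reverse=True):
            text = text.replace(name, self.alias_for("PATIENT", name))
        for kind, pattern in PATTERNS.items():
            text = pattern.sub(lambda m, k=kind: self.alias_for(k, m.group(0)), text)
        return text

    def reidentify(self, text: str) -> str:
        for key, alias in self.aliases.items():
            text = text.replace(alias, key.split(":", 1)[1])
        return text

# Constructed sample record with fictitious patient data.
SAMPLE = ("Paciente: Ana María Pérez, CC 1020304050, nacida 1985-04-12, "
          "tel 3001234567. Ana María Pérez refiere dolor torácico. "
          "Acompañante: Carlos Pérez, tel 3109876543.")
KNOWN_NAMES = ["Ana María Pérez", "Carlos Pérez"]

def run_sample() -> Tuple[str, str]:
    anon = Anonymizer()
    sent_to_ai = anon.anonymize(SAMPLE, KNOWN_NAMES)
    ai_answer = "Patient 001 presents chest pain; contact Phone 002."  # simulated AI reply
    return sent_to_ai, anon.reidentify(ai_answer)
```

The aliased text is the only thing that leaves the hospital; the alias table is the piece that must be protected and logged like any other personal data.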

Habeas Data — Law 1581 of 2012

Nebla operates under Colombia's personal data protection regime. The hospital remains the data controller; Nebla acts as data processor. We sign a data processing agreement before any production deployment.

Full audit trail

Every user action (login, case open, edit, approval) generates an immutable audit log entry. This lets you respond to tutelas, glosas and EPS audits with full traceability.

Authentication & sessions

Sessions use JWTs signed with HS256 and rotating refresh tokens, stored in HttpOnly cookies. Password policy: at least 8 characters, including uppercase, lowercase and a digit.

Data at rest and in transit

TLS for data in transit and encryption at rest on RDS and S3. Daily backups, with retention configured per contract.

Let's build the next product with your hospital.

Take 30 minutes with us. Tell us which process hurts today and we'll show you what's already in production and what's coming.