The most secure imaging data is the data we never keep.

Dicomly's security model starts with a simple idea: the safest place for patient data is your backend, not ours. We move the bytes and keep nothing — so there is no archive of imaging data on our side to leak, subpoena, or mismanage.

Nothing is stored — no PHI at rest

DICOM bytes stream from the sender straight through to your HTTPS endpoint and are gone. Nothing is written to disk, a queue, or a cache — not even transiently. The only thing Dicomly keeps is routing metadata and usage counters (byte counts, instance counts, timestamps). No DICOM tags, no patient identifiers.

Per-device authentication with mTLS

Every DICOM source authenticates with its own client certificate over mutual TLS. No shared secrets, no API keys handed to a PACS or modality. Revoke a single device without touching the others.

EU data residency

Infrastructure runs in the European Union. Traffic stays within EU-based facilities operated by our infrastructure provider.

A conduit, not a custodian

Because nothing is persisted, Dicomly acts as a HIPAA conduit and a GDPR processor — not a data custodian. Your backend is where the data lives; Dicomly is just the pipe between the hospital and your app.

BAA / DPA available to everyone

A Data Processing Agreement (BAA-equivalent) is available to every customer — free, click-to-sign, no plan requirement. Sign it from the console before you provision your first endpoint if your procurement requires it.

No buffering, predictable failure

If your receiver is down, Dicomly returns an error to the sender, which retries on its own schedule — exactly as the DICOM standard expects. No data is queued or held on our side, so there is no hidden store to breach.

Baselines

  • Mutual TLS (mTLS) for every sender
  • SHA-256 integrity baseline
  • ECDSA certificate keys
  • Encrypted in transit, end to end

Sub-processors

Dicomly runs on infrastructure operated by Hetzner Online GmbH in the European Union. Because no imaging data is stored, sub-processors never hold PHI at rest. The current sub-processor list is available with the DPA.

Reporting a concern

Found something, or have a security question for a procurement review? Email info@dicomly.io and we'll respond quickly. A signed BAA/DPA is available before you send any real data.
