Security Overview
MYCURE is designed to support healthcare organizations that handle sensitive clinic, patient, operational, and administrative data.
Operated by TOPSI Inc. (“MYCURE,” “we,” “us,” or “our”)
Security is a shared responsibility between MYCURE and each Customer. MYCURE is responsible for providing reasonable safeguards for the platform and services we operate. Customers are responsible for managing their own users, devices, permissions, workflows, and internal compliance obligations.
This Security Overview summarizes our general approach to security. It is not a complete description of all controls, does not create a service level commitment, and does not replace the MYCURE Terms of Agreement, Privacy Policy, Data Processing Addendum, Business Associate Agreement, Service Level Agreement, or other written agreement, where applicable.
1. Security Principles
MYCURE’s security approach is guided by the following principles:
- protect patient and clinic data;
- limit access based on role and need;
- support auditability and accountability;
- reduce operational and privacy risks;
- apply safeguards appropriate to healthcare workflows;
- support Customer compliance obligations where applicable;
- maintain reasonable technical, administrative, and organizational controls; and
- continuously improve security practices as the platform evolves.
3. Data Protection
MYCURE applies reasonable safeguards designed to protect personal data, patient data, and clinic information processed through the Services.
Depending on the deployment model and enabled services, safeguards may include:
- encryption for data in transit;
- encryption or equivalent safeguards for stored sensitive data where appropriate;
- role-based access controls;
- user authentication;
- audit logs or activity records;
- secure backup practices;
- access monitoring;
- secure configuration practices;
- administrative access controls; and
- internal policies governing employee and support access.
No system, software, network, or storage method can be guaranteed to be completely secure. MYCURE continuously works to improve its safeguards, but Customers should maintain their own operational, technical, and compliance controls.
4. Access Controls
MYCURE supports access controls intended to help Customers manage who may access information within the platform.
Depending on the Customer’s configuration and enabled modules, access controls may include:
- user accounts;
- role-based permissions;
- administrator controls;
- account-level settings;
- staff access management;
- authentication requirements;
- session controls;
- activity tracking; and
- access restrictions by function or module.
Customers are responsible for assigning appropriate roles and permissions and for promptly disabling access when a user is no longer authorized.
5. Multi-Factor Authentication and Account Security
Where available, Customers should enable and use multi-factor authentication or similar security features.
Customers and users are responsible for:
- keeping login credentials confidential;
- using strong and unique passwords;
- not sharing accounts;
- reporting suspected unauthorized access promptly;
- securing devices used to access the Services;
- reviewing user access regularly; and
- following Customer internal security policies.
MYCURE may suspend or restrict accounts where we detect or reasonably suspect unauthorized access, credential compromise, abuse, or security risk.
6. Auditability and Activity Records
MYCURE is designed to support accountability in healthcare workflows.
Depending on the enabled modules and configuration, the Services may record activity such as:
- user access;
- changes to records;
- login activity;
- administrative actions;
- system events;
- support activity; and
- other relevant operational events.
Auditability features are intended to support Customer oversight, investigation, security monitoring, and compliance workflows. Customers remain responsible for reviewing and using available logs appropriately.
7. Support Access
MYCURE support personnel may access Customer accounts or Customer Data only where reasonably necessary to provide, maintain, secure, troubleshoot, improve, or support the Services; investigate suspected abuse, security issues, or technical problems; comply with law; or perform obligations under an applicable agreement.
Support access is intended to be limited to authorized personnel and appropriate purposes.
Customers should avoid sending unnecessary patient data through unsecured support channels. Where support requires review of specific records or screenshots, Customers should share only what is reasonably necessary for the support request.
8. Hosting and Deployment
MYCURE may support different deployment models depending on the Customer’s plan and written agreement, including MYCURE-hosted cloud services, private cloud arrangements, client-hosted environments, or other deployment models.
For MYCURE-hosted services, MYCURE is generally responsible for platform-level hosting safeguards within the scope of the services we operate.
For client-hosted, private cloud, or customer-managed deployments, responsibility for infrastructure, network, environment security, backup configuration, and operational controls may be shared or assigned differently under the applicable Order Form, Statement of Work, Service Level Agreement, or Security Addendum.
Customers should confirm the applicable deployment model and responsibility allocation before using the Services for regulated workloads.
9. Backups, Recovery, and Availability
MYCURE maintains reasonable backup and recovery practices for MYCURE-hosted services, subject to the applicable plan, deployment model, and written agreement.
Backups are intended to support service continuity and recovery from operational issues. They are not a substitute for Customer recordkeeping, export, compliance, or business continuity obligations.
Unless expressly stated in a Service Level Agreement or other written agreement, MYCURE does not guarantee any specific uptime, recovery time objective, recovery point objective, backup retention period, or service availability level.
Customers should maintain appropriate downtime procedures, emergency workflows, and backup clinical processes.
10. Secure Development and Maintenance
MYCURE works to maintain and improve the security of its software and services.
Our development and maintenance practices may include:
- code review;
- testing;
- access control for development systems;
- issue tracking;
- vulnerability review;
- dependency updates;
- change management;
- monitoring of production systems;
- patching and maintenance; and
- continuous improvement of security practices.
Security practices may evolve as the Services, technology, regulatory expectations, and Customer needs change.
11. Vendors and Service Providers
MYCURE may use trusted vendors, service providers, and subprocessors to provide, host, secure, support, monitor, and improve the Services.
These may include providers for:
- cloud hosting and infrastructure;
- data storage and backups;
- email and SMS communications;
- payment processing;
- security monitoring;
- analytics and performance monitoring;
- support tools;
- implementation services; and
- other operational needs.
MYCURE requires service providers that process personal data on our behalf to apply appropriate confidentiality, security, and data protection obligations.
A public subprocessor list may be made available separately and updated from time to time. See our Subprocessor List.
12. Incident Response
MYCURE maintains processes designed to identify, investigate, respond to, and mitigate security incidents.
If MYCURE becomes aware of a security incident involving Customer Data that requires notification under applicable law or agreement, MYCURE will notify affected Customers without undue delay and in accordance with applicable legal or contractual requirements.
Customers may have their own obligations to notify patients, regulators, payors, partners, or other third parties depending on applicable law and the nature of the incident.
13. Privacy and Compliance Support
MYCURE is designed to support healthcare organizations in operating secure and compliant clinic workflows. However, privacy, healthcare, consumer protection, medical record, telehealth, and technology laws vary by jurisdiction and by use case.
Customers are responsible for determining whether their use of the Services complies with laws and regulations applicable to their organization, personnel, patients, and location.
Where specific legal frameworks require additional contractual terms, such as a Data Processing Addendum or Business Associate Agreement, those terms must be separately agreed in writing before the Services are used for that regulated purpose.
14. Patient Data and Clinical Responsibility
MYCURE provides software tools. MYCURE is not a healthcare provider and does not make clinical decisions.
Customers and their licensed healthcare professionals are responsible for:
- clinical judgment;
- patient care;
- medical documentation;
- treatment decisions;
- prescriptions and orders;
- patient communications;
- medical record retention;
- consent and authorization;
- regulatory reporting; and
- professional compliance.
MYCURE’s security controls are intended to support the platform, but they do not replace Customer clinical, operational, legal, or professional responsibilities.
15. Enterprise Security Requests
Enterprise Customers may request additional security documentation as part of procurement, contracting, or compliance review.
Depending on the nature of the request and applicable commercial terms, MYCURE may provide:
- security questionnaires;
- data protection documentation;
- deployment responsibility summaries;
- subprocessor information;
- incident response summaries;
- service level terms;
- security addenda;
- business associate agreements, where applicable; or
- other documentation reasonably appropriate for the engagement.
Some security details may be confidential and may require a nondisclosure agreement before disclosure.
16. Reporting Security Concerns
If you believe you have identified a security issue involving MYCURE, please contact us promptly.
Security and Support Contact
Email: support@mycure.md
For privacy-related matters, please contact:
Data Protection Officer
Email: dpo@mycure.md
Please do not include unnecessary patient data, passwords, credentials, or sensitive screenshots in unsecured communications.