Compliance

Last Updated: February 2025

Suntop Healthcare Corp. is committed to maintaining rigorous standards of regulatory compliance, data security, and ethical business practices in healthcare technology. We continuously invest in compliance infrastructure to ensure our services meet or exceed industry standards and regulatory requirements.

Regulatory Framework Overview

Our compliance program is designed to meet the requirements of multiple regulatory frameworks across different jurisdictions, including healthcare regulations (HIPAA, GDPR, PIPL, and local healthcare laws), medical device regulations (FDA, NMPA, CE marking requirements), data protection and privacy laws (CCPA, GDPR, PIPL), information security standards (ISO 27001, SOC 2), quality management standards (ISO 13485, ISO 9001), and industry-specific guidelines.

HIPAA Compliance (United States)

For operations in the United States, we maintain comprehensive HIPAA compliance. This includes adherence to the Privacy Rule with policies and procedures to protect Protected Health Information (PHI), and the Security Rule with administrative, physical, and technical safeguards for electronic PHI. We follow the Breach Notification Rule with procedures for timely notification in case of data breaches and execute Business Associate Agreements (BAAs) with all covered entities and subcontractors. We apply the Minimum Necessary Standard, limiting access to PHI to what is required for each function. We conduct regular HIPAA risk assessments and remediation, have designated Privacy and Security Officers, and provide annual workforce training on HIPAA requirements.

SOC 2 Type II Compliance

We maintain a SOC 2 Type II attestation, demonstrating our commitment to security and operational excellence. SOC 2 is an attestation report rather than a certification: a Type II report covers both the design and the operating effectiveness of controls over the audit period. Our controls address security (systems are protected against unauthorized access), availability (systems are available for operation as committed), processing integrity (system processing is complete, accurate, and authorized), confidentiality (information designated as confidential is protected), and privacy (personal information is collected, used, retained, and disclosed in conformity with commitments). We undergo annual third-party examinations by independent CPA firms and maintain continuous monitoring and control testing throughout the year.

GDPR Compliance (European Union)

For users in the European Economic Area, we comply with the General Data Protection Regulation. We ensure a lawful basis for processing based on consent, contract, legal obligation, or legitimate interests. We have mechanisms to honor data subject rights including access, rectification, erasure, and portability requests. We conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities and have a designated Data Protection Officer (DPO) for GDPR compliance oversight. We maintain records of processing activities for all data processing operations, implement Standard Contractual Clauses and appropriate safeguards for cross-border transfers, apply privacy by design principles in system development, and maintain procedures to notify the competent supervisory authority within 72 hours of becoming aware of a personal data breach, as required by Article 33.

FDA and Medical Device Regulations

Our software and platforms comply with applicable medical device regulations including FDA 21 CFR Part 820 (Quality System Regulation for medical devices), FDA Software as a Medical Device (SaMD) guidelines, IEC 62304 (medical device software lifecycle processes), and IEC 62443 (industrial automation and control systems security). We also comply with National Medical Products Administration (NMPA) requirements in China and CE marking requirements for EU medical device compliance. We implement risk management per ISO 14971 and maintain clinical evaluation and post-market surveillance procedures.

China Data Protection (PIPL & CSL)

For operations in China, we comply with local data protection regulations including the Personal Information Protection Law (PIPL) for comprehensive personal data protection, the Cybersecurity Law (CSL) for network security and data localization requirements, and the Data Security Law (DSL) for data classification and protection measures. We adhere to healthcare data security regulations and guidelines, conduct cross-border data transfer assessments where required, and maintain local data storage and processing capabilities.

Quality Management System

Our quality management system ensures consistent delivery of safe and effective healthcare technology. We are certified to ISO 13485:2016 (Medical Devices Quality Management System) and ISO 9001:2015 (Quality Management System). Our system includes design controls and change management procedures, supplier quality management and vendor assessments, Corrective and Preventive Action (CAPA) processes, document control and records management, management review and continuous improvement, and regular internal audits and external certification audits.

Information Security Management

We maintain robust information security controls aligned with ISO 27001:2022 (Information Security Management System) and ISO 27701 (Privacy Information Management). Our technical controls include AES-256 encryption for data at rest and TLS 1.3 encryption for data in transit, multi-factor authentication (MFA) requirements, role-based access control (RBAC), and Security Information and Event Management (SIEM). We conduct regular penetration testing and vulnerability assessments and maintain 24/7 Security Operations Center (SOC) monitoring.

Business Continuity and Disaster Recovery

We maintain comprehensive business continuity plans to ensure service availability. Our Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) define Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for our services. We operate geographically distributed data centers for redundancy, implement regular backup procedures with encrypted off-site storage, and conduct annual business continuity testing and tabletop exercises. We maintain incident response procedures and escalation protocols, communication plans for stakeholder notification, and provide a 99.9% uptime Service Level Agreement (SLA).

Vendor and Third-Party Risk Management

We carefully manage risks associated with third-party vendors and service providers through due diligence assessments before vendor onboarding, security and compliance requirements in vendor contracts, regular vendor security assessments and audits, Business Associate Agreements with healthcare data vendors, data processing agreements with sub-processors, continuous monitoring of vendor security posture, vendor incident response coordination procedures, and annual vendor risk reassessments.

Employee Training and Awareness

All Suntop employees receive comprehensive compliance training including annual HIPAA privacy and security training, data protection and GDPR awareness training, information security awareness training, secure coding practices for development teams, phishing simulation and social engineering awareness, role-specific compliance training, new hire orientation on compliance requirements, and regular updates on regulatory changes and requirements.

Certifications and Attestations

We maintain the following certifications and compliance attestations: ISO 27001:2022 for Information Security Management (Certified), ISO 13485:2016 for Medical Devices Quality Management (Certified), SOC 2 Type II for Security, Availability, and Confidentiality (Attested annually), HIPAA Business Associate compliance (Self-attested with third-party assessments), GDPR data protection compliance (Self-attested with DPO oversight), CE Marking for EU Medical Device compliance where applicable, and NMPA Registration for China medical device approval where applicable.

Audit Reports and Documentation

We provide compliance documentation to qualified parties. SOC 2 Type II reports are available under NDA to enterprise customers. ISO certification documents are available upon request. We provide security questionnaire responses for vendor assessments, Data Processing Addendums (DPAs) for GDPR compliance, Business Associate Agreements (BAAs) for HIPAA compliance, and penetration test executive summaries upon request. Contact compliance@suntopai.com for documentation requests.

Incident Response

We maintain comprehensive incident response procedures including 24/7 incident detection and response capabilities, defined incident classification and severity levels, escalation procedures and communication protocols, forensic investigation and root cause analysis, breach notification within regulatory timeframes, post-incident review and lessons learned, and regular incident response drills and tabletop exercises.

Ethics and Anti-Corruption

We maintain high ethical standards in all business dealings through a Code of Business Conduct and Ethics for all employees, anti-bribery and anti-corruption policies, conflict of interest disclosure requirements, gifts and entertainment guidelines, fair competition and antitrust compliance, and whistleblower protection with anonymous reporting channels.

Reporting Compliance Concerns

If you have concerns about compliance or wish to report a potential issue, please contact us by email at compliance@suntopai.com, or use our Compliance Hotline which is available for anonymous reporting. You may also reach our Data Protection Officer at dpo@suntopai.com or report security incidents to security@suntopai.com. All reports are investigated thoroughly and confidentially, and whistleblower protections apply to good-faith reports.

Continuous Improvement

We are committed to continuous improvement of our compliance program through regular review and updates to policies and procedures, monitoring of regulatory changes and emerging requirements, feedback incorporation from audits and assessments, investment in compliance technology and automation, engagement with industry groups and regulatory bodies, and benchmarking against industry standards.
