
HealthTech software, audit-ready from version one

Zulbera builds clinical SaaS, patient-facing apps and AI-assisted clinical tooling with HIPAA, GDPR Article 9, FDA SaMD and nFADP architected in from day one. Tenant isolation that holds up to a regulator. Audit logs that match the engineering record.

The compliance stack we architect to

Six frameworks. One technical baseline.

HIPAA

US-facing patient products: PHI segregation, BAA-covered infrastructure (AWS HIPAA-eligible services), access auditing and breach-notification hooks.

GDPR Article 9

Special-category health data handled with explicit lawful basis, data minimisation, retention schedules and patient-facing DSAR tooling.

FDA SaMD

For Software-as-a-Medical-Device classes: design controls, traceability matrices, risk management files (ISO 14971), and audit-ready release engineering.

MDR (EU 2017/745)

Class I and IIa medical-device software: technical documentation, post-market surveillance pipelines, vigilance reporting paths.

nFADP (CH)

Switzerland-specific data protection — controller obligations, cross-border transfer impact assessments, data residency in CH/EU.

IEC 62304

Software lifecycle processes for medical software — when the engagement crosses into device-grade software, the SDLC reflects it.

What we build

HealthTech product shapes we ship

01. Clinician dashboards & EHR-adjacent tools

Workflow software for clinicians and back-office staff. FHIR/HL7 integration with EHRs (Epic, Cerner, Dedalus), role-based access, audit logging.

02. Patient-facing apps & portals

Telemedicine, symptom tracking, medication adherence, post-op recovery. Strong identity, consent management, accessibility-compliant UI.

03. Clinical SaaS platforms

Multi-tenant platforms for clinics, MSO groups, digital health startups. Tenant isolation that holds up to a HIPAA / GDPR audit.

04. AI-assisted clinical tooling

Triage assistants, summarisation of clinical notes, retrieval over clinical guidelines — with human-in-the-loop patterns and traceability of every model output.

FAQ

Common founder questions

Are you a HIPAA-covered entity / business associate?

Zulbera is not a covered entity. We act as a development partner — we can operate as your business associate under a BAA when the engagement requires it (e.g. when we administer infrastructure that processes PHI). For most engagements we hand off operational infrastructure to your team or to BAA-covered providers (AWS, Google Cloud) and stay focused on the software itself.

Where do you host patient data?

Default: AWS in the patient population's primary jurisdiction — eu-central-1 (Frankfurt) for EU patients, eu-west-2 (London) for UK, us-east-1 or us-west-2 for US, with BAA in place. For Switzerland we default to AWS Zurich (eu-central-2) or a Swiss-sovereign cloud when nFADP residency makes it the right call. The choice is part of the architecture brief, not an afterthought.

Can you take a product through FDA SaMD or CE MDR submission?

We build the software and the technical documentation that supports the submission — design history files, risk management files, software architecture description, traceability matrix, test evidence. The regulatory submission itself is owned by your QA / regulatory lead or a specialist consultancy. We work alongside them so that the engineering record matches what regulators expect to see.

How do you handle EHR integration?

FHIR (R4) first when the EHR supports it. HL7 v2 when it does not. SMART-on-FHIR for clinician-facing apps that need to launch from inside the EHR. Where the integration partner is Epic, Cerner, Allscripts or Dedalus, we have shipped against their published integration paths and know where they bend the spec.

How long does a HealthTech MVP take?

20–28 weeks for a clinical SaaS MVP — longer than an unregulated SaaS because of the compliance scaffolding (access auditing, consent management, BAA-covered infrastructure, accessibility) that has to be in v1, not v2. A production-ready platform with full HIPAA + GDPR posture takes 10–18 months depending on regulatory scope and integration depth.

Can you build AI features over clinical data?

Yes — with explicit guardrails. We do not send PHI to general-purpose LLM endpoints in their default configuration. Architectures use either (a) BAA-covered model providers (Azure OpenAI on HIPAA-enabled subscriptions, AWS Bedrock under BAA, OpenAI Enterprise with BAA), or (b) self-hosted open-weight models on infrastructure you control. Every model output is logged, traceable to the input, and surfaced with a confidence and a human-in-the-loop step.

Building a clinical or patient-facing product?

Tell us the patient jurisdiction, the device class (if any) and the EHRs you need to integrate with. We will respond within 2 business hours with a technical read on the architecture.

Request a HealthTech architecture call