General security and compliance, BAA and DPA, responsible disclosure
security@burna.ai
Subject lines per §5 for fastest routing. PGP key available on request.
Certifications Burna has not completed are not claimed. Status reflects current posture as of May 2026 and is updated as audits progress.
HIPAA aligned, BAA per engagement. SOC 2 Type II audit began Q2 2026; Type I attestation available now. 21 CFR Part 11 aligned. GDPR and UK GDPR aligned; DPA pre-reviewed by EU counsel. ISO 27001 mapped, formal certification planned 2027. Eligible for the CDER Emerging Drug Safety Technology Program; EDSTP application in review.
Status reflects current posture as of May 2026. Certifications not completed are not claimed. The full technical matrix, architectural diagrams, and procurement documentation live at /it-and-security.
Read the procurement-grade page →

HIPAA, SOC 2 Type II, 21 CFR Part 11, GDPR, and ISO 27001 each carry distinct evidence requirements. We treat them separately.
Burna executes a Business Associate Agreement per engagement before any Protected Health Information is processed. PHI handling is architecturally constrained, not policy-constrained: patient identifiers stay inside the customer's network in on-premises deployments and inside the customer's jurisdiction in regional cloud deployments, and the grading model sees only de-identified clinical text. Logs carry no PHI, and pre-commit hooks reject PHI-shaped content before it can enter the codebase. Backups are encrypted at rest and in transit, with point-in-time recovery covering 30 days for the operational database and 90 days for system snapshots. Breach notification follows the HIPAA Breach Notification Rule and regional equivalents.
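As an added illustration of the pre-commit check described above (example code written for this page, not Burna's hook; the identifier patterns, the `phi-ok: synthetic` allow marker and the sample log lines are assumptions constructed here), the following Python scans the added lines of a staged diff for PHI-shaped identifiers and fails the commit if any are found:

```python
"""Added example, not Burna's code: a pre-commit style scanner that rejects
staged content containing PHI-shaped identifiers. The patterns, the allow
marker and the sample text are assumptions constructed for illustration."""
import re
import subprocess
import sys

# Structured identifiers that should never be committed. Regexes catch
# structured fields (SSN, MRN, DOB, phone, email), not free-text names or
# clinical narrative, so this is a guardrail in front of review, not proof
# of de-identification.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN\s*[:#]?\s*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(
        r"\b(?:DOB|date of birth)\s*[:=]?\s*\d{1,2}/\d{1,2}/\d{4}\b",
        re.IGNORECASE,
    ),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}

# Assumed convention: lines carrying this marker are synthetic fixtures.
ALLOW_MARKER = "phi-ok: synthetic"


def find_phi(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, kind, matched_text) for each PHI-shaped hit."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ALLOW_MARKER in line:
            continue
        for kind, pattern in PHI_PATTERNS.items():
            for match in pattern.finditer(line):
                hits.append((lineno, kind, match.group(0)))
    return hits


def staged_additions() -> str:
    """Added lines of the staged diff: the content a pre-commit hook scans."""
    diff = subprocess.run(
        ["git", "diff", "--cached", "--unified=0", "--no-color"],
        capture_output=True, text=True, check=True,
    ).stdout
    return "\n".join(
        line[1:] for line in diff.splitlines()
        if line.startswith("+") and not line.startswith("+++")
    )


def check(text: str) -> int:
    """Hook exit status: 0 when clean, 1 when any PHI-shaped content is found."""
    hits = find_phi(text)
    for lineno, kind, matched in hits:
        print(f"PHI-shaped {kind} at line {lineno}: {matched!r}", file=sys.stderr)
    return 1 if hits else 0


# Constructed sample of three staged lines; no real patient data.
SAMPLE = (
    'logger.info("graded note for MRN: 00123456, DOB 03/14/1961")\n'
    'logger.info("graded note id=%s grade=%s", note_id, grade)\n'
    'patient_email = "jane.doe@example.org"  # phi-ok: synthetic\n'
)

if __name__ == "__main__":
    # `python phi_check.py --staged` scans the git index; otherwise the sample.
    sys.exit(check(staged_additions() if "--staged" in sys.argv else SAMPLE))
```

The first sample line fails the hook on both the MRN and the DOB; the second, which logs only an opaque note id, passes. The caveat a reviewer should keep in mind is that a hook like this stops PHI from entering source and test fixtures; it says nothing about what the running service writes to its logs, which has to be guaranteed separately by what the logging path is allowed to see.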
SOC 2 Type II audit began in Q2 2026 with an independent third-party auditor, covering the Security, Availability, and Confidentiality Trust Services Criteria. Initial report delivery is planned for H1 2027, once the observation window completes. A SOC 2 Type I attestation is available now under NDA; it covers the design of controls as of the attestation date, whereas the Type II report covers operating effectiveness across the observation period. Customers running vendor due diligence before Type II completes can review the Type I attestation, the control matrix, the annual third-party penetration test report, and the inherited control documentation from the cloud provider.
Part 11 has no certification body, so alignment is the accurate posture for any software vendor. Burna's electronic signature workflow is built to the Part 11 requirements: unique user identification, two-factor authentication, a signed audit trail that captures timestamp and reason for change, and tamper-evident record protection. Every modification to a suggested grade is logged with the original AI suggestion, the clinician's modification, the reason, and the timestamp. A 21 CFR Part 11 validation package ships with every engagement: IQ, OQ, and PQ templates, system specifications, a trace matrix, and a regulatory review package for engagements under a formal IND or BLA.
EU GDPR and UK GDPR aligned. The Data Processing Agreement template, pre-reviewed by EU counsel, is a single-document download from the procurement portal, suitable for Article 28 review by the customer's Data Protection Officer. Data residency follows deployment mode: Frankfurt, Dublin, or Paris for the EU; London for the UK. Standard Contractual Clauses are available where cross-border transfers are required. Other frameworks Burna aligns to: PIPEDA, APPI, PIPA, the Australian Privacy Act and NDB scheme, Saudi NDMO, UAE DHA, Qatar PDPPL, and LGPD. EU AI Act obligations are reviewed quarterly.
Burna's information security management system is mapped to ISO 27001 controls today. Formal certification is planned for 2027, once the SOC 2 Type II report has been delivered. Until certification completes, Burna operates under inherited controls from the cloud provider (which maintains ISO 27001 certification across the regions Burna deploys in) plus the mapped Burna-specific controls. The control mapping documentation is available for customer review under NDA. ISO 27001 certification is not claimed today. Saying it before certification would be a misrepresentation; saying it after certification will be straightforward.
Compliance frameworks document what a system does. The architecture decides what the system can do.
03 / The posture rests on the architecture

Burna AI trust statement, May 2026
Burna is a SMART on FHIR application that runs inside the customer's EHR. The engine is a twelve-agent cascading constraint pipeline. Every grade requires a source sentence in the clinical note and a matching CTCAE criterion in the retrieval index; without both, the system returns “no grade available.” Architectural constraint, not runtime filter. Two patents filed. Human-in-the-loop, always.
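Two of the claims above are design properties rather than policy: a grade cannot exist without both a source sentence and a matching criterion, and every clinician override is recorded with the original suggestion, the change, the reason and a timestamp (the Part 11 paragraph earlier on this page). The following Python is an added example written for this page, not Burna's pipeline or any of its code: it models the evidence gate as a type that cannot be constructed without both pieces of evidence, and the override trail as a hash-chained append-only log. The criteria, matching cues, note text, user ids and field names are all constructed assumptions; the real CTCAE index, the twelve-agent cascade and the signing keys behind the audit trail are not on the page and are not modelled.

```python
"""Added example, not Burna's code: an evidence-gated grade type and a
tamper-evident override trail. The criteria, cues, note text, user ids and
field names are constructed for illustration; the real CTCAE index,
twelve-agent pipeline and signing keys are not on the page and not modelled."""
from __future__ import annotations

import hashlib
import json
import re
from dataclasses import dataclass, asdict
from datetime import datetime, timezone


@dataclass(frozen=True)
class Criterion:
    criterion_id: str
    term: str
    grade: int
    cues: tuple[str, ...]  # constructed matching cues, not CTCAE wording


# Constructed two-entry stand-in for the retrieval index.
INDEX = (
    Criterion("anemia-g2", "Anemia", 2, ("hemoglobin 9", "hgb 9")),
    Criterion("nausea-g1", "Nausea", 1, ("nausea", "loss of appetite")),
)


@dataclass(frozen=True)
class Grade:
    """The only grade type in the system; it cannot be built without both
    the quoted source sentence and the criterion it was matched against."""
    term: str
    grade: int
    source_sentence: str
    criterion_id: str


NO_GRADE = "no grade available"


def split_sentences(note: str) -> list[str]:
    return [s.strip() for s in re.split(r"(?<=[.!?])\s+", note) if s.strip()]


def grade_note(note: str, term: str, index: tuple[Criterion, ...] = INDEX) -> Grade | str:
    """Return a Grade only if a note sentence matches an indexed criterion for
    `term`; otherwise NO_GRADE. No other code path produces a Grade."""
    candidates = [c for c in index if c.term.lower() == term.lower()]
    for sentence in split_sentences(note):
        lowered = sentence.lower()
        for c in candidates:
            if any(cue in lowered for cue in c.cues):
                return Grade(c.term, c.grade, sentence, c.criterion_id)
    return NO_GRADE


class AuditTrail:
    """Append-only, hash-chained record of AI suggestions and clinician edits.
    The chain makes silent edits detectable; a production trail would also
    sign each digest under the clinician's key, which is not modelled here."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.records: list[dict] = []

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, user_id: str, suggested: dict, final_grade: int,
               reason: str, when: datetime | None = None) -> str:
        body = {
            "user": user_id,
            "suggested": suggested,
            "final": final_grade,
            "reason": reason,
            "ts": (when or datetime.now(timezone.utc)).isoformat(),
            "prev": self.records[-1]["digest"] if self.records else self.GENESIS,
        }
        digest = self._digest(body)
        self.records.append({**body, "digest": digest})
        return digest

    def verify(self) -> bool:
        prev = self.GENESIS
        for record in self.records:
            body = {k: v for k, v in record.items() if k != "digest"}
            if body["prev"] != prev or self._digest(body) != record["digest"]:
                return False
            prev = record["digest"]
        return True


if __name__ == "__main__":
    # Constructed note, not a real clinical record.
    note = ("Day 3 of cycle 2. Hemoglobin 9.1 g/dL on labs this morning. "
            "Reports mild nausea but tolerating food.")
    suggestion = grade_note(note, "Anemia")
    print(suggestion)                    # Grade(term='Anemia', grade=2, source_sentence='Hemoglobin 9.1 g/dL on labs this morning.', criterion_id='anemia-g2')
    print(grade_note(note, "Fatigue"))   # no grade available
    trail = AuditTrail()
    trail.append("clinician-1", asdict(suggestion), 1, "repeat Hgb 10.2, trending up")
    print(trail.verify())                # True
    trail.records[0]["reason"] = "edited after the fact"
    print(trail.verify())                # False
```

The point of the `Grade` dataclass is that "no grade available" is what the system returns whenever either piece of evidence is missing, because there is no constructor that accepts less; a runtime filter bolted on afterwards could be bypassed, a missing constructor cannot. The trail shows why tamper evidence matters for Part 11 review: editing any field of an earlier record breaks the chain, and `verify()` reports it.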
Burna does not pursue legal action against good-faith security research that follows this policy. PGP key available on request.
Findings accepted under standard responsible disclosure at security@burna.ai.
Request via security@burna.ai with the relevant subject line below; turnaround is typically under three business days for standard packages.
PGP key available on request for sensitive correspondence. For procurement-grade architecture detail, the deeper page is at /it-and-security.
https://calendly.com/nnennaj/chat-with-nnenna-john
15-minute briefing with the Founder and CEO. The 5-page brief follows the call.