Built around local AI
Most cloud-AI products are architecturally required to send data to someone else’s servers. JamEMR is built the other way around: clinical AI inference runs on dedicated GPU hardware inside the deployment environment. That choice defines the rest of the infrastructure — the systems that hold PHI are the systems the practice’s deployment already contains.
What is in place today
Compute and AI processing
- Clinical AI (ambient transcription, clinical language-model processing) runs on dedicated local GPU hardware inside the deployment environment. PHI is not sent to third-party consumer AI clouds for clinical AI processing.
- Services authenticate to each other with registered, revocable API tokens — internal traffic is authenticated, not merely trusted.
Data protection
- TLS encrypts data in transit on exposed interfaces.
- Data at rest is protected with disk-level encryption, configured and verified per deployment (see Encryption for how we describe this carefully).
Change discipline
- Database schema changes ship exclusively as versioned, reviewed migrations. The schema has a reviewable history, and environments stay consistent by construction.
- Privileged operational changes are approval-gated: a human explicitly approves before a privileged change takes effect.
Pilot posture
- Pilot deployments run on synthetic (non-real-patient) data until a practice’s compliance prerequisites are complete. Infrastructure is proven before PHI arrives, not after.
Public website
- The public jamemr.com website (which holds no PHI) is served through a commercial CDN/DNS provider — see Subprocessors. Clinical systems are separate from the public website.
On our roadmap
- Formal, SLA-backed disaster-recovery commitments are in development. Today: scheduled backups run, and restore procedures are being formalized — see Disaster Recovery for the honest current state.
- Third-party penetration testing of the infrastructure before general availability.
- Documented infrastructure and operations policy pack, in progress.
- SOC 2 Type II examination, planned, not started — we do not claim SOC 2 compliance.
Deployment questions
Infrastructure details vary by deployment, and we document each deployment’s configuration for the practice’s compliance review. To discuss requirements for a prospective deployment, contact [email protected] or [email protected].