Quality & Compliance

Our Dedication to Compliance

Quality and Compliance: The Foundation of RetInSight’s Success

In the dynamic environment of high-end device development at RetInSight, quality and regulatory compliance are far more than mere checkboxes – they are the very foundation of our credibility and the driving force behind our market success.

These principles are a testament to our company’s culture and leadership values, which we integrate into all areas of our business and operations.


Our medical software fulfills the highest quality and regulatory compliance standards: GDPR, HIPAA, GCP, MDR 2017/745, ISO 13485 and ISO 27001.

EU Quality Management System Certificate MDR

RetInSight has meticulously established, documented and implemented a state-of-the-art Quality Management System, fully aligned with MDR (Regulation 2017/745 on Medical devices, Annex IX, Chapters I and III).

ISO 13485 Certification

RetInSight has successfully implemented all ISO 13485:2016 requirements, attesting to our commitment to producing safe, reliable and effective medical devices that adhere to the internationally recognized gold standard of the medical device industry.

ISO 27001 Certification

RetInSight is deeply committed to safeguarding the confidentiality, integrity and availability of information and data. As an ISO 27001:2022 certified company, we integrate the Information Security Management System (ISMS) framework into our processes.

FAQs

Which regulatory frameworks do RetInSight products comply with?

RetInSight’s AI-based medical software is certified under the European Medical Device Regulation (MDR 2017/745) as Class IIa medical devices. 
All processes follow the required regulatory guidelines for the development, validation, and lifecycle management of Software as a Medical Device (SaMD). 

Which quality management standards does RetInSight follow?

RetInSight operates under an audited ISO 13485 quality management system for medical devices. 
This includes strict controls for software development, risk management, validation, change management, and post-market surveillance.

How does RetInSight ensure data security and information protection?

RetInSight is certified to ISO 27001, which governs information security management. 
OCT data is pseudonymized, encrypted in transit and at rest, and processed in secure environments using restricted access rights and full audit trails. 

Is patient data stored by RetInSight?

No personally identifiable information (PII) is stored. 
All OCT images processed through RetInSight’s systems are pseudonymized before upload. 
Only the minimal data required to process and return quantitative OCT analysis results is handled. 

How is GDPR compliance ensured?

RetInSight fully complies with GDPR.
This includes: 

  • pseudonymization of patient health data 
  • encryption (AES-256 at rest, TLS in transit) 
  • data minimization 
  • documented processing records 
  • access-controlled systems 
  • secure certified hosting environments 

How does RetInSight validate its AI algorithms?

Each AI model undergoes a rigorous, multi-step validation process that includes: 

  • extensive data selection and annotation 
  • algorithm performance evaluation 
  • clinical and technical validation 
  • device-specific validation per imaging system 

All validation activities follow MDR and ISO 13485 requirements and the EU AI Act. 

Why are RetInSight’s AI solutions validated per OCT device and not device‑agnostic?

Different OCT devices generate images with different scan quality, resolution, and acquisition patterns. 
To ensure consistent performance, each algorithm is validated specifically for the OCT device it supports. 
This is also a regulatory requirement under MDR for SaMD products. 

How does RetInSight protect data during cloud processing?

All data is: 

  • encrypted end-to-end (TLS in transit, AES-256 at rest) 
  • pseudonymized before entering the cloud 
  • processed in certified data centers 
  • tracked with audit logs 
  • accessible only via role-based permissions 

No raw OCT data is exposed to unauthorized parties, and no PII is processed or stored. 

How are customers supported in meeting their own compliance requirements?

RetInSight provides: 

  • Data Processing Agreements (DPAs) 
  • Security and compliance documentation 
  • Integration support 
  • Controlled user access management