ISO/IEC 27001 & TÜV-Certified Telemedicine

A doctor's office, *built for the open internet.*

Patient consultations belong in private, soundproof rooms — not in browser tabs that leak across continents. AMVLET's video infrastructure is independently audited under ISO/IEC 27001 and certified by TÜV Informationstechnik against the Trusted Site Video Consultation standard for telemedicine.

Book a clinical security briefing → Download the certification dossier
TÜV Informationstechnik certified · ISO/IEC 27001:2022, 93 Annex A controls · KBV-listable under Anlage 31b BMV-Ä

93 controls: Annex A controls in ISO/IEC 27001:2022 audited end-to-end across the platform, in the organisational, people, physical, and technological domains.

TSVC: Trusted Site Video Consultation, TÜV Informationstechnik's dedicated certification scheme for telemedicine video infrastructure.

Anlage 31b BMV-Ä: Annex 31b to the Federal Master Agreement for Physicians (Bundesmantelvertrag-Ärzte), the German legal floor for any video tool used in statutory health-insurance care.

E2EE: End-to-end encryption verified under independent penetration testing: no plaintext in transit, no replayable session keys, no recoverable media.
Field report

When the consultation room moves online.

What it really takes to certify a video tool that doctors and patients can trust — and why most of the apps in everyday clinical use would not pass the audit.

A patient describes a chest pain that woke them at 3 a.m. A psychiatrist asks an adolescent how often the intrusive thoughts return. An oncologist reviews the report from yesterday's CT and explains, gently, what comes next. None of these conversations should be observable, retrievable, or replayable by anyone other than the two people in the call. And yet, almost every video tool in everyday clinical use was designed first for marketing webinars, then patched into healthcare afterwards.

For most of the past decade, telemedicine has been built on borrowed infrastructure. The pandemic pushed practitioners onto whatever consumer-grade conferencing tool worked: signing up, joining, screen-sharing, all under enormous time pressure, with no time to ask where the media servers were located, who held the encryption keys, or what happened to the recording cache when the call ended. The result is an enormous installed base of video sessions running through services that were never designed to satisfy European data protection law, and certainly not designed for the asymmetric trust relationship between a doctor and a patient.

Germany's regulators noticed early. In Annex 31b to the Bundesmantelvertrag-Ärzte — the Federal Master Agreement that governs how statutory health-insurance physicians may treat their patients — the National Association of Statutory Health Insurance Physicians (KBV) wrote down a precise, technical, and unforgiving definition of what a permissible video consultation tool actually has to do. Any provider that wishes to be listed by the KBV as a certified video service must obtain two independent attestations: one for data protection and one for information security. There is no halfway grade. There is no self-assessment. The audit is done by a recognised independent body; for AMVLET's video infrastructure that body is TÜV Informationstechnik (TÜVIT).

Two attestations, one architecture

The data-protection half of the certification is performed under Article 42 of the GDPR, the article that authorises formal certification mechanisms as a means of demonstrating compliance. Auditors examine the entire processing chain: the lawful basis for each operation, the principles of purpose limitation and minimisation, the security of processing under Article 32, the documentation of every processor and sub-processor, and the operational reality of fulfilling data subject rights — access, rectification, erasure, portability, and objection. This is not a paper review. The auditors look at the actual deployment, the actual configuration, and the actual logs.

The information-security half is harder still. Auditors begin with a penetration test against the live infrastructure — probing for unauthenticated endpoints, misconfigured TURN relays, replayable session tokens, weak ciphers, and the long tail of media-handling flaws specific to WebRTC stacks. Once the penetration phase is closed out, the engagement moves to Trusted Site Video Consultation (TSVC), TÜVIT's purpose-built certification scheme for telemedicine. TSVC inspects the technical and organisational controls around the call itself: how media is transported, how it is encrypted, whether anything is persisted to disk in violation of the specification, whether any operator — including the platform vendor — could read or replay an in-flight conversation, and how the system behaves when something fails.
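One of the checks listed above, written out as an added example (this is not code from the page or from AMVLET): an unauthenticated TURN Allocate probe. A correctly configured relay refuses the request with 401 Unauthorized plus REALM and NONCE, the long-term-credential challenge of RFC 8656; a relay that instead answers with a success response carrying XOR-RELAYED-ADDRESS has just given an anonymous client a relay allocation, which is the open-relay misconfiguration. The two sample replies at the bottom are constructed byte strings, not captures from any real server, so the classification runs offline; `probe_turn` performs the live UDP exchange.

```python
"""Unauthenticated TURN Allocate probe (RFC 8489 STUN framing, RFC 8656 TURN).

Added example. Sends an Allocate without USERNAME/MESSAGE-INTEGRITY and
classifies the reply. PASS = 401 challenge with REALM and NONCE;
FAIL = allocation granted without credentials (open relay).
"""
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442
METHOD_ALLOCATE = 0x003
CLASS_SUCCESS, CLASS_ERROR = 0b10, 0b11
ATTR_ERROR_CODE, ATTR_REALM, ATTR_NONCE = 0x0009, 0x0014, 0x0015
ATTR_XOR_RELAYED_ADDRESS, ATTR_REQUESTED_TRANSPORT = 0x0016, 0x0019


def _attr(atype: int, value: bytes) -> bytes:
    """Encode one STUN attribute as type/length/value, padded to 4 bytes."""
    return struct.pack("!HH", atype, len(value)) + value + b"\x00" * (-len(value) % 4)


def _message(msg_type: int, txid: bytes, attrs: bytes) -> bytes:
    """STUN header (type, length, magic cookie, 12-byte transaction id) + attributes."""
    return struct.pack("!HHI", msg_type, len(attrs), MAGIC_COOKIE) + txid + attrs


def build_allocate_request(txid: bytes = b"") -> tuple:
    """Allocate request (0x0003) asking for a UDP relay (transport 17),
    with deliberately no credentials attached."""
    txid = txid or os.urandom(12)
    return _message(0x0003, txid, _attr(ATTR_REQUESTED_TRANSPORT, bytes([17, 0, 0, 0]))), txid


def parse_stun(msg: bytes) -> tuple:
    """Return (class, method, transaction id, {attr_type: value}); raise on non-STUN input."""
    if len(msg) < 20:
        raise ValueError("short STUN message")
    mtype, mlen, cookie = struct.unpack("!HHI", msg[:8])
    if cookie != MAGIC_COOKIE or mtype & 0xC000:
        raise ValueError("not a STUN message")
    # Class bits C1/C0 sit at bit 8 and bit 4 of the type; the remaining bits are the method.
    msg_class = ((mtype >> 7) & 0b10) | ((mtype >> 4) & 0b01)
    method = (mtype & 0x000F) | ((mtype & 0x00E0) >> 1) | ((mtype & 0x3E00) >> 2)
    attrs, off, end = {}, 20, 20 + mlen
    while off + 4 <= end:
        atype, alen = struct.unpack("!HH", msg[off:off + 4])
        attrs[atype] = msg[off + 4:off + 4 + alen]
        off += 4 + alen + (-alen % 4)
    return msg_class, method, msg[8:20], attrs


def classify_allocate_response(resp: bytes, expected_txid: bytes) -> str:
    msg_class, method, txid, attrs = parse_stun(resp)
    if txid != expected_txid or method != METHOD_ALLOCATE:
        return "IGNORE: not a reply to our Allocate"
    if msg_class == CLASS_ERROR:
        ec = attrs.get(ATTR_ERROR_CODE, b"")
        code = (ec[2] & 0x07) * 100 + ec[3] if len(ec) >= 4 else 0
        if code == 401 and ATTR_REALM in attrs and ATTR_NONCE in attrs:
            return "PASS: 401 Unauthorized, long-term credentials required"
        return f"REVIEW: error {code} without a credential challenge"
    if msg_class == CLASS_SUCCESS and ATTR_XOR_RELAYED_ADDRESS in attrs:
        return "FAIL: relay allocated without credentials (open TURN relay)"
    return "REVIEW: unexpected response"


def probe_turn(host: str, port: int = 3478, timeout: float = 2.0) -> str:
    """Live check: one unauthenticated Allocate over UDP, reply classified as above."""
    req, txid = build_allocate_request()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(req, (host, port))
        try:
            resp, _ = sock.recvfrom(1500)
        except socket.timeout:
            return "REVIEW: no response (filtered, or not a TURN listener)"
    return classify_allocate_response(resp, txid)


# Constructed sample replies for offline use; not captured from any real server.
SAMPLE_TXID = bytes(range(12))
SAMPLE_401 = _message(0x0113, SAMPLE_TXID,
                      _attr(ATTR_ERROR_CODE, bytes([0, 0, 4, 1]) + b"Unauthorized")
                      + _attr(ATTR_REALM, b"turn.example.org")
                      + _attr(ATTR_NONCE, b"1b7a5c9e2f4d6a8b"))
SAMPLE_OPEN = _message(0x0103, SAMPLE_TXID,
                       _attr(ATTR_XOR_RELAYED_ADDRESS, bytes([0, 0x01, 0x33, 0x26, 0x11, 0x22, 0x33, 0x44])))

if __name__ == "__main__":
    print(classify_allocate_response(SAMPLE_401, SAMPLE_TXID))   # PASS ...
    print(classify_allocate_response(SAMPLE_OPEN, SAMPLE_TXID))  # FAIL ...
```

Run `probe_turn("turn.example.org")` against each relay in scope; a PASS only shows that credentials are demanded, so the next step in a real engagement is to check that those credentials are per-session and short-lived rather than a static shared secret.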

The certification confirms what most clinicians already suspect: a video tool is not safe simply because it works. It is safe when an independent laboratory has tried to break it, watched it under load, read its source documentation, and signed a certificate against a published standard.

— AMVLET Clinical Security Practice

Why ISO 27001 is the load-bearing wall

Underneath both attestations sits the international standard for information security management: ISO/IEC 27001:2022. Telemedicine certification verifies a single application against a specific use case. ISO 27001 verifies the entire organisation — the policies that govern how the application is built, the controls that protect the people who run it, the supply chain that feeds into it, and the incident response capability that activates when something goes wrong. The 2022 revision of the standard reorganised Annex A into 93 controls across four domains: organisational, people, physical, and technological. AMVLET is audited against all of them.

The combination matters. ISO 27001 without telemedicine certification is a generic information-security claim. Telemedicine certification without ISO 27001 is a single-product attestation that says nothing about whether the company behind it can sustain that posture beyond the certification window. The two together — independent ISMS certification from one auditor, video-specific certification from another, both maintained on a continuous surveillance cycle — are what regulators are actually asking for when they require "verifiable security." Anything less is a marketing claim with a logo on it.

What the audit actually looked for

The certification scope was the AMVLET video subsystem in its standard deployment configuration: end-to-end encrypted media between authenticated session participants, federated server topology with EU-resident infrastructure, no third-country routing, no plaintext recording paths, and the full administrative console used by clinical operators. Auditors verified that the platform's encryption implementation does not retain key material beyond the lifetime of a session, that no platform operator — at any privilege level — can attach an observer to an in-flight call, and that all media is purged from cache at session termination. Penetration tests were run against the publicly reachable surface and against the internal trust boundary; both phases closed without findings of high or critical severity.

For practitioners, the practical effect is straightforward. A video consultation conducted on AMVLET in the certified configuration meets the technical requirements of Annex 31b BMV-Ä for German statutory health-insurance care and the security-of-processing requirements of Article 32 GDPR in any EU member state, and the certificates are the kind of evidence that Article 32(3) lets a controller use to demonstrate compliance, so a supervisory authority does not have to re-audit every deployment from scratch. Certification does not shift the controller's own responsibility (Article 42(4) says so explicitly), but it turns an open question into a documented answer. For everyone else: it is the same standard your colleagues will eventually be required to meet. We chose to meet it now.

Two certifications, one platform

ISO/IEC 27001 secures the organisation. TSVC secures the call.

The two standards interlock: one certifies that AMVLET as a company runs a tested information security management system; the other certifies that the specific telemedicine video infrastructure has been tested, broken and fixed against a published clinical-grade specification.

ISO/IEC 27001:2022

The international ISMS standard

The 2022 revision is the working baseline for information security management worldwide. It requires a documented Information Security Management System, a current Statement of Applicability, evidence of operating effectiveness across 93 Annex A controls, and a continuous surveillance cycle: annual surveillance audits, with full recertification every three years.

Annex A.5 — Organisational: 37 controls covering policies, roles, segregation of duties, supplier relationships, and information classification.

Annex A.6 — People: 8 controls covering background screening, training, disciplinary process, and remote-working obligations.

Annex A.7 — Physical: 14 controls covering physical entry, equipment security, secure disposal, and environmental protection.

Annex A.8 — Technological: 34 controls covering cryptography, network security, secure development, and continuous logging and monitoring.

TSVC — Trusted Site Video Consultation

TÜVIT's telemedicine framework

TSVC is the dedicated certification scheme operated by TÜV Informationstechnik for video consultation infrastructure. It defines the test methodology, the in-scope controls, and the evidence requirements specific to a clinician-patient video session — the layer of detail that ISO 27001 deliberately leaves to sector-specific schemes.

Penetration testing: live testing of the public attack surface and internal trust boundary, with all high- and critical-severity findings remediated before certificate issue.

Transmission & encryption: verification that media in transit is encrypted with current ciphers, that key material is not retained, and that no operator can attach to an in-flight session.

Storage prohibition: verification that no media is written to persistent storage in violation of the specification — including operator caches, debug logs, and recovery snapshots.

KBV listability: the TSVC certificate, paired with the GDPR Art. 42 attestation, satisfies the technical preconditions to be listed by the National Association of Statutory Health Insurance Physicians.

Audit-to-architecture mapping

What auditors looked at, and what they found.

Selected mappings from the joint ISO 27001 + TSVC scope to the AMVLET deployment under audit. The full Statement of Applicability and certification dossier are available under NDA from the compliance team.

| Reference | Auditor question | How AMVLET answers it | Status |
|---|---|---|---|
| A.5.23 | Information security for use of cloud services | Self-hostable architecture eliminates implicit cloud-service trust. Where cloud is used, contractual controls and cryptographic separation are documented per tenant. | ✓ Verified |
| A.8.24 | Use of cryptography | End-to-end encryption on every channel: messages, media, and file transfer. Open-source Rust implementation independently auditable by the customer's own security team. | ✓ Verified |
| A.8.28 | Secure coding | Memory-safe language for the cryptographic core, mandatory peer review on all merges, automated SAST/DAST in the build pipeline, signed reproducible release artefacts. | ✓ Verified |
| TSVC §3 | Penetration testing of the live video plane | External and internal pentest cycles; closure of all high/critical findings before certificate issue; re-test on every major release. | ✓ Verified |
| TSVC §4 | Transmission, encryption, and key handling | DTLS-SRTP for media; perfect forward secrecy on every session; ephemeral key material with no server-side retention beyond call lifetime. | ✓ Verified |
| TSVC §5 | Prohibition on unauthorised storage of session content | No media path to persistent storage in the certified configuration; cache purge at session termination; debug logs scrubbed of media payloads by construction. | ✓ Verified |
| Art. 32 GDPR (DSGVO) | Security of processing: confidentiality, integrity, availability, resilience | E2EE of all session content (the encryption measure of Art. 32(1)(a)), self-hosted resilience, role-based access control. ISO 27001 + TSVC together supply the certification evidence contemplated by Art. 42. | ✓ Verified |
Annex A — Control families

The 93 controls behind a single certified call.

A subset of the ISO/IEC 27001:2022 Annex A controls that are most directly load-bearing for a clinician-patient video consultation. Every control is tested for design and operating effectiveness on the surveillance cycle.

A.5.7

Threat intelligence

Continuous collection and analysis of threats to the platform — including telemedicine-specific attacker patterns observed across the federated network.

A.5.30

ICT readiness for business continuity

The certified configuration survives the loss of any single node without breaking active sessions — a working precondition for clinical reliance on the platform.

A.5.34

Privacy and protection of PII

The platform treats every conversation as personal data of the highest sensitivity. Article 9 special-category data is the assumed default, not a configuration toggle.

A.6.3

Information security awareness, education, and training

Clinical operator training is delivered as part of every deployment — covering session hygiene, identity verification, and the limits of the certified configuration.

A.8.9

Configuration management

The certified configuration is published, versioned, and verifiable. A deployment that drifts from it loses its claim to the certification — and the operator gets a warning.

A.8.16

Monitoring activities

All control-plane activity is logged for the operator's own review — never for the vendor's. Audit trails are signed, append-only, and reviewable by external auditors.
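What "signed, append-only, and reviewable by external auditors" has to mean in code, as an added illustration (not AMVLET's implementation): each record carries the hash of its predecessor and a signature over its own content hash, so an edited record, a record removed from inside the chain, a re-ordering or a re-signing with a different key is detected by anyone holding the verification key. Field names and the sample events are constructed for this example. Python's standard library has no asymmetric signatures, so an HMAC stands in for the Ed25519 signature a production system would use so that the external auditor needs only a public key and the operator cannot re-sign its own history.

```python
"""Hash-chained, HMAC-signed audit trail with an independent verifier.

Added example. Each record links to the previous record's hash and is signed
over its own content hash; verify_trail() recomputes everything from scratch.
"""
import hashlib
import hmac
import json
import time
from typing import Optional

GENESIS = "0" * 64


def _canonical(record: dict) -> bytes:
    """Deterministic JSON so signer and verifier hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _sign(key: bytes, digest: str) -> str:
    return hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()


class AuditTrail:
    """Operator-side writer: append-only, every record chained and signed."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self.records = []

    def append(self, actor: str, action: str, target: str, ts: Optional[float] = None) -> dict:
        body = {
            "seq": len(self.records),
            "ts": ts if ts is not None else time.time(),
            "actor": actor,
            "action": action,
            "target": target,
            "prev": self.records[-1]["hash"] if self.records else GENESIS,
        }
        digest = hashlib.sha256(_canonical(body)).hexdigest()
        record = dict(body, hash=digest, sig=_sign(self._key, digest))
        self.records.append(record)
        return record

    def head(self) -> str:
        """Hash of the latest record. Publish it out-of-band (e.g. to the auditor)
        so that silently dropping the tail of the trail is detectable too."""
        return self.records[-1]["hash"] if self.records else GENESIS


def verify_trail(records: list, key: bytes, expected_head: Optional[str] = None) -> tuple:
    """Auditor-side check. Returns (ok, reason) and stops at the first defect."""
    prev = GENESIS
    for i, rec in enumerate(records):
        body = {k: v for k, v in rec.items() if k not in ("hash", "sig")}
        if body.get("seq") != i:
            return False, f"record {i}: sequence gap (record removed or inserted)"
        if body.get("prev") != prev:
            return False, f"record {i}: chain link does not match predecessor"
        digest = hashlib.sha256(_canonical(body)).hexdigest()
        if digest != rec.get("hash"):
            return False, f"record {i}: content modified after signing"
        if not hmac.compare_digest(_sign(key, digest), rec.get("sig", "")):
            return False, f"record {i}: signature invalid (re-signed with another key?)"
        prev = digest
    if expected_head is not None and prev != expected_head:
        return False, "trail truncated: head does not match the published head"
    return True, f"{len(records)} records verified"


def build_sample_trail(key: bytes) -> AuditTrail:
    """Constructed sample events for the demonstration; not real log data."""
    trail = AuditTrail(key)
    trail.append("dr.meier", "session.start", "consult-4711", ts=1_700_000_000.0)
    trail.append("admin.kern", "config.change", "turn.regions", ts=1_700_000_060.0)
    trail.append("dr.meier", "session.end", "consult-4711", ts=1_700_001_800.0)
    return trail


if __name__ == "__main__":
    key = b"demo-signing-key-kept-in-an-hsm-in-production"
    trail = build_sample_trail(key)
    print(verify_trail(trail.records, key, trail.head()))
    tampered = [dict(r) for r in trail.records]
    tampered[1]["target"] = "media.recording_path"   # a quiet edit to a config-change record
    print(verify_trail(tampered, key))
```

The chain alone cannot tell an auditor that the last records were deleted; that is what the published head is for, and why the verifier takes `expected_head` as a separate input rather than trusting the trail to describe its own length.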

A.8.25

Secure development life cycle

Secure-by-default architecture, threat modelling on every major feature, mandatory pentests on the video subsystem before any change is shipped to the certified channel.

A.8.30

Outsourced development

Where any component is built outside the company, the supply chain is contractually bound to the same controls — and the binaries are reproducible and signed.

A.8.34

Protection of information systems during audit testing

Auditor-side handling of all evidence, including pentest artefacts, is governed by a documented procedure that mirrors the requirements applied to the production system.

Telemedicine in practice

The conversation is the patient record.

Most healthcare data-protection thinking is still organised around stored documents — the imaging file, the pathology report, the prescription. A video consultation breaks that mental model. The conversation itself is the record. What the patient says, what the clinician observes, the silence that says more than the words: all of it is medical data, all of it is special-category personal data under Article 9 GDPR, and all of it is exposed if the call is exposed.

A certified video plane is not a feature you can switch on. It is an architecture that has been examined, broken, repaired, documented, and re-examined under independent supervision. It is what your supervisory authority will eventually expect from you, and what your patients have already started asking about by name.

For practitioners using AMVLET, the certification is not a notice in a sidebar — it is the operating boundary of the platform. The certified configuration is the default. Drift away from it and the platform will tell you, in writing, that you have left certified scope. There is no quiet downgrade.
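The drift check described here and under A.8.9 above, as an added example that is not AMVLET's code: a published baseline maps each configuration key to the control it serves, a deployment's configuration is flattened and compared against it, and every deviation (including a key that is simply missing) is reported with the control reference, so the written warning names what was left. The configuration keys, control references and the sample deployment are hypothetical and constructed for this example.

```python
"""Configuration-drift check against a published certified baseline.

Added example. Every baseline key must be present and within bounds; any
deviation is reported together with the control it touches, so the operator
sees in writing which part of certified scope a change has left.
"""
from dataclasses import dataclass
from typing import Any

# Hypothetical baseline for illustration. Keys and control references are this
# example's own, not the vendor's published configuration.
CERTIFIED_BASELINE = {
    "media.e2ee":                  {"equals": True,  "ref": "TSVC §4", "why": "media must be end-to-end encrypted"},
    "media.recording_path":        {"equals": None,  "ref": "TSVC §5", "why": "no media path to persistent storage"},
    "media.debug_dump_payloads":   {"equals": False, "ref": "TSVC §5", "why": "debug logs must carry no media"},
    "session.join_requires_auth":  {"equals": True,  "ref": "TSVC §4", "why": "both participants authenticated on join"},
    "admin.observer_role_enabled": {"equals": False, "ref": "TSVC §4", "why": "no operator may attach to a live call"},
    "audit.log_mode":              {"equals": "append-only-signed", "ref": "A.8.16", "why": "signed, append-only audit trail"},
    "turn.regions":                {"subset_of": {"eu-central", "eu-west"}, "ref": "A.5.23", "why": "EU-resident media plane"},
}

_UNSET = object()   # sentinel: a baseline key the deployment does not set at all


@dataclass(frozen=True)
class Drift:
    key: str
    observed: Any
    expected: str
    ref: str
    why: str


def flatten(cfg: dict, prefix: str = "") -> dict:
    """Nested dict -> {"a.b.c": value}, so baseline keys can be looked up directly."""
    out = {}
    for k, v in cfg.items():
        if isinstance(v, dict):
            out.update(flatten(v, f"{prefix}{k}."))
        else:
            out[f"{prefix}{k}"] = v
    return out


def check_drift(deployment: dict) -> list:
    """Return one Drift per baseline rule the deployment violates (empty = in scope)."""
    flat = flatten(deployment)
    findings = []
    for key, rule in CERTIFIED_BASELINE.items():
        observed = flat.get(key, _UNSET)
        if "equals" in rule:
            ok = observed is not _UNSET and observed == rule["equals"]
            expected = repr(rule["equals"])
        else:
            allowed = rule["subset_of"]
            ok = isinstance(observed, (list, tuple, set)) and set(observed) <= allowed
            expected = f"subset of {sorted(allowed)}"
        if not ok:
            shown = "<unset>" if observed is _UNSET else observed
            findings.append(Drift(key, shown, expected, rule["ref"], rule["why"]))
    return findings


def in_certified_scope(deployment: dict) -> bool:
    return not check_drift(deployment)


def render_warning(findings: list) -> str:
    """The text an administrative console would show; nothing is hidden or downgraded quietly."""
    if not findings:
        return "Deployment is inside certified scope."
    lines = ["WARNING: deployment has left certified scope:"]
    for f in findings:
        lines.append(f"  {f.key} = {f.observed!r} (expected {f.expected}) violates {f.ref}: {f.why}")
    return "\n".join(lines)


# Constructed sample deployment with two deviations; not a real configuration.
SAMPLE_DEPLOYMENT = {
    "media": {"e2ee": True, "recording_path": "/var/lib/video/rec", "debug_dump_payloads": False},
    "session": {"join_requires_auth": True},
    "admin": {"observer_role_enabled": False},
    "audit": {"log_mode": "append-only-signed"},
    "turn": {"regions": ["eu-central", "us-east-1"]},
}

if __name__ == "__main__":
    print(render_warning(check_drift(SAMPLE_DEPLOYMENT)))
```

Treating a missing key as drift rather than as "default" is deliberate: a certified configuration is only verifiable if every security-relevant setting is explicit, so that a future release cannot change a default underneath a deployment that still believes itself in scope.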

Identity bound to session

Both participants are cryptographically authenticated on join. No "join via link" with an unverified counterparty.

No vendor-side observer

The platform operator — at any privilege level — cannot attach a silent observer to an active call. The certificate verifies the constraint.

EU-resident media plane

Media never traverses third-country infrastructure in the certified configuration. The deployment topology is part of the audited scope.

Continuous surveillance

The certificate is not a one-time stamp. ISO 27001 surveillance audits run annually, with full recertification on a three-year cycle and TSVC re-tests on every major release.

Patient-facing transparency

Patients see the certificate references in the consent screen — the same way they see the practice's BÄK registration. They learn to ask about it.

Clinical use cases

Where the certification actually earns its keep.

Eight representative scenarios in which the combined ISO 27001 + TSVC posture is not a marketing line but the deciding technical control.

General practice video consultations

Routine GP follow-ups, prescription reviews, and triage calls — the everyday telemedicine load that has to remain fully Annex 31b BMV-Ä compliant.

Specialist tele-consultations

Cardiology, dermatology, oncology imaging review — high-acuity sessions where the clinician's screen-share and the patient's video must remain end-to-end encrypted.

Mental health & psychotherapy

Sessions where the patient's willingness to speak depends entirely on knowing — and being shown — that no third party is on the line.

Multi-disciplinary case conferences

Tumour boards, complex-case rounds, and inter-hospital handovers — multi-party calls where every participant must be identity-bound and every recording prohibited.

Cross-border consultations within the EU

Specialist input from another member state without leaving EU residency — the federation keeps both sides in jurisdiction and within Article 32 GDPR scope.

Public-health & pandemic readiness

Surge capacity for population-scale tele-triage that does not depend on a non-EU vendor's terms of service to remain operational on the day it is needed.

Regulator-facing evidence packs

When a supervisory authority asks how Article 32 is satisfied, the answer is a certificate number and a dossier — not a meeting and a slide deck.

Clinical research with human subjects

Investigator-subject interviews and consent calls in regulated trials, where the chain of custody on the conversation is part of the regulatory submission.

Compliance interlocks

One platform, one set of evidence, every regime.

The same audited posture answers questions across every regulatory frame your legal team is asked about. There is no separate "compliance configuration" — the certified configuration is the default.

ISO/IEC 27001:2022

The international ISMS baseline

Independent third-party certification of the management system that produces and operates the platform — covering 93 Annex A controls across organisational, people, physical, and technological domains.

TSVC by TÜVIT

Trusted Site Video Consultation

TÜV Informationstechnik's dedicated telemedicine certification — penetration-tested, transmission-verified, and storage-prohibited. The technical floor for KBV listability under Anlage 31b BMV-Ä.

GDPR Art. 42

Certification mechanism

The two certificates together are the kind of formal certification mechanism that Article 42 GDPR contemplates as evidence of compliance. Under Article 32(3), adherence to such a mechanism may be used as an element to demonstrate that security of processing is met; under Article 42(4), it does not reduce the controller's own responsibility for compliance.

GDPR Art. 32

Security of processing

Encryption, pseudonymisation, ongoing confidentiality, integrity, availability, and resilience of processing systems — all evidenced by the underlying ISO 27001 audit and the TSVC pentest dossier.

SoA available

Statement of Applicability

The full Statement of Applicability — every Annex A control, its implementation status, and the evidence supporting it — is provided to customers under NDA as part of the deployment package.

Surveillance

Continuous, not one-shot

Annual ISO 27001 surveillance audits, full recertification every three years, and TSVC re-test on every major release of the video subsystem. The certificate window never ages without active maintenance.

Questions

Frequently asked.

Specific answers to the questions clinical IT leads, hospital DPOs, and procurement officers ask most often.

Who issues the certifications, and for what scope?
The information security management system is certified to ISO/IEC 27001:2022 by an accredited certification body, with full Annex A control coverage and an annual surveillance cycle. The telemedicine video infrastructure is certified by TÜV Informationstechnik (TÜVIT) under its Trusted Site Video Consultation (TSVC) scheme, which combines penetration testing with controls-based verification of transmission, encryption, and storage. The two certificates are scoped to interlock: ISO 27001 covers the organisation that builds and operates the platform; TSVC covers the specific video subsystem in its certified deployment configuration.
Does the certification automatically make us KBV-listable?
The certification satisfies the technical preconditions of Annex 31b to the Bundesmantelvertrag-Ärzte that an independent provider can be expected to satisfy. KBV listing also requires that your deployment is configured to remain inside the certified scope, and that your organisation provides the procedural and contractual elements of the listing dossier. The compliance team provides the technical evidence pack — including certificate references, scope statement, and Statement of Applicability extracts — that you can submit alongside your application.
What did the penetration test actually look at, and can we see the report?
The pentest covered the publicly reachable attack surface of the video plane, the authenticated session-establishment flow, the federated server-to-server boundary, and the administrative console. Tests included unauthenticated endpoint discovery, session-token replay, signalling-layer abuse, media-path tampering, and TURN-relay misconfiguration. All high- and critical-severity findings were closed before the certificate was issued; the closure evidence is available under NDA. We do not publish the unredacted pentest report, since doing so would sit badly with the information-classification and transfer controls the ISMS itself imposes (Annex A.5.12, A.5.14), but we provide the executive summary and remediation log to customer security teams under a mutual NDA.
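Session-token replay, one of the test classes named above, is defeated by a token that is bound to one session and one participant, expires quickly, and can be presented exactly once. The following is an added example (not AMVLET's code) of the issuing and verifying sides of such a token: the gate authenticates the bytes before reading any claim, checks the session binding and expiry, then records the token id so a second presentation is refused. Names, claim fields and the sample values are assumptions of this example; a production system would typically use an asymmetric signature so the media plane holds no issuing key.

```python
"""Single-use, session-bound join tokens with replay rejection.

Added example. The token binds session id, participant id, expiry and a
one-time id under an HMAC; the gate rejects tampering, wrong-session use,
expiry, and any second presentation of the same token.
"""
import base64
import hashlib
import hmac
import json
import secrets


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_join_token(key: bytes, session_id: str, participant_id: str, now: int, ttl: int = 60) -> str:
    """Issued by the signalling side only after the participant has authenticated."""
    claims = {"sid": session_id, "sub": participant_id, "exp": now + ttl, "jti": secrets.token_hex(16)}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64e(payload)}.{_b64e(tag)}"


class JoinGate:
    """Verifier at the media plane. Remembers used token ids until they expire."""

    def __init__(self, key: bytes):
        self._key = key
        self._used = {}   # jti -> exp, pruned so the set cannot grow without bound

    def _prune(self, now: int) -> None:
        for jti in [j for j, exp in self._used.items() if exp < now]:
            del self._used[jti]

    def admit(self, token: str, session_id: str, now: int) -> tuple:
        """Return (admitted, participant_id or reason). The order of checks matters:
        authenticate the bytes before trusting any claim inside them."""
        try:
            payload_b64, tag_b64 = token.split(".")
            payload, tag = _b64d(payload_b64), _b64d(tag_b64)
        except (ValueError, TypeError):
            return False, "malformed token"
        expected = hmac.new(self._key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad signature"
        claims = json.loads(payload)
        if claims.get("sid") != session_id:
            return False, "token issued for a different session"
        if now > claims.get("exp", 0):
            return False, "token expired"
        self._prune(now)
        if claims["jti"] in self._used:
            return False, "replay: token already used"
        self._used[claims["jti"]] = claims["exp"]
        return True, claims["sub"]


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    gate = JoinGate(key)
    tok = issue_join_token(key, "consult-4711", "patient:ab12", now=1_700_000_000)
    print(gate.admit(tok, "consult-4711", now=1_700_000_005))   # admitted
    print(gate.admit(tok, "consult-4711", now=1_700_000_010))   # replay refused
```

The replay set only has to live as long as the longest token lifetime, which is why a short TTL is a memory bound as well as a security bound; in a federated deployment the set must be shared (or tokens partitioned) across every node that can admit participants to the same session.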
How does ISO 27001 relate to GDPR Article 42 certification?
Article 42 GDPR contemplates approved certification mechanisms as a means of demonstrating compliance with key articles of the regulation, particularly Article 32 on security of processing. ISO 27001 is the most widely recognised international ISMS standard and is treated as load-bearing evidence by supervisory authorities. TSVC adds the sector-specific telemedicine layer that ISO 27001 deliberately leaves open. Together, they form the evidence pack a supervisory authority can assess without re-examining each customer deployment from scratch; under Article 42(4) that evidence supports, but does not replace, the controller's own accountability.
If we deploy AMVLET self-hosted, does the certification still apply?
Yes — provided you remain inside the certified configuration. The certification scope explicitly covers the standard self-hosted topology, because that is how a sovereign deployment is supposed to work. The platform actively monitors your deployment for drift from the certified configuration: if you change a setting that takes you outside scope, you will see a written warning in the administrative console identifying the specific control affected. You retain the choice; the platform refuses to lie about it on your behalf.
Can the platform vendor read or replay our consultations?
No. The constraint is verified directly by the TSVC audit: no operator at any privilege level can attach a silent observer to an in-flight session, and no media path writes to persistent storage in the certified configuration. End-to-end encryption is implemented in a memory-safe Rust core, with ephemeral key material that is not retained beyond the lifetime of the session. The cryptographic implementation is open source and independently auditable by your own security team — the certification is not a substitute for verification, it is an invitation to it.
How often is the certification renewed, and what happens if a finding emerges between audits?
ISO 27001 runs on an annual surveillance cycle with full recertification every three years. TSVC re-testing is performed on every major release of the video subsystem and on a defined recurring cadence. If a high- or critical-severity finding emerges between audits — whether from internal testing, customer disclosure, or external research — the standard incident-handling procedure under Annex A.5.24 and A.5.26 applies: triage, containment, remediation, lessons-learned, and notification of customers and the certifying body where the finding affects the certified scope. Certificates can be suspended; that is part of the discipline.

The certificate is not the point. Trust is.

Book a private briefing with our compliance team. We will walk through the ISO 27001 Statement of Applicability, the TSVC certification scope, and the evidence your DPO and clinical IT lead will need to deploy AMVLET as your video consultation backbone.
