We're on Medica 2023, come say "hi" and connect in Hall 12, Booth E53-03!

Back to blog

ISO 13485 vs. ISO 9001 - A Comparison Panel

Quality management systems (QMS) are essential for organizations across various industries to ensure product and service quality, compliance with regulations, and customer satisfaction.

Two prominent international standards that address quality management are ISO 9001 and ISO 13485.

While both standards aim to enhance quality, they serve different purposes and cater to distinct sectors. In this extensive comparison panel, we will delve into the key differences and similarities between ISO 9001 and ISO 13485, shedding light on their applications, requirements, and benefits.

post illustration

Understanding ISO Standards

ISO 9001: The Universal QMS Standard

ISO 9001, officially known as “ISO 9001: Quality Management Systems - Requirements”, stands as the pinnacle of global recognition when it comes to quality management standards. This internationally acknowledged framework, established by the International Organization for Standardization (or ISO), plays a pivotal role in guiding organizations, regardless of their industry or size, in developing, implementing, and sustaining an efficient and effective QMS.

At its core, ISO 9001 essentially revolves around one objective: elevating customer satisfaction by consistently meeting their requirements and relentlessly improving operational processes. It’s not confined to any specific industry, making it truly universal and adaptable.

This adaptability makes ISO 9001 an invaluable tool for organizations across sectors and geographies.

Key Principles of ISO 9001:

  • Process-Based Management: ISO 9001 places a strong emphasis on a process-oriented approach to management. This means organizations are encouraged to view their operations as a series of interconnected processes, each contributing to the overall efficiency and quality of the product or service. By analyzing and optimizing these processes, organizations can enhance their performance and deliver consistent results.
  • Customer Focus: ISO 9001 places customers at the center of its philosophy. Meeting and exceeding customer expectations is a core goal. This not only involves understanding customer needs but also actively seeking feedback and using it to drive improvements. By maintaining a customer-centric approach, organizations can build trust and loyalty among their clientele.
  • Leadership Involvement: Effective leadership is a critical component of ISO 9001. Leaders within the organization are expected to provide clear direction, establish a culture of quality, and actively engage in the QMS implementation. Their commitment and support are essential in ensuring that quality objectives are met and sustained.
  • Data-Driven Decision-Making: ISO 9001 emphasizes the importance of data and evidence-based decision-making. Organizations are encouraged to collect and analyze data related to their processes and performance. This data-driven approach allows for informed decision-making, helping organizations identify areas for improvement and make changes that lead to greater efficiency and quality.

In essence, ISO 9001 stands as a shining example of excellence in quality management that knows no boundaries or industry restrictions. It equips organizations with the tools to create a structured and systematic approach to quality, leading to ongoing improvements, delighted customers, and sustained success. By embracing the principles of ISO 9001, organizations not only meet international standards but also position themselves for success in today’s competitive, customer-centric business world.

ISO 13485: Quality Management for Medical Devices

ISO 13485, formally known as “ISO 13485: Medical Devices - Quality Management Systems - Requirements for Regulatory Purposes,” stands as a highly specialized standard tailored exclusively for organizations engaged in the intricate realms of medical device production, distribution, and servicing.

Published by the International Organization for Standardization (ISO), this standard not only sets the benchmarks for excellence but also serves as the cornerstone for compliance with stringent regulatory bodies such as the U.S. FDA and the European Union’s MDR.

The significance of ISO 13485 is rooted in its unwavering dedication to safeguarding the well-being of patients and healthcare practitioners. Here, we delve into the core tenets of ISO 13485 and explore why it is indispensable for those navigating the complex landscape of medical devices:

  • Product Safety at the Forefront: ISO 13485 places an unshakable emphasis on the paramount importance of product safety. Given the critical role medical devices play in healthcare, this standard sets rigorous criteria to ensure that every aspect of design, production, and distribution prioritizes the safety of patients and users. This focus extends to risk management, where potential hazards are assessed and mitigated to prevent harm.
  • Regulatory Compliance as a Cornerstone: In the realm of medical devices, adherence to regulations is non-negotiable. ISO 13485 aligns seamlessly with the requirements of regulatory authorities worldwide. It provides a robust framework to ensure that organizations meet and exceed the regulatory expectations and legal obligations specific to medical devices. This alignment simplifies the process of obtaining necessary approvals, including CE marking in Europe or FDA clearance in the United States.
  • Holistic Quality Management Systems: ISO 13485 mandates the establishment and maintenance of comprehensive QMS that are specially tailored for the unique challenges of the medical device industry. These systems encompass every facet of an organization’s operations, from design and development to manufacturing, testing, and post-market surveillance. The standard provides a systematic approach to quality assurance, emphasizing the consistency and traceability of processes.
  • Continuous Improvement: Beyond compliance and safety, ISO 13485 promotes a culture of continuous improvement. Organizations are encouraged to monitor and evaluate their QMS regularly. By analyzing data, soliciting feedback from users and stakeholders, and conducting internal audits, they can identify opportunities for refinement and enhancement, ensuring that their products and processes evolve in tandem with technological advancements and changing healthcare needs.

In conclusion, ISO 13485 epitomizes the pinnacle of quality management for the medical device industry. It offers a robust foundation upon which organizations can build their commitment to patient safety, regulatory compliance, and operational excellence.

By adhering to the principles and standards set forth in ISO 13485, organizations can not only thrive in the highly regulated medical device sector but also contribute to the betterment of healthcare worldwide by delivering reliable, safe, and effective medical devices.

Key Differences

When comparing ISO 9001 and ISO 13485, it becomes evident that these standards are tailored to different industries and have distinct emphases. Let’s dive deeper into their key differences.

Industry Focus

  • ISO 9001: ISO 9001 serves as a generic standard with broad applicability. It extends its reach across a wide spectrum of industries, spanning manufacturing, services, education, finance, and many more.

The central objective of ISO 9001 is to bolster the overall quality and enhance customer satisfaction. It provides a versatile framework for organizations to develop quality management systems, fostering operational excellence and customer-centric approaches.

  • ISO 13485: In stark contrast, ISO 13485 is a specialized standard exclusively designed for the medical device industry.

This standard addresses the intricate challenges, nuances, and regulatory requirements inherent to the design, production, and distribution of medical devices. Compliance with ISO 13485 is often a legal mandate for medical device manufacturers, ensuring that products are developed and distributed with the utmost safety and effectiveness in mind.

Regulatory Requirements

  • ISO 9001: ISO 9001 serves as a foundation for organizations to demonstrate their dedication to quality, but it refrains from specifying detailed regulatory requirements. Instead, it adopts a flexible approach to implementation, permitting organizations to adapt their Quality Management Systems according to their unique needs and contextual factors. ISO 9001 encourages a proactive stance towards quality but leaves room for adaptation.

  • ISO 13485: ISO 13485 embeds more rigorous and specific regulatory requirements, especially geared towards the medical device industry. It aligns with regulatory frameworks like the FDA’s Quality System Regulation and the European Medical Device Regulation. For organizations in this sector, ISO 13485 compliance is not just a matter of best practice but a mandatory step for legal compliance, ensuring that medical devices meet the highest standards of quality and safety.

Risk Management

  • ISO 9001: While risk management is indeed important within ISO 9001, its emphasis is more generalized. It encourages organizations to identify, assess, and manage risks to improve overall efficiency and effectiveness.

The focus extends beyond product safety and regulatory compliance, aiming to enhance operational performance across various industries.

  • ISO 13485: ISO 13485 places a strong focus on risk management due to the critical nature of medical devices. This standard necessitates organizations to meticulously identify, assess, and mitigate risks associated with both their products and the processes involved in their creation.

This approach ensures that medical device manufacturers prioritize the safety of patients and users, as well as compliance with stringent regulatory requirements.

Thus, ISO 9001 and ISO 13485 represent two distinct approaches to quality management tailored for different sectors.

ISO 9001 offers versatility and broad scope, fostering quality and customer satisfaction across diverse industries.

In contrast, ISO 13485 specializes in the medical device realm, incorporating strict regulatory adherence and a heightened focus on risk management to guarantee the safety and effectiveness of medical products.

Understanding these differences is essential for organizations to select the right standard that aligns with their industry, objectives, and compliance requirements.

Key Similarities

While ISO 9001 and ISO 13485 cater to different industries and have distinct areas of emphasis, they also exhibit significant commonalities that underscore their shared commitment to quality management.

These key similarities include:

1. Process Approach:

  • ISO 9001: ISO 9001 advocates a process-based approach, emphasizing the need to define, document, monitor, and continually improve processes. This approach allows organizations to manage their operations systematically and with a focus on efficiency and quality.
  • ISO 13485: Similarly, ISO 13485 also places a strong emphasis on a process-oriented approach, particularly when it comes to the design, production, and distribution of medical devices. It encourages organizations to define and control processes to ensure product safety and effectiveness.

2. Management Commitment:

  • ISO 9001: Both standards require active leadership involvement in quality management. In ISO 9001, top management plays a crucial role in setting quality objectives, allocating resources, and fostering a culture of quality throughout the organization.
  • ISO 13485: ISO 13485 shares this requirement for management commitment. In the medical device industry, the role of leadership is pivotal in ensuring that safety and regulatory compliance are at the forefront of organizational priorities.

3. Continuous Improvement:

  • ISO 9001: Continuous improvement is a fundamental concept in ISO 9001. Organizations are urged to monitor performance, gather data, and use this data to drive ongoing enhancements to their processes, products, and overall quality management systems.
  • ISO 13485: ISO 13485 also embraces the principle of continuous improvement. In the medical device industry, it’s essential for organizations to evolve with advancements in technology and the changing landscape of healthcare. Regular assessments and improvements are vital to maintaining the safety and efficacy of medical devices.

4. Customer Focus:

  • ISO 9001: Customer satisfaction is a central theme in ISO 9001. Organizations are expected to identify customer needs and expectations and then work diligently to meet or exceed them. A satisfied customer base is a key indicator of a well-implemented quality management system.
  • ISO 13485: Similarly, ISO 13485 underscores the importance of understanding and fulfilling customer requirements in the medical device context. Ensuring that medical devices meet the specific needs and expectations of healthcare professionals and patients is paramount to the standard’s objectives.

These shared elements emphasize that both ISO 9001 and ISO 13485 are built on a foundation of systematic quality management principles.

Regardless of their industry-specific nuances, these standards prioritize processes, leadership involvement, ongoing improvement, and, most importantly, the satisfaction of their end users. This alignment in core principles underscores the universal importance of these quality management standards in enhancing operational efficiency, product safety, and customer-centricity.

Benefits of ISO 9001 and ISO 13485

Benefits of ISO 9001

  • Enhanced Customer Satisfaction: ISO 9001 provides organizations with a robust framework for consistently delivering high-quality products and services. This, in turn, leads to increased customer satisfaction as customers receive products that meet their expectations and requirements.
  • Improved Operational Efficiency: ISO 9001 encourages the identification and optimization of processes, resulting in reduced waste, enhanced productivity, and cost savings. Streamlining operations and reducing errors leads to a more efficient and effective organization.
  • Increased Competitiveness: Organizations certified to ISO 9001 often enjoy a competitive advantage in the market. Customers and partners view ISO 9001 certification as a mark of commitment to quality, which can open doors to new opportunities and partnerships.
  • Greater Consistency and Traceability: ISO 9001 enforces a process-based approach, which enhances consistency in operations and enables traceability of processes, making it easier to identify and rectify issues.
  • Improved Risk Management: The data-driven decision-making encouraged by ISO 9001 helps organizations make informed choices and mitigate risks. This proactive risk management approach enhances the organization’s ability to weather unexpected challenges.
  • Enhanced Communication and Alignment: ISO 9001 fosters a culture of quality that encourages open communication and collaboration within organizations. This improved communication enhances teamwork and alignment with the organization’s quality objectives.

Benefits of ISO 13485

  • Compliance with Regulatory Requirements: ISO 13485 is a cornerstone for compliance in the highly regulated medical device industry. Organizations that adhere to this standard can navigate the complex web of regulations, including the FDA’s Quality System Regulation (QSR) and the European Union’s Medical Device Regulation (MDR), ensuring that their products meet the highest standards of safety and quality.
  • Enhanced Product Safety and Patient Outcomes: ISO 13485 places patient safety at the forefront by requiring rigorous risk management and quality control measures. This focus on safety directly contributes to improved patient outcomes, as it ensures that medical devices are reliable, effective, and safe to use.
  • Improved Risk Management in a Highly Regulated Industry: Given the critical nature of medical devices, ISO 13485’s stringent focus on risk management ensures that organizations in this sector identify, assess, and mitigate risks associated with their products and processes.
  • Greater Traceability and Control: ISO 13485 mandates comprehensive documentation and traceability throughout the product lifecycle, from design and development to production and post-market surveillance. This level of control assures the quality and safety of medical devices.
  • Increased Market Access and International Recognition: ISO 13485 certification is globally recognized and often a requirement for market access. It opens doors to international markets, giving organizations a competitive edge and broader reach.
  • Enhanced Organizational Reputation and Stakeholder Trust: Organizations certified to ISO 13485 demonstrate their unwavering commitment to quality, safety, and regulatory compliance. This builds trust among stakeholders, including healthcare professionals, patients, and regulatory authorities, enhancing the organization’s reputation and credibility.

That way, both ISO 9001 and ISO 13485 offer a wealth of benefits, but they are tailored to the specific needs and regulatory requirements of different industries.

The choice between these standards depends on the organization’s industry, objectives, and compliance needs.


In summary, ISO 9001 and ISO 13485 are both valuable quality management standards that serve different purposes.

ISO 9001 is a generic standard applicable to organizations across various industries, emphasizing customer satisfaction and process improvement. ISO 13485, on the other hand, is specific to the medical device industry and places a strong emphasis on regulatory compliance, risk management, and product safety.

Organizations should carefully assess their industry, objectives, and regulatory requirements to determine which standard is most suitable for their needs. In some cases, organizations may choose to implement both standards, leveraging the benefits of each to enhance overall quality and compliance.

Ultimately, the choice between ISO 9001 and ISO 13485 will depend on an organization’s specific context and goals, with the overarching aim of delivering high-quality products and services while meeting industry-specific requirements.


Ready for more?

or stop by our instagram icon or linkedin icon to say hello =)

Terms of use



ICure SA is incorporated in Geneva, Switzerland, with a registered office at Rue de la Fontaine 7, 1211 Geneva, Switzerland registered in the commercial registry under CHE-270.492.477 (“iCure”).

These Terms of Use constitute a legally binding agreement made between you, whether personally or on behalf of an entity (“you”) and iCure SA (“we,” “us” or “our”), concerning your access to and use of the https://www.icure.com website as well as any other media form, media channel, mobile website or mobile application related, linked, or otherwise connected thereto (collectively, the “Website”).

When you accept, these Terms form a legally binding agreement between you and iCure. If you are entering into these Terms on behalf of an entity, such as your employer or the company you work for, you represent that you have the legal authority to bind that entity.


iCure may, in its sole discretion, elect to suspend or terminate access to, or use of the iCure to anyone who violates these Terms.

All users who are minors in the jurisdiction in which they reside (generally under the age of 18) must have the permission of, and be directly supervised by, their parent or guardian to use the Website. If you are a minor, you must have your parent or guardian read and agree to these Terms of Use prior to you using the Website.

The original language of these Terms and Use is English. In case of other translations provided by iCure, the English version shall prevail.


The Content of the documentation stated on this Website is ours. All Marks, Content that concern iCure cannot be copied, reproduced, aggregated, republished, uploaded, posted, publicly displayed, encoded, translated, transmitted, distributed, sold, licensed, or otherwise exploited for any commercial purpose whatsoever, without our express prior written permission.

Provided that you are eligible to use the Website, you are granted a limited license to access and use the Website and to download or print a copy of any portion of the Content to which you have properly gained access solely for your personal, non-commercial use. We reserve all rights not expressly granted to you in and to the Website, the Content, and the Marks.


By using the Website, you represent and warrant that:

  1. All registration information you submit will be true, accurate, current, and complete; you will maintain the accuracy of such information and promptly update such registration information as necessary.
  2. You have the legal capacity, and you agree to comply with these Terms of Use.
  3. You are not under the age of 13.
  4. Not a minor in the jurisdiction in which you reside, or if a minor, you have received parental permission to use the Website.
  5. You will not access the Website through automated or non-human means, whether through a bot, script, or otherwise.
  6. You will not use the Website for any illegal or unauthorized purpose.
  7. Your use of the Website will not violate any applicable law or regulation.


You may not access or use the Website for any purpose other than that for which we make the Website available. The Website may not be used in connection with any commercial endeavors except those that are specifically endorsed or approved between you and iCure.

As a user of the Website, you agree not to:

  1. Publishing any Website material in any other media.
  2. Selling, sublicensing, and or otherwise commercializing any Website material.
  3. Publicly performing and or showing any Website material.
  4. Using this Website in any way that is or may be damaging to this Website.
  5. Using this Website in any way that impacts user access to this Website.
  6. Using this Website contrary to applicable laws and regulations, or in any way may cause harm to the Website, or to any person or business entity.
  7. Engaging in any data mining, data harvesting, data extracting, or any other similar activity in relation to this Website.
  8. Using this Website to engage in any advertising or marketing.


This Website is provided “as is,” with all faults, and iCure expresses no representations or warranties, of any kind related to this Website or the materials contained on this Website. Also, nothing contained on this Website shall be interpreted as advising you.


In no event shall iCure, nor any of its officers, directors, and employees shall be held liable for anything arising out of or in any way connected with your use of this Website whether such liability is under this agreement. iCure, including its officers, directors, and employees shall not be held liable for any indirect, consequential, or special liability arising out of or in any way related to your use of this Website.


You hereby fully indemnify iCure from and against any and/or all liabilities, costs, demands, causes of action, damages, and expenses arising in any way related to your breach of any of the provisions of these Terms.


If any provision of these Terms is found to be invalid under any applicable law, such provisions shall be deleted without affecting the remaining provisions herein.


iCure is permitted to revise these Terms at any time as it sees fit, and by using this Website you are expected to review these Terms on a regular basis.


iCure is allowed to assign, transfer, and subcontract its rights and/or obligations under these Terms without any notification. However, you are not allowed to assign, transfer, or subcontract any of your rights and/or obligations under these Terms.


These Terms constitute the entire agreement between iCure and you in relation to your use of this Website and supersede all prior agreements and understandings.


These Terms shall be governed by and construed in accordance with the laws of Switzerland, without regard to its conflict of law provisions.

The parties shall attempt to solve the matter amicably in mutual negotiations. In case of a non-amicable settlement that has been found between the parties, the Court of Geneva will be competent.


Please refer to our Privacy Policy and Cookie Notice for the Data that we collected from the contact form and the Matomo cookie.

iCure SA

Contact: contact@icure.com

Last update: November 2nd, 2022.

Privacy Policy


iCure SA (iCure) is incorporated in Geneva, Switzerland, with a registered office at Rue de la Fontaine 7, 1204 Geneva, Switzerland registered in the commercial registry under CHE-270.492.477.

This Privacy Policy describes the information that we collect through our Website (https://www.icure.com), how we use such information, and the steps we take to protect such information. We strongly recommend that you read the Privacy Policy carefully.


The original language of this Privacy Policy is English. In the case of other translations provided by iCure, the English version shall prevail.

This Privacy Policy is incorporated into and is subject to, the iCure Terms of Use.

1. Definitions

Administrative Data: means Personal Data such as the Name, Email, and Phone in order to perform administrative tasks like Invoicing or contacting the Client (if support is needed).

Cookies: means text files placed on a computer to collect standard internet log information and visitor behavior information. When you visit a website, they may collect information from a computer automatically through cookies or similar technology (for further information please refer to our Cookies Notice, visit allaboutcookies.org.).

Data controller: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Data processor: means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Personal Data: means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing: means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Visitor: means the natural person that submits their Personal Data through our contact form; and/or sends us an email; and/or cookies have been implemented.

All other undefined terms used in this Agreement have the meaning from our Terms and Conditions and the General Data Protection Regulation of the Regulation (EU) 2016/679 of 27 April 2016 (GDPR).

2. Concerning your Personal Data

For this website, iCure collects and determines the use and the purpose of any Personal Data uploaded by the visitor, therefore iCure is defined as the Data Controller according to the GDPR.

2.1 Contact Form

iCure collects Administrative Data that the Visitor completed in our contact form available through our Website.

The Administrative Data that Visitor provides to iCure on this contact form are the First name, the last name, the working e-mail address, the name of your organization, and other Personal Data that the Visitor included in the description of its work.

iCure processes these Administrative Data on the lawful basis of the Visitor’s consent (Article 6, 1. a) of the GDPR).

iCure uses these Administrative Data to perform administrative tasks like contacting the Visitor who completed the contact form, to better understand your needs and interests, and to provide you with better service.

2.2 Email

The Visitor can contact iCure through contact@icure.com to get any information about the Company or new job positions. In this email, the Visitor includes his Name, mail address, and any other Personal Data.

iCure processes these Personal Data on the lawful basis of the Visitor’s consent (Article 6, 1. a) of the GDPR).

iCure uses these Personal Data to answer any request from the Visitor and to consider the Visitor’s job application that they sent us by email.

2.3 Newsletters

iCure offers newsletters to provide you with updates, promotional communications, and offers related to our products and services. If you wish to receive our newsletters, we will collect and process your Personal Data for this specific purpose.

iCure processes these Personal Data on the lawful basis of the Visitor’s consent (Article 6, 1. a) of the GDPR). By subscribing to our Newsletters, you explicitly consent to the use of your Personal Data for direct marketing purposes, including the sending of promotional communications and offers by email.

If you do not want your Personal Data to be further processed for direct marketing purposes, you have the right to withdraw your consent at any time, free of charge and without having to provide any justification, by contacting iCure.

3. Security

iCure has implemented appropriate technical and organizational measures to safeguard your Personal Data against any accidental or illicit destruction, loss, modification, deterioration, usage, access, divulgation, and any other unauthorized processing of your Personal Data. We make every effort to protect personal information. However, you should always be careful when you submit personal or confidential information about yourself on any website, including our website.

4. The data retention period and the conditions for deletion

iCure will not retain your Personal Data, as collected, and processed in accordance with this Privacy Policy, for a period longer than necessary to fulfill the purposes described above.

For the Administrative Data from the contact form completed by the Visitor (as described in section 2.1 of this Privacy Policy), these Data shall be stored for a maximum period of 1 month from the completion of the form.

For the Personal Data from the Email completed by the Visitor (as described in section 2.2 of this Privacy Policy), these Data shall be stored for a maximum period of 2 months from the completion of the form.

For the Personal Data from the Newsletters completed by the Visitor (as described in section 2.3 of this Privacy Policy), these Data shall be stored for a maximum period of 11 months from the date of your consent or until you withdraw it.

5. Your rights

You are entitled to access your Personal Data processed by iCure and request their modification or erasure if it is incorrect or unnecessary. To exercise your rights, you may get in touch with iCure by using the electronic contact form available on our website or send a written and signed request to iCure at the email address privacy@icure.com with a copy of your ID or other identification documents, and any document proving that you are the data subject.

In general, where applicable, you also have the right to withdraw consent to the processing at any time. This withdrawal does not affect the lawfulness of processing based on consent made prior to such withdrawal. In certain cases, you also have the right to data portability. Those rights can be exercised by following the abovementioned procedure.

You have the right to lodge a complaint with a supervisory authority, in the Member State of the European Union of your usual place of residence, your place of work, or the place where the violation occurred, if you consider that the processing of personal data relating to you infringes Data Protection Law.

Please, note that the term of processing of such request can take up to one month. Contact: privacy@icure.com

6. Modification

iCure expressly reserves the right to modify this Privacy Policy and you undertake to regularly review the Privacy Policy. By amending the Privacy Policy, iCure will consider your legitimate interests. You will receive a notification if the Privacy Policy is modified. By continuing to actively use the iCure Services after such notification, you acknowledge that you have read the modifications to the Privacy Policy.

7. Information Sharing

Our employees and/or authorized contractors are the people in charge of the Data Processing.

iCure does not sell, rent, or lease any individual’s personal information or lists of email addresses to anyone for marketing purposes, and we take commercially reasonable steps to maintain the security of this information.

However, iCure reserves the right to supply any such information to any organization into which iCure may merge in the future or to which it may make any transfer in order to enable a third party to continue part or all of its mission.

We also reserve the right to release personal information to protect our systems or business when we reasonably believe you to be in violation of our Terms of Use and Privacy Policy or if we reasonably believe you to have initiated or participated in any illegal activity.

In addition, please be aware that in certain circumstances, iCure may be obligated to release your personal information pursuant to judicial or other government subpoenas, warrants, or other orders.

8. Links to other Websites

This Website may provide links to third-party websites (Instagram and Linkedin) for the convenience of our users. If you access those links, you will leave this website. iCure does not control these third-party websites and cannot represent that their policies and practices will be consistent with this Privacy Policy. For example, other websites may collect or use personal information about you in a manner different from that described in this document. Therefore, you should use other websites with caution and do so at your own risk. We encourage you to review the privacy policy of any website before submitting personal information.

9. Cookies

To get more information on how iCure uses Matomo’s cookies, please check our Cookie Notice.

10. Contact

Please contact us with any questions or comments about this Policy, your Personal Data, and our use and disclosure practices by email at privacy@icure.com If you have any concerns or complaints about this Policy or your Personal Data, you may contact our DPO at privacy@icure.com.

Please, note that the term of processing of such request can take up to one month.

iCure SA

Contact : privacy@icure.com

Last update: July the 26th, 2023.

Information Security Policy


1. Introduction

The iCure universe is built on trust. Guaranteeing the confidentiality of the data that are entrusted to us is our highest priority.

The Information Security Policy of iCure abstracts the security concept that permeates every activity and abides by the ISO 27001:2013 requirements for Information Security, so that we ensure the security of the data that iCure and its clients manage.

Every employee, contractor, consultant, supplier and client of iCure is bound by our Information Security Policy.

2. Our Policy

iCure is committed to protecting the confidentiality, integrity and availability of the service it provides and the data it manages. iCure also considers protecting the privacy of its employees, partners, suppliers, clients and their customers as a fundamental security aspect.

iCure complies with all applicable laws and regulations regarding the protection of information assets and voluntarily commits itself to the provisions of the ISO 27001:2013.

3. Information Security Definitions

Confidentiality refers to iCure’s ability to protect information against disclosure. Attacks, such as network reconnaissance, database breaches or electronic eavesdropping or inadvertent information revealing through poor practices.

Integrity is about ensuring that information is not tampered with during or after submission. Data integrity can be compromised by accident or on purpose, by evading intrusion detection or changing file configurations to allow unwanted access.

Availability requires organizations to have up-and-running systems, networks, and applications to guarantee authorized users’ access to information without any interruption or waiting. The nature of data entrusted to us requires a higher-than-average availability.

Privacy is the right of individuals to control the collection, use, and disclosure of their personal information. Our privacy policies are based on the GDPR(https://gdpr-info.eu/) and can be augmented by added requirements of specific clients or law areas.

4. Risk Assessment

The main threats iCure is facing as a company are:

  1. Data Theft;
  2. Data Deletion;
  3. Denial of Service attacks;
  4. Malware;
  5. Blackmail and Extortion.

As providers of a solution used by developers active in Healthcare, we also have to anticipate the risks of:

  1. Attacks on our clients’ data, which could lead to major social damages and a loss of trust in our solution;
  2. Abuse of our solution by ill-intentioned clients, that could impact the quality of the service provided to the rest of our clients.

The motivation of the attackers in the latter cases can range from financial gain to political or ideological motivations.

A last risk is linked to the nature of the healthcare data we handle. We must ensure, that the data we handle are not used for purposes other than those for which they were collected:

A piece of data collected from a patient for the purpose of a medical consultation should not be available to third parties, not even a government agency.

5. Risk Management

The main principles we apply to manage the risks we face are:

  1. Confidentiality by design: All sensitive data is encrypted end-to-end before being stored in our databases. We do not have any access to the data we store. Our client’s customers are the only ones who can decrypt the data we store.
  2. Anonymization by design: Healthcare information that has to be stored unencrypted is always anonymized using end-to-end encryption scheme. This means that the link between the healthcare and administrative information must be encrypted.

Those two principles allow us to minimize the risks of data theft, blackmail, extortion, and coercion by government agency.

  1. Multiple real-time replicas, with automatic failover: We use a distributed database architecture to ensure that our data is available at all times. We use a master-master architecture, each data is replicated at least 3 times. Snapshots are taken every day to ensure that we can restore the data in case of a malevolent deletion event.
  2. Automatic password rotations: no single password can be used for more than 48 hours. Passwords are automatically rotated every 24 hours. In case of a password leak, we can limit the window of opportunity for an attack.

Those two principles allow us to minimise the risks of data deletion, denial of service attacks, and malware.

  1. Minimization of the attack surface: we deploy our systems in the most minimal way. We only expose the network services that are strictly necessary.
  2. Strict dependency management: we only use open-source software that is regularly updated and audited by the community. We favor dependency management software and providers that minimize the risk of supply chain poisoning.

Those two principles allow iCure to minimise the risks of intrusion by vulnerability exploit or supply chain attacks, two risks that could lead to data theft or data deletion.

6. Further Information

This policy is valid as of November 10th, 2022. For futher information please connect with us at privacy@icure.com


iCure SA

Rue de la Fontaine 7, 1204 Geneva, Switzerland


This website uses cookies

We use only one cookie application for internal research on how to improve our service for all users. It is called Matomo, and it stores the information in Europe, anonymized and for limited time. For more details, please refer to our and .