Security ยท Compliance ยท Architecture

Built for clinical trust.
Designed for enterprise scale.

IOLDx Clinical is architected with a privacy-first, local-data model for the current early-access phase, with a clear roadmap to HIPAA-compliant cloud infrastructure for enterprise deployment.

โœ“
Data Privacy
No patient data transmitted to external servers. All session data stored locally in browser.
โš 
HIPAA Compliance
Current build: local-only storage (no PHI transmitted). Enterprise HIPAA-BAA available on request.
โ„น
FDA Classification
Clinical decision support tool. Not a medical device. Not subject to 510(k) clearance under current intended use.
1

Data Architecture & Privacy

IOLDx Clinical is currently deployed as a client-side web application hosted on AWS CloudFront/S3. This is an intentional architectural decision for the early-access phase:

  • No patient data leaves the browser. Biometric inputs (axial length, keratometry, ACD) are processed entirely in JavaScript on the user's device.
  • No backend database. Session outcomes are stored in localStorage โ€” scoped to the user's browser, never transmitted.
  • No user accounts required. No login means no identity data collected.
  • Claude Vision API is used only for biometer image parsing (Scan Report import). Images are sent to Anthropic's API via a Lambda proxy. No images are stored or logged.
Privacy by design: A surgeon entering a patient's AL=24.2mm and K=44.5D generates no identifiable health information. IOLDx Clinical does not collect names, DOB, MRN, or any PHI as defined under HIPAA.
Data Storage
Browser localStorage only
โœ“ No server-side storage
Data Transmission
Biometer images โ†’ Lambda โ†’ Claude API (optional)
โš  Images not retained
CDN / Hosting
AWS CloudFront + S3
โœ“ HTTPS enforced, TLS 1.2+
Analytics
Google Analytics 4 (page views only)
โœ“ No PII collected
2

FDA Regulatory Classification

IOLDx Clinical is a clinical decision support (CDS) tool intended for use by licensed ophthalmic surgeons. Under the 21st Century Cures Act and FDA's 2019 CDS guidance, software that:

  • Is not intended to replace clinical judgment
  • Displays the basis for its recommendations so clinicians can independently review
  • Is used by qualified healthcare professionals

...is classified as non-device CDS and does not require 510(k) clearance.

Current intended use: IOLDx Clinical is intended to assist qualified ophthalmic surgeons in reviewing published defocus curve data and calculating estimated IOL power targets. All outputs must be independently verified by the treating surgeon before clinical use. The software does not perform surgery, does not control medical devices, and does not provide a diagnosis.

All IOL defocus curve data is sourced from FDA Summary of Safety and Effectiveness Data (SSED) or peer-reviewed literature. Sources are labeled on each IOL card.

RegulationApplicabilityStatus
FDA 21 CFR Part 11 (Electronic Records) Applies to records submitted to FDA. IOLDx does not submit records to FDA. Not Applicable
FDA 510(k) Medical Device Non-device CDS under 21st Century Cures Act โ€” does not replace clinical judgment Exempt
FDA CDS Guidance (2019) Displays basis for recommendations; used by qualified professionals Compliant
HIPAA Privacy Rule No PHI collected or transmitted in current deployment Not Applicable (v1)
HIPAA Security Rule Required for enterprise cloud deployment with stored PHI Roadmap
SOC 2 Type II Required for enterprise SaaS with institutional contracts Roadmap
GDPR (EU) No personal data collected from EU users in current deployment Compliant (v1)
3

Scalability & Cloud Architecture Roadmap

The current deployment is intentionally lightweight for early validation. The enterprise architecture roadmap is designed to support acquisition-level scale:

Current (v1 โ€” Early Access)
โœ“ AWS CloudFront + S3 CDN
โœ“ AWS Lambda API proxy
โœ“ Flutter Web (cross-platform)
โœ“ Client-side only (no DB)
โ€” No user accounts
โ€” Local storage only
Enterprise Roadmap (v2)
โ†’ Supabase / PostgreSQL cloud DB
โ†’ Auth0 / Supabase Auth (SSO-ready)
โ†’ HIPAA BAA with cloud provider
โ†’ Role-based access (surgeon/admin)
โ†’ Practice-level outcomes dashboard
โ†’ HL7 FHIR export capability
For Alcon enterprise integration: IOLDx Clinical's Flutter Web architecture supports direct embedding into existing web portals. The API layer is designed for ARGOS/Lenstar CSV import and could be extended to support SMARTCataract or NGENUITY data export with standard REST endpoints. Timeline: 60โ€“90 days for enterprise API integration post-agreement.
4

Clinical Data Sources & Methodology

All defocus curve data used in IOLDx Clinical is sourced from publicly available regulatory submissions and peer-reviewed literature. No proprietary or confidential manufacturer data is used.

IOLData SourceType
Clareon PanOptix (TFNT00)FDA SSED PMA P930014/S131FDA SSED
Clareon Vivity (DFT015/DFW015)FDA SSED PMA P930014/S152FDA SSED
AcrySof IQ MonofocalFDA SSED PMA P930014FDA SSED
Clareon MonofocalFDA SSED PMA P930014/S148FDA SSED
TECNIS Symfony (ZXR00)FDA SSED PMA P060040/S050FDA SSED
TECNIS Synergy (DFR00V)FDA SSED PMA P060040/S079FDA SSED
IC-8 AptheraFDA SSED PMA P200037FDA SSED
Additional IOLs (6)Peer-reviewed literature + manufacturer dataGenerated
Generated data methodology: For IOLs without publicly available FDA SSED defocus curve data, curves are generated using published clinical study mean logMAR values at standard defocus steps (0, โˆ’0.5, โˆ’1.0, โˆ’1.5, โˆ’2.0, โˆ’2.5, โˆ’3.0 D) from peer-reviewed sources. These are clearly labeled "Generated" in the interface. Surgeons should verify against current manufacturer specifications.
5

Enterprise Inquiries & Compliance Documentation

For enterprise deployment, institutional licensing, HIPAA Business Associate Agreement (BAA), or Alcon integration discussions:

Developer Contact
Balamurali Vasudevan, BSOptom, PhD, MBA
Optometrist & Clinical Technologist
balamuralivasudevan@gmail.com
Available Documentation
โœ“ Intended Use Statement
โœ“ Data Flow Diagram
โœ“ Source code (on request)
โ†’ BAA template (on request)
โ†’ SOC 2 readiness assessment