Health
Audit

Service · SaMD & medical device software

Software as a Medical Device — passes the audit, ships on time.

IEC 62304-aligned development, ISO 13485 quality system, FDA submission documentation, firmware-to-cloud pipelines, and the companion mobile apps that ship alongside your device — all under one team, one contract.

Book a free 5-day auditSee case studies

FDA submission · SaMD & medical device

0%
  • DHF · Design History File
  • 02IEC 62304 SDLC evidence
  • 03Hazard analysis · ISO 14971
  • 04Risk management file
  • 05Cybersecurity SBOM
  • 06Threat model
  • 07Validation evidence pack
  • 08Cybersecurity premarket plan
62304·13485·14971audit-ready

What we build

Six things, in one engagement.

01

Class II / III SaMD development

IEC 62304-aligned SDLC from project start. Design History File (DHF) produced inline, not patched at submission.

02

510(k) + De Novo documentation

Software documentation per FDA premarket guidance. Validation protocols, hazard analysis, cybersecurity SBOM, predicate analysis.

03

Firmware ↔ cloud pipelines

OTA firmware updates, telemetry, fleet management, edge inference. AWS IoT, Azure IoT Hub, GCP IoT.

04

Companion mobile apps

iOS and Android apps designed to clear App Store / Play Store medical-device review. Apple HealthKit + CareKit, Android Health Connect.

05

ISO 13485 quality system

Aligned QMS for engagements that need it. Document control, change control, design controls, CAPA workflows.

06

Cybersecurity premarket package

SBOM, threat model, vulnerability response plan, secure update mechanism documentation. Per FDA 2023 final guidance.

Who it's for

Built for these teams.

See all personas

MedTech & device companies

End-to-end SaMD development with submission documentation produced alongside the code.

Read more

Recent work

One example, in numbers.

2 wks

MVP delivered on Meta Quest for a Dutch hospital

VR Medical Training

Tablet-VR medical training app for medical students at a Dutch hospital. 360°-video scenarios with branching decisions, in-VR evaluation system, server-loaded content. Built on Unity + Oculus SDK; delivered ahead of schedule and grew into 5 follow-on projects.

Read the case study

Tech we work with

IEC 62304ISO 13485ISO 14971FDA cybersecurity guidanceSwiftKotlinC++PythonAWS IoTAzure IoT Hub

Compliance scope

  • IEC 62304
  • ISO 13485
  • ISO 14971 (risk)
  • FDA premarket cybersecurity (2023)
  • EU MDR (for European submissions)
  • HIPAA

Our process

Predictable delivery — even when the scope isn't.

015 days

Audit & plan

We review your code, infrastructure, and compliance posture. You get a written report, architecture diagram, gap analysis, and a fixed-price roadmap.

022-week sprints

Rescue or build

Weekly demo. Live dashboard with sprint velocity, open issues, and burndown. Read access to our repo from day one.

03Continuous

QA & compliance

Automated and manual testing, security review, HIPAA-readiness check, optional third-party penetration test.

04Ongoing

Deploy & optimize

Production launch with monitoring, on-call rotation if you want it, continuing development at a steady cadence.

FAQ

Questions we get on the first call.

We've never run IEC 62304 before. Can you bring the process?

Yes. Our SDLC is 62304-aligned by default for SaMD engagements. We bring the templates, traceability matrix, and document control. Your QMS lead sees the artifacts produced alongside the code.

Can you support Class III submissions?

Yes, with partner regulatory consultants for the parts that require submission-specialist depth. We've supported Class III SaMD as the software engineering partner.

How does cybersecurity submission documentation work?

Per the 2023 FDA final guidance, you need: SBOM (we generate from CI), threat model (we author with your team), vulnerability response plan (we draft, you adopt), and secure-update mechanism documentation. All produced as part of the engagement.

Other services

All services

01

EHR / EMR

02

Telemedicine

03

RPM

04

Healthcare AI

05

Interoperability

06

Patient engagement

Insights · Read more

Background reading for buyers.

All insights
Laptop dashboard with stethoscope — IEC 62304 in practice
MedTechMar 26, 2020

IEC 62304 in practice: what it actually requires (and what people get wrong)

62304 doesn't tell you to write tests. It tells you to write tests that trace to requirements that trace to user needs. Here's what that looks like in a real codebase.

Serhii Kholin

Serhii Kholin · 14 min

Laptop with security padlock UI — FDA premarket cybersecurity
MedTechAug 21, 2023

FDA's 2023 cybersecurity premarket guidance: what changed for SaMD teams

The new guidance pushed cybersecurity from optional to mandatory in the submission package. Here's what your DHF needs to include now.

Serhii Kholin

Serhii Kholin · 10 min

Magnifying glass over HIPAA document with stethoscope
ComplianceJun 19, 2021

What a HIPAA audit actually looks like — from the inside

Most teams build to a checklist and hope. We've sat across from the auditor — here's what they actually ask, and what surprises engineering teams.

Denis Sheremetov

Denis Sheremetov · 8 min

Start with the audit

5 days. Written report. No commitment.

Tell us what you're building or what's not working. We'll come back with a written audit and a fixed-price plan.

Request the auditSee case studies