ExorLive is used in health and care services, municipalities, clinics and organisations that require a high level of information security. We build the solution according to modern security principles and verifiable standards, ensuring that users, patients, and organisations can trust that data is handled securely.
Here you will find an overview of how ExorLive protects information – technically, organisationally, and legally.
Summary
Data is stored securely within the EU/EEA
All communication is encrypted (TLS 1.2+)
Data at rest is encrypted (AES-256)
Annual external security tests
ISO 27001 certified and ISAE 3000 audited
Role-based access control, logging and traceability
Support for BankID, SSO and IdP integrations (add-on services)
Regulations and Standards
ExorLive complies with all relevant laws and requirements related to the processing of personal data:
GDPR and national data protection laws
The Information Security Norm for the health and care sector
Requirements for data processors and security controls
Principles for risk management, access control, and continuous improvement
This ensures that ExorLive can be used safely in both the public and private sectors.
ISO Certifications and Security Audits
ExorLive is certified according to ISO/IEC 27001, the leading international standard for information security. The certification includes:
A documented and audited Information Security Management System (ISMS)
Established procedures for risk assessment, operations, access control and incident management
Controls that are continuously monitored and improved
Training and awareness for employees
ExorLive also performs:
ISAE 3000 audits, verifying that security processes and measures are followed in practice
Multiple annual third-party penetration tests of externally exposed services
For customers, this means that ExorLive follows internationally recognised best practices for information security – and that the security level is documented, measured, and continuously improved.
For Professionals: How ExorLive Protects Your Patients
Who can you see in ExorLive?
You can only see the clients you have added yourself or have been given access to.
To open other clients, you must:
actively search for them
confirm that you have a valid basis for access
register a comment
All lookups are logged and can be reviewed by an administrator.
Signing and Locking Training Programs
Training programs can be signed, preventing further changes.
Signing ensures integrity and documents professional responsibility.
Read more about how to sign training programs here.
Deletion and Nullification
Locked/signed programs cannot be deleted – only nullified.
Templates and non-personal programs can be deleted by their creator or an administrator.
Custom Exercises and GDPR
When you upload your own images or videos:
you retain the rights
you are responsible for obtaining consent from anyone appearing in the material
you choose how the exercise can be shared further
Read more about the rules for content here.
For Administrators: Secure Organisational Management
Roles and Permissions
ExorLive has a flexible role-based access system ensuring that:
each user only has access to what they need
permissions follow the organisational structure
changes are recorded and traceable
Administrators can create, deactivate or modify users in a secure and controlled manner.
Here you can read more about the different roles one can have in ExorLive.
Tree Structure
Organisations can be built in a hierarchical structure with units, departments and subgroups.
Access follows this structure so that users only gain insight where relevant.
Read more about how to do this here.
Activity and Access Logs
Administrators can generate reports at any time showing:
contact lookups
data changes
program access and signatures
system usage and logins
This provides control, traceability and documentation when needed.
Read more about reports in our help centre.
For IT Departments: Technical Security and Infrastructure
Identity and Authentication
Standard authentication:
Salted and hashed password storage
TLS-encrypted login
Available security modules (add-ons):
BankID (NO/SE/DK/FI) – ExorLive GO
Single Sign-On (SSO) via Azure AD/Entra ID
SAML2
OpenID Connect / OAuth2
IdP integration for organisations
These modules require a separate agreement.
Access Control
Personal user accounts (no shared accounts)
Permissions granted on a “least privilege” basis
All changes and lookups are traceable
Full logging of administrator actions
Encryption and Communication
All traffic is encrypted (HTTPS/TLS 1.2+)
All data at rest is encrypted (AES-256 or equivalent)
Video meetings are end-to-end encrypted (requires video module)
No recordings are stored by default
Hosting and Storage
ExorLive is hosted in Microsoft Azure Dublin (EU/EEA)
Daily encrypted backups (stored for 1 year)
Redundant storage for high availability
Continuous monitoring of performance and security
System Architecture
Modern three-tier architecture that limits exposure
Rapid vulnerability patching via DevOps processes
Continuous monitoring of capacity, performance and load
API Security
OAuth2-based access control
API keys with scopes
Rate-limiting and abuse protection
For Legal Officers and Procurement
Data Processing Agreement
ExorLive acts as a data processor, processing the personal data of the customer's end users on the customer's behalf.
The data processing agreement is integrated into the licence terms and complies with GDPR requirements.
The agreement can be found here.
Legal Basis for Processing
In health and public sector contexts, the typical legal bases are:
public interest / health purposes
consent
contractual relationship as a data processor
Sub-processors
We only use established and documented vendors:
Microsoft Azure (hosting, storage)
Microsoft Customer Lockbox is enabled
Atlassian/AWS (support tools)
No data is stored outside the EU/EEA.
Correction, Deletion and Service Termination
When the service ends, data can:
be securely deleted
be exported by agreement
Access, integrations and users are deactivated as part of the termination process.
Do you have any more questions? See if you can find any answers in our Security FAQ, read more in our help centre, or contact us!
