Regulatory posture

Software you can deploy today.

Synthology’s software products are non-device software under FD&C Act §520(o)(1)(D), the statutory carve-out added by §3060 of the 21st Century Cures Act of 2016. Software that solely transfers, stores, converts formats, or displays medical device data is not a device, and is not subject to FDA regulatory requirements applicable to devices. That means our DICOM/HL7 routing, VNA, and workflow products can be purchased and deployed without waiting on FDA premarket clearance.

We maintain ISO 13485–aligned quality discipline anyway, because shipping reliable medical-data infrastructure demands it — not because a regulator requires it.

Framework

Where we sit, statute by statute.

The regulatory framework that governs our products is the statute itself, not a derivative classification. We treat public disclosure of our posture as a customer service: procurement, IT security, and clinical compliance teams should be able to verify our position against the controlling law without making a phone call.

FD&C Act §520(o)(1)(D)

Active
Non-Device Software

Federal Food, Drug & Cosmetic Act §520(o)(1)(D), added by §3060 of the 21st Century Cures Act of 2016. Software functions solely intended to transfer, store, convert formats, or display medical device data are not devices and are not subject to FDA regulatory requirements applicable to devices. Our DICOM/HL7 routing, VNA, and workflow products fall squarely within this statutory carve-out.

FDA Guidance (2019)

Active
Non-device under §520(o)(1)(D)

"Medical Device Data Systems, Medical Image Storage Devices, and Medical Image Communications Devices" — FDA's 2019 final guidance implementing §520(o)(1)(D). Our products fall within the non-device carve-out defined therein.

QMS Framework

Active
ISO 13485-aligned

Quality Management System operated to ISO 13485:2016 + IEC 62304:2006+A1:2015 + IEC 62366-1:2015. Design controls, document control, CAPA process, complaint handling, software life-cycle discipline. Maintained internally because good software engineering doesn't depend on FDA registration.

Whole Portfolio

Active
Non-Device Software

Every Synthology and XyDromatics product as shipped and purchasable is non-device software under FD&C Act §520(o)(1)(D). The VNA Clinical and VNA Clinical Research products ship today within the same statutory carve-out as the rest of the portfolio. Classification memos maintained per product in SynthQMS.

Coordinated Vulnerability Disclosure

Active
RFC 9116

Public security.txt + PGP key for encrypted disclosure. Acknowledgment within 5 business days. Threat models, SBOM, penetration test reports per product. Policy: DOC-2026-227.

DUNS

Active
090142131

Active. General business identifier, auto-maintained by Dun & Bradstreet.

Available today

Eleven products. No FDA gate.

Each product below performs functions that fall within the §520(o)(1)(D) software carve-out: transfer, storage, format conversion, and display of medical device data, with no control or alteration of any connected medical device and no use in active patient monitoring requiring timely intervention. Per the controlling statute, these are not devices. Purchase, deployment, and operation can begin on your timeline, not FDA’s.

| Product | Function | Statutory status |
|---|---|---|
| XyDromatics Router | DICOM/HL7 routing + transformation rules | Non-Device · §520(o)(1)(D) |
| XyDromatics SR Engine | DICOM Structured Report → HL7 ORU^R01 conversion | Non-Device · §520(o)(1)(D) |
| XyDromatics Migration Engine | Cross-system DICOM/HL7 migration | Non-Device · §520(o)(1)(D) |
| XyDromatics Pathology Engine | Whole-slide image ingest + format conversion | Non-Device · §520(o)(1)(D) |
| XyDromatics Encounter Engine | POCUS encounter workflow with human-verify gate | Non-Device · §520(o)(1)(D) |
| XyDromatics VNA Repository | Vendor-neutral archive — storage + retrieval | Non-Device · §520(o)(1)(D) |
| XyDromatics VNA Migration | VNA-to-VNA migration | Non-Device · §520(o)(1)(D) |
| XyDromatics VNA Research | Research-use-only VNA storage | Non-Device · §520(o)(1)(D) |
| SynthIQ (Patent Pending) | Intelligent DICOM proxy load balancer | Non-Device · §520(o)(1)(D) |
| SynthCloudConnect | AI-vendor cloud transit with per-tenant temp storage | Non-Device · §520(o)(1)(D) |
| SynthInSight | Cross-router fleet analytics — aggregate-only, no PHI | Non-Device · §520(o)(1)(D) |

The clinical VNA products are non-device software too

XyDromatics VNA Clinical and VNA Clinical Research ship today as non-device software under §520(o)(1)(D), within the same statutory carve-out as the rest of the portfolio. VNA Clinical Research combines the research VNA with the clinical VNA. Like every product above, they can be purchased and deployed without waiting on FDA premarket clearance.

Standards we operate against

What we do anyway.

Our products are not FDA-regulated devices, but the Synthology Quality Management System is built to satisfy the standards a regulated firm would be held to. References here are by statute and standard; the internal procedures that implement each one are controlled documents in SynthQMS, available to auditors under NDA.

FD&C Act §520(o)(1)(D) Federal Food, Drug & Cosmetic Act, software-function carve-out

The statutory basis for our products being non-device software. Added to the FD&C Act by §3060 of the 21st Century Cures Act of 2016. Software that solely transfers, stores, converts formats, or displays medical device data is not a device and is not subject to FDA regulatory requirements applicable to devices.

FDA Guidance (Sep 2019) Medical Device Data Systems, Medical Image Storage Devices, and Medical Image Communications Devices

FDA's implementing guidance for §520(o)(1)(D). Defines the non-device category our products fall within.

ISO 13485:2016 Medical devices — Quality management systems

The operating standard for our QMS. The SynthQMS internal control plane is structured against this standard. We maintain ISO 13485 alignment internally because it produces better software, independent of FDA registration status.

IEC 62304:2006+A1:2015 Medical device software — Software life cycle processes

Software development life-cycle discipline. Applied to every product whether or not the product is a regulated device.

IEC 62366-1:2015 Application of usability engineering to medical devices

Usability engineering file maintained for each product as part of the development record.

ISO 14971:2019 Application of risk management to medical devices

Risk Management File framework (5×5 likelihood × impact matrix). RMF master + per-product RMFs maintained in SynthQMS.

FDA Guidance (Aug 2022) Clinical Decision Support Software

Reviewed when scoping product functions to confirm they remain within the §520(o)(1)(D) non-device software carve-out and do not cross into device functionality.

RFC 9116 A File Format to Aid in Security Vulnerability Disclosure

Public security.txt at /.well-known/security.txt. CVD program with PGP-encrypted submission path and 5-business-day acknowledgment SLA.

Security program

Found a vulnerability? We want to hear from you.

We run a Coordinated Vulnerability Disclosure program with published reporting paths, acknowledgment SLAs, and a public security.txt at the standard RFC 9116 location. Threat-modeling, SBOM generation, and per-product risk-management files are all controlled documents in our QMS — not afterthoughts, and not contingent on regulatory status.

Coordinated Vulnerability Disclosure

CVD policy at /security.txt (RFC 9116). Public PGP key for encrypted disclosure submissions. Acknowledgment within 5 business days; remediation timeline depends on severity. Policy: DOC-2026-227.

Threat Models

STRIDE-based threat model maintained per product. Updated each release cycle and on architectural changes. Available under NDA.

SBOM

Software Bill of Materials generated per build for every product (SPDX corpus + NOTICES.md). Third-party attribution shipped with every release.

Privacy + HIPAA

Products are PHI-free by default. HIPAA mode is a license feature on products that support it, gated by license-feature flag at runtime. Privacy Impact Assessment maintained per product.

Documentation

For auditors, partners, customers.

The full controlled-document set is maintained in SynthQMS under our 21 CFR Part 11–aligned audit-trail discipline. We share the documents below directly under NDA on request — the same way we’d share them if we were a regulated firm.

  • Intended Use Statements (per product)
  • §520(o)(1)(D) Classification Memos (per product)
  • Design History File / Device Master Record
  • Risk Management Files (master + per product)
  • Threat Models (master + per product)
  • Coordinated Vulnerability Disclosure Policy + Procedure
  • Software Bill of Materials (per product, per build)
  • Privacy Impact Assessments (per product)
  • Penetration test reports (per product, annual)
  • Conformance Statements (DICOM, IHE, HL7)
  • EULA + Hardware/Software requirements
  • VNA Clinical & Clinical Research §520(o)(1)(D) Classification Memos

Complaint reporting

A public channel for problem reports.

Even though our products are not FDA-regulated devices, we maintain a public-facing complaint channel as a customer service. Reports become regulated Complaint records in SynthQMS with immutable timestamps; investigation, CAPA where warranted, and closure are tracked through our quality system — the same discipline a regulated firm would apply.

The channel is open to anyone — clinicians, biomedical engineers, IT staff, patients, family members. You don’t need to be a customer.