One platform. Four sovereign modules. Zero data movement.
LumkoMDX is a federated data infrastructure for healthcare. Identity stays at the source; queries travel; insight returns. Each module works alone, but the whole is what makes sovereignty possible.
One coherent platform
the source institution
by architecture
No vendor lock-in
Healthcare data has always required a tradeoff. We removed it.
Every healthcare data system in existence asks the same question: how much identity exposure are we willing to accept in exchange for utility?
Aggregation platforms answer it by copying data into central warehouses. De-identification frameworks answer it by stripping fields and hoping. Both treat sovereignty as a policy enforced by humans — and humans, by definition, can be wrong, hacked, or coerced.
LumkoMDX answers it differently. Identity exposure is made structurally impossible by the Three-Boundary Model below. Patient records never leave the source system. Queries are federated. Only aggregated, consent-validated insight ever moves.
Three structural promises. Independently enforceable.
Identity stays at source
Cryptographic pseudonymisation happens before any field leaves the source EMR. The federation layer never sees identifiers.
Query is the only thing that travels
A query plan goes out; an aggregate comes back. Records, photos, free-text — all stay where they were created.
Consent is verified at execution
Every query checks consent at the moment it runs — not at sign-up. Revocations propagate in real time.
That is what "sovereign by design" means. Not a marketing line — a property of the system.
The whole platform in one path.
Every module earns its place by doing one job in this flow. The architecture makes it the only path possible.
Ask
A clinician, researcher or executive asks a question — in plain language or as a structured cohort filter.
Translate
Insight Studio compiles the question into a federated query plan. No identity touches this layer.
Route
The Federation Layer fans the plan out to participating sites. Each site executes against its own local data.
Aggregate
Only sums, counts, and consented summaries return. Audit & Consent signs every step before, during, after.
Four modules. Designed to compose.
Each module solves a specific problem. The architecture is what makes them sovereign together.
Tour the platform
Cohort Studio
Build patient cohorts across federated sites
Cohort Browser
Find the right patients — without ever seeing them.
A visual environment for building cohorts across federated sites. Every filter, every join, every count is computed at source. Results return as pseudonymous IDs.
- Natural-language and structured filtering
- Live counts as you refine criteria
- Saveable cohort definitions, versioned and auditable
- Direct handoff to Insight Studio
Insight Studio
Ask clinical questions in natural language.
A reasoning surface for clinical and operational analysis. Translates plain language into federated queries — and translates federated results back into plain answers, with full citation.
- Large-model reasoning, restricted to consented data
- Every answer cites its sources and audit trail
- Designed for operational, clinical, and research workflows
- Export to compliant deliverables
Federation Layer
Query travels. Data does not.
The protocol that makes the rest possible. A secure substrate that routes queries to participating sites, executes them locally, and returns aggregated results — never raw records.
- FHIR R5 native; OMOP and custom adapters on roadmap
- Designed for sub-second routing across federated sites
- Cryptographically signed at each boundary
- Operator-controlled — institutions never lose autonomy
Audit & Consent
Every action signed. Every consent checked.
A continuous record of who asked what, when, and under what authority. Consent is verified at the moment of every query, not at sign-up. Compliance is the byproduct, not the goal.
- Immutable, signed audit log per site
- Patient-level consent verification at query time
- Architecturally aligned with POPIA, HIPAA, GDPR
- Single-export regulator package
It's the combination that's sovereign.
Other approaches solve parts of this. The LumkoMDX difference is the system: sovereignty, federation, and execution-time consent together — by architecture, not policy.
| Capability | Centralised data lakes |
De-identification pipelines |
Federated research networks |
LumkoMDX |
|---|---|---|---|---|
| Identity stays at source | × | ◐ | ◐ | ● |
| No central data copy | × | × | ● | ● |
| Re-identification structurally impossible | × | × | ◐ | ● |
| Federated query at runtime | × | × | ● | ● |
| Consent verified at execution | × | × | ◐ | ● |
| Population-scale analytics | ● | ● | ● | ● |
● FULL ◐ PARTIAL × NOT BY DEFAULT
See LumkoMDX in action.
We'd rather show you than tell you. Walk through a working environment with real federated data.