Comparison

Fire Arrow vs Medplum

Medplum is an open-core FHIR backend with a commercial cloud and a strong React SDK. The two products overlap in scope (FHIR backend with authorization, GraphQL, and subscriptions) and differ in distribution, deployment shape, and the depth of the access-control model.

Review Fire Arrow editions Book an architecture comparison

Who this is for

Architects, CTOs, staff engineers, and product leaders evaluating FHIR infrastructure options.

Clinical applicability

A US-focused product looking for a managed cloud with patient and admin React components out of the box may favor Medplum's cloud. A team that needs a composable access model spanning patient self-service, service accounts, AI agents, and multi-tenant SaaS, or a self-hosted deployment with a vendor whose release artifacts and ISO 27001-aligned QMS feed into a regulated submission, may prefer Fire Arrow.

Capability comparison

Capability Fire Arrow Medplum
Distribution Self-hosted (Server) or Evoleen-hosted; container images Open-source self-host plus Medplum Cloud SaaS
Authorization model Rule-based with compartment validators, identity filters, property filters, search-parameter blocklists Project + AccessPolicy with FHIRPath conditions
GraphQL Built-in with separate graphql-read/graphql-search operations and search narrowing Built-in GraphQL on top of FHIR
CarePlan-to-Task scheduling Server-side materialization Bots / scheduled jobs
Frontend SDK API-only; bring your own UI React component library and admin app
Quality system for medical-device contexts Developed under Evoleen's ISO 27001-aligned QMS (certification in progress); release artifacts and product documentation feed customer SOUP qualification SOC 2 / HIPAA on Medplum Cloud; QMS scope is the customer's
Hosting regions Customer-chosen; EU-only deployments by default in EU contexts US regions on Medplum Cloud

When to choose Medplum

You want a managed FHIR cloud with first-party React components for admin and patient UIs, and US hosting works for your deployment.

When to choose Fire Arrow

You need a self-hosted-only deployment, EU residency by default, release artifacts and product documentation that feed your medical-device SOUP qualification under a vendor with an ISO 27001-aligned QMS, or a composable access model that combines organisation-scoped, compartment, care-coordination, and identity-filtered validators in one default-deny rule chain.

Related docs

Related pages

FAQ

Is Medplum a fair competitor on access control?

Both products implement granular FHIR access control. Medplum uses Project and AccessPolicy with FHIRPath conditions; Fire Arrow uses rules with a composable validator chain (compartments, organisation-scoped legitimate interest, organization compartment, care-coordination, allow/deny) plus identity and property filters. The two models cover most of the same ground; differences show up where multiple validators need to apply additively to the same role and resource, in search-parameter blocklists, and in the deny-by-default rule shape.

Can I migrate from Medplum to Fire Arrow?

FHIR R4 is the storage format on both sides, so the data is portable. Authorization configuration is product-specific and would be re-expressed in the destination's model.

Does Fire Arrow have a hosted SaaS like Medplum Cloud?

Evoleen Technology hosts Fire Arrow for customers as a managed deployment, including in EU regions. The model is per-customer hosting rather than multi-tenant SaaS.