Enterprise-Grade Security

Your patients' data is safe with us.

We treat security as a first principle, not a checkbox. Every architectural decision — from how we store a prescription to how an engineer accesses a server — is made with patient privacy at the centre.

Certifications & Standards

HIPAA Compliant
SOC 2 Type II
TLS 1.3 Encrypted Transit
AES-256 Encrypted at Rest
GDPR Ready
CCPA Compliant

Core Principles

Security built into everything

Not bolted on after the fact. Security is a foundational constraint in every product decision we make.

Encryption in Transit and at Rest

All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Patient records are readable only with explicit authorisation, and that applies to our own staff as well: engineers hold no standing access to production data, and any access that is granted is approved by more than one person and audited.

HIPAA-Compliant Infrastructure

Our entire stack — cloud hosting, databases, file storage, and third-party integrations — operates under signed BAAs and HIPAA-aligned controls.

Zero-Trust Access

Every internal system interaction is authenticated and authorised independently. No implicit trust. Least-privilege access by default across every service.

Isolated Tenancy

Each clinic's data is isolated at the database layer. Row-level security policies scope every query to the clinic bound to the current session, so one tenant's queries can never return another tenant's records, even if application code omits a filter.

Automated Backups

Encrypted point-in-time backups run every hour. Data is replicated across multiple availability zones. Recovery time objective: under 1 hour.

Continuous Threat Detection

Anomaly detection, intrusion prevention, and real-time alerting run 24/7. Suspicious access patterns trigger automatic session termination and team alerts.
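
One concrete form of the "suspicious access pattern" check described above, written as an added example rather than DocSuite's own detection code: a sliding-window detector over constructed audit-log lines (not real data) that flags any session reading more than a threshold of distinct patient records within five minutes, the signature of a bulk read or export, and records a terminate-session action for it. The log format, field names and thresholds are assumptions of this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample audit-log lines (not real data). Fields:
# timestamp  staff-user  session-id  action  patient-id
SAMPLE_LOG = """\
2024-05-01T09:00:05Z dr.patel  sess-a1 read   patient-1001
2024-05-01T09:03:10Z dr.patel  sess-a1 read   patient-1002
2024-05-01T09:20:44Z dr.patel  sess-a1 update patient-1001
2024-05-01T11:00:00Z nurse.kim sess-b7 read   patient-2001
2024-05-01T11:00:01Z nurse.kim sess-b7 read   patient-2002
2024-05-01T11:00:02Z nurse.kim sess-b7 read   patient-2003
2024-05-01T11:00:03Z nurse.kim sess-b7 read   patient-2004
2024-05-01T11:00:04Z nurse.kim sess-b7 read   patient-2005
2024-05-01T11:00:05Z nurse.kim sess-b7 read   patient-2006
2024-05-01T11:00:06Z nurse.kim sess-b7 read   patient-2001
2024-05-01T11:00:07Z nurse.kim sess-b7 read   patient-2007
"""

MAX_DISTINCT_PATIENTS = 5        # assumed threshold: more distinct charts than this per window is a bulk-read pattern
WINDOW = timedelta(minutes=5)    # assumed sliding window


def parse_line(line: str):
    """Split one audit line into (timestamp, user, session, action, patient)."""
    ts, user, session, action, patient = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, session, action, patient


def detect_bulk_access(log_text: str, max_distinct: int = MAX_DISTINCT_PATIENTS,
                       window: timedelta = WINDOW) -> List[Dict]:
    """Return one alert per session that touches more than `max_distinct`
    different patient records within any `window`-long span of events."""
    recent: Dict[str, deque] = defaultdict(deque)   # session -> (timestamp, patient) events still inside the window
    alerts: Dict[str, Dict] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, session, action, patient = parse_line(line)
        if action not in ("read", "update"):
            continue
        events = recent[session]
        events.append((ts, patient))
        while ts - events[0][0] > window:           # drop events that have fallen out of the window
            events.popleft()
        distinct = {p for _, p in events}
        if len(distinct) > max_distinct and session not in alerts:
            alerts[session] = {
                "user": user,
                "session": session,
                "at": ts.isoformat(),
                "distinct_patients": len(distinct),
                "action": "terminate_session",      # response: kill the session and page the team
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bulk_access(SAMPLE_LOG):
        print(alert)
```

In the sample, dr.patel's two charts over twenty minutes are normal clinical use and produce nothing; nurse.kim's sixth distinct chart in five seconds trips the threshold, and the alert is raised once per session rather than once per subsequent line, so the response is not duplicated.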

Defence in Depth

Six layers of protection

No single control stands alone. Compromising one layer does not, by itself, compromise the whole.

Network Layer

  • DDoS protection & WAF on all public endpoints
  • TLS 1.3 for all data in transit
  • Private VPC — databases never exposed to public internet
  • Rate limiting & bot protection by default

Infrastructure Layer

  • Hosted on SOC 2 certified cloud providers
  • Multi-region replication for high availability
  • Automated vulnerability patching with zero-downtime deploys
  • Per-clinic isolation enforced with row-level security at the database layer
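
The row-level security claim made under Isolated Tenancy and again in this layer is the one a practitioner most wants to see in working form. The following is an added example, not DocSuite's code: SQLite has no native row-level security, so it emulates the Postgres pattern (a policy that compares each row's clinic_id with tenant state held on the session) using a per-connection function and a scoped view. The table, column and function names and the three patient rows are constructed for this example.

```python
import sqlite3
from typing import List, Optional


def open_tenant_db():
    """In-memory database with one shared patients table and a tenant-scoped view."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patients (id INTEGER PRIMARY KEY, clinic_id TEXT NOT NULL, name TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO patients (clinic_id, name) VALUES (?, ?)",
        [("clinic-a", "Ada"), ("clinic-a", "Babbage"), ("clinic-b", "Curie")],  # constructed rows
    )
    # Session state: which tenant this connection is acting for (Postgres would use a
    # session setting such as current_setting('app.clinic_id', true)).
    ctx = {"clinic_id": None}
    conn.create_function("current_clinic", 0, lambda: ctx["clinic_id"])
    # The "policy": a row is visible only if it belongs to the session's tenant.
    # With no tenant set, current_clinic() is NULL, the comparison is never true,
    # and the view returns nothing: it fails closed.
    conn.execute(
        "CREATE VIEW patients_scoped AS SELECT * FROM patients WHERE clinic_id = current_clinic()"
    )
    return conn, ctx


def set_tenant(ctx: dict, clinic_id: Optional[str]) -> None:
    """Bind the connection to a clinic (None clears the binding)."""
    ctx["clinic_id"] = clinic_id


def names(conn: sqlite3.Connection, sql: str, params=()) -> List[str]:
    return sorted(row[0] for row in conn.execute(sql, params))


# Weak form: application code must remember the tenant filter on every query ...
def patients_app_filtered(conn: sqlite3.Connection, clinic_id: str) -> List[str]:
    return names(conn, "SELECT name FROM patients WHERE clinic_id = ?", (clinic_id,))


# ... and one forgotten WHERE clause leaks every tenant's rows.
def patients_app_forgot_filter(conn: sqlite3.Connection) -> List[str]:
    return names(conn, "SELECT name FROM patients")


# Corrected form: the database applies the tenant scope regardless of what the query asks for,
# so even an attacker-controlled predicate can only narrow the result, never widen it.
def patients_scoped(conn: sqlite3.Connection, extra_where: str = "", params=()) -> List[str]:
    return names(conn, "SELECT name FROM patients_scoped " + extra_where, params)


if __name__ == "__main__":
    conn, ctx = open_tenant_db()
    set_tenant(ctx, "clinic-a")
    print("scoped:", patients_scoped(conn))
    print("forgot filter:", patients_app_forgot_filter(conn))
    print("hostile predicate:", patients_scoped(conn, "WHERE clinic_id = ?", ("clinic-b",)))
```

In Postgres the same shape is: ALTER TABLE patients ENABLE ROW LEVEL SECURITY and FORCE ROW LEVEL SECURITY, a CREATE POLICY ... USING (clinic_id = current_setting('app.clinic_id', true)), and a SET LOCAL app.clinic_id at the start of each request's transaction. Two caveats the emulation makes visible: the application must connect as a role that is neither the table owner nor BYPASSRLS, otherwise the policy is skipped, and the tenant binding must be cleared between requests on pooled connections.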

Application Layer

  • OAuth 2.0 authorization code flow with PKCE for sign-in
  • Session expiry with idle timeout enforcement
  • Role-based access control (RBAC) per staff member
  • Audit log on every record access and mutation
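
What the PKCE bullet buys, as an added example rather than DocSuite's implementation: the client derives a one-off code_verifier and its S256 code_challenge, the authorization server binds a single-use authorization code to that challenge, and the token endpoint releases a token only to a caller who can present the matching verifier. A stolen authorization code is therefore useless on its own. The in-memory code store and the token format are assumptions of this example; the S256 derivation follows RFC 7636.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# ---- client side ----
def make_code_verifier() -> str:
    # 32 random bytes encode to 43 unreserved characters, inside the 43..128 range RFC 7636 allows.
    return b64url(secrets.token_bytes(32))


def code_challenge(verifier: str) -> str:
    """S256 method: challenge = base64url(SHA-256(verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


# ---- authorization server side (hypothetical in-memory store, an assumption of this example) ----
_pending: Dict[str, str] = {}   # authorization code -> code_challenge it was bound to


def issue_code(challenge: str, method: str = "S256") -> str:
    """Authorization endpoint: bind a fresh single-use code to the client's S256 challenge."""
    if method != "S256":
        raise ValueError("only S256 is accepted; the 'plain' method gives no protection")
    code = secrets.token_urlsafe(32)
    _pending[code] = challenge
    return code


def exchange_code(code: str, verifier: str) -> Optional[str]:
    """Token endpoint: the code is consumed whether or not the verifier matches,
    so an attacker holding a stolen code gets exactly one guess."""
    challenge = _pending.pop(code, None)
    if challenge is None:
        return None                                   # unknown, expired or already used
    if not 43 <= len(verifier) <= 128:
        return None
    if not hmac.compare_digest(code_challenge(verifier), challenge):
        return None
    return "access-token-" + secrets.token_urlsafe(16)  # stand-in for a real token


if __name__ == "__main__":
    verifier = make_code_verifier()
    code = issue_code(code_challenge(verifier))
    print("legitimate exchange:", exchange_code(code, verifier) is not None)
    print("replay of same code:", exchange_code(code, verifier))
```

The server never sees the verifier until the exchange, and it stores only the challenge, so a leaked authorization log does not help an attacker either.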

Data Layer

  • AES-256 encryption at rest for all databases
  • Encrypted file storage with signed, time-limited URLs
  • PHI fields additionally encrypted at the column level, on top of whole-database encryption at rest
  • Automated backups every hour, retained for 30 days
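
The signed, time-limited URL pattern from the file-storage bullet, as an added example that is not DocSuite's code: the file path and an expiry timestamp are bound together under an HMAC, the verifier rejects the link once the expiry passes, and because the path is inside the signed message a valid link for one document cannot be rewritten to fetch another. The static signing key and the query-parameter names are assumptions of this example; in production the key would come from a secret store and carry a key id for rotation.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption of this example: one static key. Production would load it from a KMS /
# secret store and include a key id in the URL so keys can be rotated.
SIGNING_KEY = b"example-signing-key-not-for-production"


def _signature(path: str, expires: int, key: bytes) -> str:
    # The path is part of the signed message, so the signature for one file
    # cannot be transplanted onto another file's path.
    msg = f"{path}\n{expires}".encode("utf-8")
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode("ascii")


def sign_url(path: str, ttl_seconds: int, now: Optional[float] = None,
             key: bytes = SIGNING_KEY) -> str:
    """Produce a link to `path` that is valid for `ttl_seconds` from `now`."""
    now = time.time() if now is None else now
    expires = int(now) + ttl_seconds
    query = urlencode({"expires": expires, "sig": _signature(path, expires, key)})
    return f"{path}?{query}"


def verify_url(url: str, now: Optional[float] = None, key: bytes = SIGNING_KEY) -> bool:
    """Accept only links whose expiry has not passed and whose MAC matches path + expiry."""
    now = time.time() if now is None else now
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        expires = int(query["expires"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return False                                  # missing or malformed parameters
    if now > expires:
        return False                                  # expired
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(sig, _signature(parts.path, expires, key))


if __name__ == "__main__":
    link = sign_url("/files/clinic-a/scan-42.pdf", ttl_seconds=300)
    print(link)
    print("valid now:", verify_url(link))
    print("valid in an hour:", verify_url(link, now=time.time() + 3600))
```

Verification recomputes the MAC from the path actually requested, not from anything in the query string, which is what makes the path substitution and expiry-tampering cases fail.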

Operational Layer

  • Background-checked engineers with least-privilege access
  • Production access requires multi-party approval
  • Security training required for all team members annually
  • Vendor risk assessments before every integration

Compliance Layer

  • BAA signed with every HIPAA-covered sub-processor
  • Annual third-party penetration tests
  • Continuous compliance monitoring via automated tooling
  • Incident response plan tested quarterly

100%: Data encrypted at rest & in transit

<1 hr: Recovery time objective

24/7: Threat monitoring & alerting

0: PHI breaches since launch

Responsible Disclosure

Found a vulnerability? We take security reports seriously. Contact us privately and we commit to acknowledging your report within 24 hours, keeping you informed, and crediting you if you wish.

security@docsuite.app

Common Questions

Security FAQ

Who can access my patient data?

Only the staff members you explicitly invite to your clinic workspace. DocSuite engineers have no standing access to your patient records: any access to production databases requires multi-party approval and leaves a permanent audit trail.

Where is my data stored?

Data is stored in SOC 2 certified cloud infrastructure within the US by default. Enterprise customers can request EU or APAC regional hosting. All data is replicated across at least two availability zones.

What happens if there's a data breach?

We will notify affected customers within 72 hours of confirming a breach, which is well inside the deadline the HIPAA Breach Notification Rule sets for business associates (no later than 60 days after discovery). We maintain a detailed incident response plan that is tested and updated quarterly.

Do you sell or share patient data?

Never. Patient data is never sold, never used for advertising, and never shared with third parties except sub-processors that are strictly necessary to operate the service — all of whom have signed BAAs.

Can I get a copy of your penetration test results?

Yes. Enterprise and Professional customers can request our most recent third-party pen test executive summary under NDA. Contact security@docsuite.app.

Still have security questions?

Our security team responds to all enquiries within one business day.