DocsMD™ takes the security of patient and practice data seriously. This page describes the technical, administrative, and physical safeguards we use to protect information processed by our autonomous operations engine.
## Data Encryption
- In Transit: All data transmitted between systems, dashboards, APIs, and subprocessors is encrypted using Transport Layer Security (TLS) 1.2 or higher
- At Rest: Data stored in our database (Airtable) and orchestration platforms is encrypted at rest using AES-256 encryption
- Credentials: API tokens and credentials are stored securely and never transmitted in cleartext
## Access Controls
- Multi-factor authentication required for administrative access
- Role-based access controls limit data visibility to the minimum necessary
- Per-practice data isolation — each Practice's data is logically segregated
- Authorized user accounts with unique credentials
- Audit logging of all access to patient records
## Application Security
- Input validation and output encoding to prevent injection attacks
- Secure session management with appropriate timeout policies
- Regular review of code and configuration changes
- Dependency scanning to identify known vulnerabilities
- Web Application Firewall (WAF) and DDoS protection via hosting provider
## Infrastructure Security
- Hosted on infrastructure with SOC 2 Type II certified providers
- Network-level isolation and security groups
- Automated backup and disaster recovery procedures
- Monitoring and alerting for anomalous activity
## HIPAA Safeguards
As a HIPAA Business Associate, DocsMD implements the safeguards required by the HIPAA Security Rule (45 C.F.R. §§ 164.302–164.318):
| Category | Examples of Safeguards |
|---|---|
| Administrative | Security policies, workforce training, access management, incident response plan, risk assessments |
| Physical | Subprocessor data centers with controlled physical access; no on-premises PHI storage |
| Technical | Access controls, audit logs, integrity controls, transmission security (encryption) |
## Subprocessor Security
All subprocessors handling Protected Health Information have executed Business Associate Agreements and maintain their own security certifications:
- Airtable: SOC 2 Type II, HIPAA-eligible (Business plan)
- Make.com: SOC 2 Type II, HIPAA-eligible (Team plan)
- Twilio: SOC 2 Type II, HIPAA-eligible products configured
- Anthropic: SOC 2 Type II
- Netlify: SOC 2 Type II
## Incident Response
DocsMD maintains a documented incident response procedure. In the event of a security incident or breach affecting PHI:
- The incident is investigated and contained as quickly as possible
- The affected Practice is notified without unreasonable delay (and within 60 days for breaches under HIPAA)
- Affected individuals are notified by the Practice in accordance with the HIPAA Breach Notification Rule
- HHS Office for Civil Rights is notified as required
- A post-incident review is conducted and corrective actions implemented
## Telephone Consumer Protection Act (TCPA) Compliance
All outbound SMS messages comply with the TCPA, 47 U.S.C. § 227, through:
- Verification of patient consent before any communication
- Permanent, irrevocable opt-out enforcement
- Required STOP, HELP, and opt-out keyword handling
- A2P 10DLC registration with carriers via Twilio
- Compliant message content with required identification and opt-out instructions
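The controls listed above (a consent check before any outbound message, an opt-out that is never reversed, STOP/HELP keyword handling, and sender identification plus opt-out instructions in every message) fit together as a single gate in front of the SMS sender. The following Python sketch is an added illustration of that gate; it is not DocsMD's code and does not use Twilio's API. The keyword sets, the in-memory `ConsentRegistry`, the practice name, the support number and the patient phone number are all constructed assumptions; a real deployment would persist the registry and wire `handle_inbound` to the inbound-message webhook.

```python
"""Consent gate and keyword handler for outbound patient SMS (illustrative, not DocsMD's code)."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumption: the carrier-standard opt-out and help keywords; adjust to the 10DLC campaign's registration.
STOP_KEYWORDS = {"STOP", "STOPALL", "UNSUBSCRIBE", "CANCEL", "END", "QUIT"}
HELP_KEYWORDS = {"HELP", "INFO"}

SENDER_ID = "Example Family Practice"   # constructed practice name used for sender identification
SUPPORT_CONTACT = "555-555-0199"        # constructed support number for HELP replies


def normalize_phone(raw: str) -> str:
    """Reduce a phone number to +<digits>; assumes a US number when exactly 10 digits are given."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 10:
        digits = "1" + digits
    return "+" + digits


@dataclass
class ConsentRegistry:
    """In-memory stand-in for the consent/opt-out store (a real deployment persists this durably)."""
    consented: set = field(default_factory=set)
    opted_out: dict = field(default_factory=dict)   # phone -> UTC timestamp of first opt-out
    audit: list = field(default_factory=list)       # (timestamp, phone, event) for audit logging

    def _log(self, phone: str, event: str) -> None:
        self.audit.append((datetime.now(timezone.utc).isoformat(), phone, event))

    def record_consent(self, raw_phone: str) -> bool:
        """Record patient consent. A prior opt-out is permanent and is never overridden by new consent."""
        phone = normalize_phone(raw_phone)
        if phone in self.opted_out:
            self._log(phone, "consent_rejected_opted_out")
            return False
        self.consented.add(phone)
        self._log(phone, "consent_recorded")
        return True

    def handle_inbound(self, raw_phone: str, body: str):
        """Process an inbound SMS; returns the reply text, or None when no reply is due."""
        phone = normalize_phone(raw_phone)
        keyword = body.strip().upper()
        if keyword in STOP_KEYWORDS:
            self.opted_out.setdefault(phone, datetime.now(timezone.utc))
            self.consented.discard(phone)
            self._log(phone, "opt_out")
            # One final confirmation is returned directly to the webhook; it does not pass through
            # may_send, and nothing else is ever sent to this number again.
            return f"{SENDER_ID}: You are unsubscribed and will receive no further messages."
        if keyword in HELP_KEYWORDS:
            self._log(phone, "help_request")
            return f"{SENDER_ID}: For assistance call {SUPPORT_CONTACT}. Reply STOP to cancel."
        self._log(phone, "inbound_other")
        return None

    def may_send(self, raw_phone: str):
        """Gate every outbound message: an opt-out wins over consent, and no consent means no send."""
        phone = normalize_phone(raw_phone)
        if phone in self.opted_out:
            return False, "opted_out"
        if phone not in self.consented:
            return False, "no_consent"
        return True, "ok"


def compose_message(text: str) -> str:
    """Prefix sender identification and append opt-out instructions to every outbound message."""
    return f"{SENDER_ID}: {text} Reply STOP to opt out, HELP for help."


def send_reminder(registry: ConsentRegistry, raw_phone: str, text: str) -> bool:
    """Send (here: print) a reminder only if the consent gate allows it; log every blocked attempt."""
    allowed, reason = registry.may_send(raw_phone)
    if not allowed:
        registry._log(normalize_phone(raw_phone), f"send_blocked_{reason}")
        return False
    print(f"-> {normalize_phone(raw_phone)}: {compose_message(text)}")
    return True


if __name__ == "__main__":
    reg = ConsentRegistry()
    patient = "(555) 555-0100"                                               # constructed number
    send_reminder(reg, patient, "Your appointment is tomorrow at 9:00.")    # blocked: no consent
    reg.record_consent(patient)
    send_reminder(reg, patient, "Your appointment is tomorrow at 9:00.")    # sent
    print(reg.handle_inbound(patient, " stop "))                             # opt-out confirmation
    reg.record_consent(patient)                                              # rejected: opt-out is permanent
    send_reminder(reg, patient, "Your appointment is tomorrow at 9:00.")    # blocked: opted_out
    for entry in reg.audit:
        print(entry)
```

The two decisions worth copying are that `may_send` checks the opt-out list before the consent list, so a later consent record can never reopen a number that replied STOP, and that every path, including blocked sends, writes an audit entry, which is what lets a practice demonstrate compliance after the fact.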
## Data Retention &amp; Deletion
- PHI retained as long as the Practice maintains an active account, plus any legally required retention period
- Audit logs retained for a minimum of six (6) years per HIPAA
- Upon termination, PHI is returned to the Practice or destroyed in accordance with the BAA
## Vulnerability Disclosure
We welcome reports from security researchers. If you believe you have discovered a security vulnerability, please contact us at hello@docsmd.com with details. We will respond within 5 business days and work with you to verify and remediate the issue. We commit not to pursue legal action against good-faith researchers who follow responsible disclosure practices.
## Contact
DocsMD™ Security
Email: hello@docsmd.com