Security & Compliance

Enterprise-grade security measures protecting your clinical data

Security Overview

At Doctorita, security is not an afterthought—it is fundamental to everything we build. We understand that clinical data is among the most sensitive information, and we have implemented comprehensive security measures to protect it.

Our security framework is built on industry best practices and compliance standards including GDPR, HIPAA-aligned controls, and modern cloud security principles.

This page provides transparency into our security architecture, controls, and practices to help you assess whether Doctorita meets your organization's security requirements.

Data Encryption

Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.3, the latest transport security protocol. This includes web application traffic, API calls, and file uploads.

Encryption at Rest: Audio files and documents stored in DigitalOcean Spaces are encrypted at rest using AES-256 encryption. Database records in MongoDB are encrypted at the storage layer.

Encryption Along the Data Path: Audio is encrypted in transit from your device (TLS 1.3), encrypted at rest once stored, and served only to authenticated users with the appropriate permissions. This is not end-to-end encryption in the strict sense, where only you hold the decryption key: transcription runs server-side, so our service handles the audio in decrypted form, and the storage keys are held by our cloud providers (see Key Management and AI Processing Security below).

Key Management: Encryption keys are managed by our cloud providers (DigitalOcean, MongoDB Atlas) using hardware security modules (HSMs) and are rotated regularly.

Secure File Access: Files are fetched through time-limited presigned URLs that expire after 1 hour, so an intercepted URL cannot be used indefinitely. Within that hour, however, a presigned URL is a bearer credential: anyone holding it can fetch that one object without logging in, which is why the window is short and URLs are issued only to authenticated users for objects they are permitted to access.
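The following is an added worked example, not code from Doctorita: it mints a Signature Version 4 presigned GET URL for an S3-compatible endpoint such as Spaces, and then models the check the storage service performs when the URL is used. The endpoint host, access key, secret, and object key are constructed placeholders, and verify_presigned is a stand-in for the provider's own validation, included so the expiry enforcement can be exercised offline. It shows why the 1-hour window holds: X-Amz-Date and X-Amz-Expires are part of the signed data, so stretching them breaks the signature, while a URL that is merely old is refused on its date.

```python
import calendar, hashlib, hmac, time
from urllib.parse import parse_qsl, quote, unquote, urlparse

# Constructed demo values: a hypothetical Spaces endpoint and throwaway credentials,
# not Doctorita's real bucket or keys.
HOST = "doctorita-demo.fra1.digitaloceanspaces.com"
REGION, SERVICE = "fra1", "s3"
MAX_EXPIRES = 7 * 24 * 3600  # S3-compatible services cap X-Amz-Expires at 7 days

def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def _signing_key(secret, date):
    key = _hmac(("AWS4" + secret).encode(), date)
    for part in (REGION, SERVICE, "aws4_request"):
        key = _hmac(key, part)
    return key

def _q(s):  # SigV4 URI encoding: RFC 3986 unreserved characters only
    return quote(s, safe="-_.~")

def _canonical_query(params):
    return "&".join(f"{_q(k)}={_q(v)}" for k, v in sorted(params.items()))

def _signature(secret, object_key, params):
    """SigV4 over the request; `params` must not yet contain X-Amz-Signature."""
    amz_date = params["X-Amz-Date"]
    scope = params["X-Amz-Credential"].split("/", 1)[1]
    canonical_request = "\n".join([
        "GET", quote("/" + object_key, safe="/-_.~"), _canonical_query(params),
        f"host:{HOST}\n", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    return hmac.new(_signing_key(secret, amz_date[:8]), string_to_sign.encode(),
                    hashlib.sha256).hexdigest()

def presign_get(access_key, secret, object_key, expires=3600, now=None):
    """Application side: mint a GET URL valid for `expires` seconds from `now`."""
    now = int(time.time()) if now is None else now
    amz_date = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime(now))
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{amz_date[:8]}/{REGION}/{SERVICE}/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    params["X-Amz-Signature"] = _signature(secret, object_key, params)
    return f"https://{HOST}{quote('/' + object_key, safe='/-_.~')}?{_canonical_query(params)}"

def verify_presigned(url, secrets_by_key, now=None):
    """Storage-service side (modelled here). Returns (ok, reason). The date and
    lifetime are inside the signed data, so editing X-Amz-Expires invalidates the
    signature; within the window the URL is a bearer credential for one object."""
    now = int(time.time()) if now is None else now
    u = urlparse(url)
    params = dict(parse_qsl(u.query, keep_blank_values=True))
    presented = params.pop("X-Amz-Signature", "")
    try:
        access_key = params["X-Amz-Credential"].split("/")[0]
        start = calendar.timegm(time.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ"))
        expires = int(params["X-Amz-Expires"])
    except (KeyError, ValueError):
        return False, "malformed"
    if u.netloc != HOST or params.get("X-Amz-Algorithm") != "AWS4-HMAC-SHA256":
        return False, "malformed"
    if not 1 <= expires <= MAX_EXPIRES:
        return False, "expires out of range"
    if access_key not in secrets_by_key:
        return False, "unknown access key"
    expected = _signature(secrets_by_key[access_key], unquote(u.path[1:]), params)
    if not hmac.compare_digest(expected, presented):
        return False, "signature mismatch"
    if now > start + expires:
        return False, "expired"
    return True, "ok"

def demo():
    """Constructed scenario with a fixed clock so the outcomes are reproducible."""
    now = 1_700_000_000
    creds = {"DO00EXAMPLEKEY": "example-secret-not-a-real-key"}
    key = "audio/visit 42.m4a"  # the space exercises the URI-encoding path
    url = presign_get("DO00EXAMPLEKEY", creds["DO00EXAMPLEKEY"], key, expires=3600, now=now)
    stretched = url.replace("X-Amz-Expires=3600", "X-Amz-Expires=86400")
    other_object = url.replace("visit%2042.m4a", "visit%2043.m4a")
    return {
        "fresh": verify_presigned(url, creds, now=now + 60),
        "after_window": verify_presigned(url, creds, now=now + 3601),
        "stretched_expiry": verify_presigned(stretched, creds, now=now + 60),
        "other_object": verify_presigned(other_object, creds, now=now + 60),
    }
```

Two points the code makes concrete: the signature is bound to one object key and one host, so a leaked URL is useless for anything else in the bucket; and the only control on who uses it during the hour is possession, so presigned URLs should be handed out per request to an authenticated user rather than stored or shared.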

Authentication and Access Control

Identity Management: User authentication is handled by Auth0, an industry-leading identity platform. Auth0 provides enterprise-grade security including threat detection and account protection.

JWT-Based Authentication: We use JSON Web Tokens (JWT) signed with RS256 (RSA signatures over SHA-256, an asymmetric algorithm: Auth0 signs with its private key and our API verifies with the published public key) for stateless authentication. Tokens are validated on every API request (signature, issuer, audience, and expiry).
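As an added example, not Doctorita's code, this is the shape of an RS256 token check an API behind Auth0 needs, including the two mistakes that most often undo it: letting the token choose its algorithm (alg=none, or HS256 with the public key used as the HMAC secret) and skipping the audience check. So that it runs offline, a small RSA/PKCS#1 v1.5 implementation stands in for Auth0's signing key; in the service the public keys come from the tenant's JWKS endpoint. The issuer and audience URLs, the kid, and the user subject are placeholders.

```python
import base64, hashlib, hmac, json, secrets, time
# Minimal RSA / PKCS#1 v1.5 so the block runs offline. Demo only: in the service
# the public keys are Auth0's, fetched from the tenant's /.well-known/jwks.json.
def _probable_prime(n, rounds=16):  # Miller-Rabin
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1) or any((x := pow(x, 2, n)) == n - 1 for _ in range(r - 1)):
            continue
        return False
    return True

def rsa_keygen(bits=1024):
    """Returns (public (n, e), private (n, d)); 1024 bits keeps the demo fast."""
    e, half, primes = 65537, bits // 2, []
    while len(primes) < 2:
        c = secrets.randbits(half) | (1 << (half - 1)) | 1  # top bit set, odd
        if _probable_prime(c) and c not in primes and (c - 1) % e:
            primes.append(c)
    p, q = primes
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

_DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")

def _emsa(msg, k):  # EMSA-PKCS1-v1_5 encoding of SHA-256(msg), k bytes long
    t = _DIGESTINFO_SHA256 + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(priv, msg):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa(msg, k), "big"), d, n).to_bytes(k, "big")

def rs256_verify(pub, msg, sig):
    n, e = pub
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return len(sig) == k and hmac.compare_digest(em, _emsa(msg, k))

# JWT plumbing: base64url without padding; "<header>.<claims>" is the signed input
def _b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _b64u_dec(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _unsigned(header, claims):
    return ".".join(_b64u(json.dumps(x, separators=(",", ":")).encode()) for x in (header, claims))

class TokenError(Exception):
    pass
def validate_token(token, jwks, issuer, audience, now=None, leeway=30):
    """Checks an Auth0-style RS256 access token; `jwks` maps kid -> (n, e)."""
    now = time.time() if now is None else now
    try:
        h64, c64, s64 = token.split(".")
        header, claims, sig = json.loads(_b64u_dec(h64)), json.loads(_b64u_dec(c64)), _b64u_dec(s64)
        # Pin the algorithm server-side: this one check closes alg=none and RS256->HS256 confusion
        if header["alg"] != "RS256":
            raise TokenError("unexpected alg")
        key, iss, aud, exp = jwks.get(header.get("kid")), claims.get("iss"), claims.get("aud"), claims.get("exp")
    except (ValueError, TypeError, KeyError, AttributeError) as exc:  # bad segments, base64, JSON or shape
        raise TokenError("malformed") from exc
    if key is None:
        raise TokenError("unknown kid")
    if not rs256_verify(key, f"{h64}.{c64}".encode(), sig):
        raise TokenError("bad signature")
    if iss != issuer:
        raise TokenError("wrong issuer")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("wrong audience")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise TokenError("expired")
    return claims

def demo():
    """Constructed scenario: one trusted key, one good token, four hostile ones."""
    issuer, audience, now = "https://doctorita-demo.eu.auth0.com/", "https://api.doctorita-demo.example", 1_700_000_000
    pub, priv = rsa_keygen()
    jwks, hdr = {"key-1": pub}, {"alg": "RS256", "typ": "JWT", "kid": "key-1"}
    good = {"iss": issuer, "aud": audience, "sub": "auth0|user-123", "iat": now - 60, "exp": now + 3600}
    def mint(claims, header=hdr):  # what the identity provider does with its private key
        body = _unsigned(header, claims)
        return body + "." + _b64u(rs256_sign(priv, body.encode()))
    def outcome(token):
        try:
            return validate_token(token, jwks, issuer, audience, now)["sub"]
        except TokenError as exc:
            return str(exc)
    # Key confusion: HMAC the body with the *public* key and claim alg=HS256
    body = _unsigned({**hdr, "alg": "HS256"}, good)
    hs256 = body + "." + _b64u(hmac.new(str(pub[0]).encode(), body.encode(), hashlib.sha256).digest())
    return {
        "valid": outcome(mint(good)),
        "expired": outcome(mint({**good, "exp": now - 3600})),
        "wrong_audience": outcome(mint({**good, "aud": "https://other-api.example"})),
        "alg_none": outcome(_unsigned({**hdr, "alg": "none"}, good) + "."),
        "hs256_confusion": outcome(hs256),
    }
```

The order of checks is deliberate: algorithm first, then key lookup, then signature, and only then the claims, so nothing in an unverified payload influences a decision. The returned sub is the only identity the rest of the request handler should trust.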

Multi-Factor Authentication (MFA): We strongly recommend and support MFA through Auth0. Users can enable MFA using authenticator apps (Google Authenticator, Authy) or SMS. Authenticator apps are the stronger option: SMS codes can be intercepted or redirected through SIM-swap attacks.

Role-Based Access Control (RBAC): Access to data is controlled at the user level. Each user can only access patients and visits they have created. Future Enterprise plans will support team-level access controls.

Session Management: User sessions are securely managed with automatic expiration. Sessions are invalidated upon logout or password changes.

Password Security: Passwords are never stored in plain text. Auth0 uses industry-standard password hashing (bcrypt) with salting. Password reset links expire after 24 hours.

Infrastructure Security

Cloud Infrastructure: Our backend runs on secure, isolated infrastructure with network segmentation and firewall protections.

Database Security: MongoDB Atlas provides VPC isolation, IP whitelisting, and automatic security patches. Database access is restricted to application servers only.

Storage Security: DigitalOcean Spaces (S3-compatible) provides object-level encryption, access logging, and authenticated API access through Spaces access keys.

CORS Protection: Cross-Origin Resource Sharing (CORS) is configured to allow requests only from authorized domains (app.doctorita.com, doctorita.com).
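Added illustration, not Doctorita's configuration: the allowlist rule above expressed in Python, beside the two ways it commonly gets "generalised" when a second subdomain is added (a suffix check and an unanchored regex) and the anchored form that is safe to use. ALLOWED_ORIGINS holds the two origins the page names; the probe origins are constructed examples of what an attacker can register or control, and the browser-side effect of each answer is described in the comments.

```python
import re

# The allowlist the page describes: exact origins, scheme included, no wildcard.
ALLOWED_ORIGINS = frozenset({"https://app.doctorita.com", "https://doctorita.com"})

def cors_headers(origin, allowed=ALLOWED_ORIGINS):
    """Response headers for a cross-origin request from `origin`, or {} to deny.
    Exact string comparison, which is also what FastAPI's CORSMiddleware does
    for allow_origins=[...]. Credentials are only released to a named origin."""
    if origin is None or origin not in allowed:
        return {}  # no ACAO header: the browser blocks the cross-origin read
    return {
        "Access-Control-Allow-Origin": origin,  # echo the one origin, never "*"
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # one origin's answer must not be cached for another
    }

# Three ways the allowlist gets generalised; only the last is safe.
def suffix_allowed(origin):  # substring logic: evil-doctorita.com passes
    return origin.endswith("doctorita.com")

UNANCHORED = re.compile(r"https://.*doctorita\.com")  # doctorita.com.attacker.example passes
def unanchored_regex_allowed(origin):
    return UNANCHORED.match(origin) is not None

ANCHORED = re.compile(r"^https://(app\.)?doctorita\.com$")  # anchored, dot escaped, https only
def anchored_regex_allowed(origin):
    return ANCHORED.match(origin) is not None

def demo():
    """Constructed probe origins. "null" is what sandboxed iframes and some
    redirects send; it must never be on an allowlist."""
    probes = ["https://app.doctorita.com", "https://evil-doctorita.com",
              "https://doctorita.com.attacker.example", "http://app.doctorita.com", "null"]
    return {o: (bool(cors_headers(o)), suffix_allowed(o),
                unanchored_regex_allowed(o), anchored_regex_allowed(o)) for o in probes}
```

A CORS allowlist only matters because the API accepts browser credentials (cookies or an Authorization header the SPA attaches); any origin that passes the check can make the victim's browser read their clinical data. Treating the plaintext http:// variant as a different origin is not pedantry: it is a different origin, and allowing it hands the response to anyone who can tamper with the user's network.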

DDoS Protection: Our infrastructure includes DDoS mitigation and rate limiting to protect against denial-of-service attacks.

Application Security

Secure Development: We follow secure coding practices including input validation against typed request schemas, output encoding, and keeping client input out of database query structure, to prevent common vulnerabilities (XSS, injection, CSRF). Because our datastore is MongoDB, the injection risk to guard against is operator injection, where a JSON object such as {"$ne": ""} arrives where a string was expected and would be interpreted as a query operator; typed validation rejects it before it reaches a query.
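One added example, not Doctorita's code, covering both the ownership rule under Role-Based Access Control (each user sees only the patients and visits they created) and the operator-injection point above, since both come down to how a MongoDB filter is built from a request. A small in-memory matcher stands in for the database, supporting just the $ne and $regex operators needed to show the failure; the documents and the auth0|... subjects are constructed. The vulnerable handler takes the owner from the request body and passes values through untyped; the hardened one takes the owner from the validated token's sub and insists on plain strings.

```python
import re

# Tiny in-memory stand-in for a MongoDB collection, with just enough of the
# query language ($ne, $regex on top-level fields) to show the failure mode.
VISITS = [  # constructed sample documents, not real data
    {"_id": "v1", "owner_id": "auth0|dr-ana", "patient": "P-100", "note": "..."},
    {"_id": "v2", "owner_id": "auth0|dr-ana", "patient": "P-101", "note": "..."},
    {"_id": "v3", "owner_id": "auth0|dr-bob", "patient": "P-200", "note": "..."},
]

def _field_matches(value, cond):
    if not isinstance(cond, dict):  # plain equality, what the code intended
        return value == cond
    # An operator object: this is the path client input must never reach
    return all((op == "$ne" and value != arg) or
               (op == "$regex" and isinstance(value, str) and bool(re.search(arg, value)))
               for op, arg in cond.items())

def find(filter_doc, coll=VISITS):
    return [doc for doc in coll if all(_field_matches(doc.get(f), c) for f, c in filter_doc.items())]

class BadRequest(Exception):
    pass

def get_visits_vulnerable(body, token_sub):
    """Two bugs in one line: the owner comes from the client (token_sub is ignored),
    and values go into the filter untyped, so {"$ne": ""} becomes an operator."""
    return find({"owner_id": body["owner_id"], "patient": body["patient"]})

def _plain_string(value, max_len=64):
    if not isinstance(value, str) or not 0 < len(value) <= max_len:
        raise BadRequest("expected a string")
    return value

def get_visits(body, token_sub):
    """Owner is always the verified token's `sub`; client values must be plain
    strings before they become filter values. A Pydantic request model with
    `patient: str` enforces the same rule at the FastAPI layer."""
    return find({"owner_id": token_sub, "patient": _plain_string(body.get("patient"))})

def _ids(docs):
    return [d["_id"] for d in docs]

def demo():
    bob = "auth0|dr-bob"  # the caller, as identified by the validated token
    injected = {"owner_id": {"$ne": ""}, "patient": {"$regex": "."}}
    out = {
        "vuln_reads_other_user": _ids(get_visits_vulnerable({"owner_id": "auth0|dr-ana", "patient": "P-100"}, bob)),
        "vuln_operator_injection": _ids(get_visits_vulnerable(injected, bob)),
        "hardened_own_record": _ids(get_visits({"patient": "P-200"}, bob)),
        "hardened_other_user": _ids(get_visits({"patient": "P-100"}, bob)),
    }
    try:
        get_visits(injected, bob)
        out["hardened_operator_injection"] = "accepted"
    except BadRequest:
        out["hardened_operator_injection"] = "rejected"
    return out
```

Note that the hardened lookup for another user's record returns an empty result rather than an error: scoping every query by the caller's sub means a record that is not theirs is indistinguishable from one that does not exist, which also prevents enumeration of patient identifiers.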

Dependency Management: We regularly update dependencies and monitor for known vulnerabilities using automated tools. Security patches are applied promptly.

API Security: Our FastAPI backend includes request validation, authentication middleware, and protection against common API attacks.

AI Processing Security: Data sent to OpenAI for transcription is transmitted over encrypted connections. OpenAI does not retain audio files or transcripts after processing, per our data processing agreement.

Compliance and Certifications

GDPR Compliant: We are fully compliant with the General Data Protection Regulation (GDPR) as an EU-based company. See our GDPR Compliance page for details.

HIPAA-Aligned Controls: While Doctorita is based in the EU and not subject to US HIPAA regulations, we implement HIPAA-aligned security and privacy controls as a best practice for healthcare data protection.

Data Processing Agreements: We maintain signed Data Processing Agreements (DPAs) with all sub-processors (Auth0, OpenAI, DigitalOcean, MongoDB).

EU Data Residency: Primary data storage is located within the European Union (DigitalOcean Frankfurt, MongoDB EU regions), ensuring compliance with EU data sovereignty requirements.

Third-Party Audits: Periodic security assessments and penetration tests by independent third-party security firms are planned (roadmap for 2026).

Security Monitoring and Incident Response

Continuous Monitoring: We monitor system logs, API requests, and authentication attempts for suspicious activity.

Intrusion Detection: Automated alerts notify our team of potential security incidents, including failed authentication attempts, unusual access patterns, and system anomalies.

Audit Logging: All API requests, data access, and administrative actions are logged for security auditing and forensic analysis.

Incident Response Plan: We have established procedures for detecting, containing, investigating, and responding to security incidents. Our incident response plan includes notification protocols for affected users and regulatory authorities.

Breach Notification: If a personal data breach occurs, we will notify the Romanian data protection authority (ANSPDCP) within 72 hours of becoming aware of it, as GDPR Article 33 requires, and inform affected users without undue delay where the breach is likely to result in a high risk to them (Article 34).

Vulnerability Disclosure: We encourage responsible disclosure of security vulnerabilities. Report security issues to security@doctorita.com.

Business Continuity and Disaster Recovery

Automated Backups: Database backups are performed automatically every 24 hours and retained for 30 days. Enterprise customers can request longer retention periods.

Geographic Redundancy: Data is replicated across multiple availability zones within the EU, so the loss of a single data center or zone does not take the service offline.

Disaster Recovery Plan: We have documented procedures for restoring services in the event of a catastrophic failure, with a target Recovery Time Objective (RTO) of 24 hours and Recovery Point Objective (RPO) of 24 hours.

Third-Party Risk Management

We carefully vet all third-party service providers and ensure they meet our security standards:

Auth0: SOC 2 Type II, ISO 27001, GDPR compliant

OpenAI: SOC 2 Type II compliant, GDPR data processing agreement

DigitalOcean: SOC 2 Type II, ISO 27001, GDPR compliant

MongoDB Atlas: SOC 2 Type II, ISO 27001, GDPR compliant

We regularly review sub-processor security postures and require notification of any security incidents affecting our data.

Security Best Practices for Users

To maximize the security of your Doctorita account, we recommend:

Enable Multi-Factor Authentication (MFA) for all users.

Use strong, unique passwords (minimum 12 characters with uppercase, lowercase, numbers, and symbols).

Never share your account credentials with others. Each staff member should have their own account.

Review your account activity regularly and report any suspicious logins.

Ensure that you obtain proper patient consent before recording consultations.

Keep your devices and browsers up to date with the latest security patches.

Log out when using shared or public computers.

Report any suspected security issues immediately to security@doctorita.com.

Contact Security Team

For security-related questions, vulnerability reports, or incident notifications:

Email: security@doctorita.com

For vulnerability disclosure: Please include details of the issue, steps to reproduce, and potential impact. We aim to respond within 48 hours.

For security emergencies: Include "URGENT" in the subject line.

We appreciate responsible disclosure and may recognize security researchers who help us improve our platform.