The General Data Protection Regulation (GDPR) is approaching and will set the bar high in regards to protecting the integrity of the individual in the EU. Doctena has established a comprehensive security plan to become compliant and to increase the overall security of its business. This post is intended to give you an update on our current status in regards to GDPR.
The General Data Protection Regulation (GDPR) is the new European regulation for protecting personal data, applying to all organizations (including medical practices) operating within the EU (as well as non-EU organizations with customers who are individuals in the EU). The definition of personal data under GDPR has been boiled down to “any information relating to an identified or identifiable person”. The purpose of GDPR is to harmonize the data protection laws across all member countries of the EU to strengthen the integrity of the individual. The law will come into effect on May 25th, 2018.
GDPR applies to both data controllers and data processors. The data controller is the party who determines the purposes and the manner in which personal data is processed. The data processor is a third party that processes personal data on behalf of the controller.
What does this mean?
Doctena is both a data controller and a data processor.
- As a cloud calendar company providing a service to doctors/practitioners, Doctena mainly acts as a data processor. We process data on behalf of the doctor/practitioner who defines what happens with this data (modification, removal, transfer, …).
- For patients who choose to make a Doctena account, Doctena plays the role of controller by storing profile data (preferences, name, address, phone, email, ratings, etc.) to facilitate the management of their appointments. We basically copy the data from the Doctena account into the doctor's patient account. Doctena also controls a logical link from the Doctena account to the doctor's appointments, allowing patients to handle the status of their appointment.
What is Doctena doing?
We are working to be compliant with the regulation on time and have established a dedicated project to be ready.
Furthermore, we have prepared a specific Data Processing Agreement (DPA) that you as doctors/practitioners (data controller) can sign with Doctena (data processor) to comply with the norms. At the same time, Doctena is also ensuring that a similar DPA is in place with its own data processors involved in the entire data processing chain to ensure that, in any case, the personal data processing is compliant with the GDPR. The DPA describes the roles, the legal basis and the obligations of the data processing.
How Doctena handles your data
We take security and privacy very seriously at Doctena and commit to compliance with local/national regulation. Our customers’ and their patients’ data privacy is of utmost importance to us, and as a company we have implemented a series of measures to ensure that your data is safe!
Security is not only a word for us, but a concept that needs to be owned and executed upon on a daily basis. Therefore, we address security from multiple standpoints:
Dedicated people and responsibilities
Doctena has a dedicated Chief Information Security Officer (CISO) and independent external Data Protection Officers (DPOs) as defined by the GDPR.
Our CISO is a senior employee holding a Master’s degree in Security, and has a professional background in computer security. His role is to make sure that security remains a daily focus area, and he does so by implementing processes and technologies as well as coordinating the various teams and business units around security. He reports directly to our Chief Information Officer (CIO) and also to our group Chief Executive Officer (CEO) to make sure that the security focus starts at the highest management level.
Security by Design
Whenever we innovate and work on new products and features, the “Security” item is one of the first steps on the checklist. That way, we can be sure to design our products with security in mind, and make the technological and architectural decisions that lead to secure implementations.
Control and monitoring
We use three well-known, industry standard solutions to continuously check and protect our platforms from possible security issues:
- A Web Application Firewall, which is our first line of defense against common threats like distributed denial of service (DDoS) attacks and malicious web requests. This also includes the automatic blocking of well-known bad-reputation devices and tools on the internet.
- A permanent penetration testing platform scanning our platforms 24/7 and notifying our development teams whenever there is a potential new security risk, so that we can immediately apply corrective measures.
- An attack-detection system that notifies us as soon as suspicious activity is detected on the platform, with details on how to stop this activity.
These services come at a price, and Doctena allocates a significant amount of its IT budget to these security tools.
Automated security updates
As part of our continuous deployment system we include security updates to all our systems on at least a weekly basis, and for most systems on an almost daily basis.
Once a year our platforms are audited by a well-known IT security company that also certifies large and complex banking systems for security and resilience. The results of these audits are analyzed and acted upon by our IT teams so that the audit company can issue us a certificate demonstrating our high levels of security.
The confidential data that we store in our databases is encrypted with the industry standard 256-bit AES algorithm. Also, the laptops of our employees are encrypted and we enforce strict security protocols with them.
Our platforms also implement industry standard encryption for “data in transit”, making sure that no third party can intercept the communications between our platform and the user’s web browser when using the platform.
Partner selection process
When we work with external partners or subcontractors, we require them to apply at least the same security standards as us. We don’t want to have any weak links in our production and operation chains when it comes to security.
Data processing and storage location
Doctena’s server infrastructure is hosted on Amazon Web Services and only uses data centers located in the Frankfurt region (eu-central-1) to ensure the data never leaves the EU. Amazon Web Services is fully compliant with GDPR for which you can get additional information here:
All our application databases are set up with high availability to ensure that at any given moment all data is located in at least 2 geographically isolated data centers. On a daily basis an automated snapshot is taken of these databases for disaster recovery, in combination with another daily worst-case disaster recovery copy that is stored in a highly secured and encrypted storage solution in a Luxembourgish data center.
GDPR and ISO27001
Over the course of 2018, and in the wake of the EU GDPR regulations, Doctena will work on achieving the ISO27001 certification.
ISO/IEC 27001:2013 (ISO 27001) is the international standard that describes best practice for an ISMS (information security management system). Achieving accredited certification to ISO 27001 demonstrates that your company is following information security best practice, and provides an independent, expert verification that information security is managed in line with international best practice and business objectives. ISO 27001 is supported by its code of practice for information security management, ISO/IEC 27002:2013.
Since its creation, Doctena has not suffered any security breaches!
If you have any questions in regards to GDPR and your use of Doctena, feel free to email
Please note that this post is for informational purposes only, and should not be considered legal advice.