Security measures for the processing of personal data
Doctena takes the following technical and organizational security measures to protect personal data:
Dedicated organizational and personnel management responsible for the development, implementation and maintenance of Doctena’s information security program.
Audit procedures and evaluation of risk for the purpose of periodically reviewing and assessing risks to the Doctena organization, monitoring and maintaining compliance with Doctena policies and procedures, and reporting the status of its information security and compliance to internal senior management.
Maintain information security policies and ensure that policies and measures are regularly reviewed and, if necessary, improved.
Communication with Doctena applications uses cryptographic protocols such as TLS to protect information in transit over public networks. At the network edge, stateful firewalls, web application firewalls and DDoS protection are used to filter attacks.
Data security controls that include logical separation of data, restricted access and monitoring (e.g., role-based), and, where appropriate, the use of commercially available, industry-standard encryption technologies.
Logical access controls designed to manage electronic access to data and system functionality based on authority levels and functions (e.g., granting access on a need-to-know and least-privilege basis, using unique user IDs and passwords for all users, conducting periodic reviews, and promptly revoking or changing access upon termination or change in duties).
Password controls designed to manage and control the strength and use of passwords, including prohibiting users from sharing passwords.
System auditing or event logging and related monitoring procedures to proactively record user access and system activity for routine review.
Physical and environmental security of the data center, server rooms and other areas containing confidential client information, designed to: (i) protect information assets from unauthorized physical access, (ii) manage, monitor and record the movement of persons into and out of the data center facilities, and (iii) protect against environmental hazards such as heat, fire and water damage.
Operational procedures and controls to ensure the configuration, monitoring and maintenance of technology and information systems according to prescribed internal standards and adopted industry standards.
Change management procedures and tracking mechanisms are designed to test, approve and monitor all changes to Doctena’s technology and information assets.
Incident and problem management procedures are designed to enable Doctena to investigate, respond to, mitigate, and report events related to Doctena’s technology and information assets.
Network security controls that include the use of enterprise firewalls and layered DMZ architectures, as well as intrusion detection systems and other traffic and event correlation procedures designed to protect systems from intrusions and limit the reach of any successful attack.
Vulnerability assessment, patch management and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.
Resiliency/business continuity and disaster recovery procedures, if applicable, designed to maintain service and/or recovery from foreseeable emergencies or disasters.
Our commitment to safety
At Doctena, we take security and privacy very seriously. The confidentiality of our clients’ and their patients’ data is of the utmost importance to us, and as a company we have put in place a series of measures to ensure the security of this data.
Safety is not just a word to us, but a concept that must be taken care of and implemented on a daily basis. That’s why we approach security from multiple angles.
Dedicated people and responsibilities
Doctena has a Chief Information Security Officer (CISO) who is a senior employee with a master’s degree in security and professional experience in IT security. Its role is to ensure that safety remains a daily concern. It does this by implementing processes and technologies as well as coordinating the various teams and business units around security. He reports directly to our Chief Information Officer (CIO) and also to our Group Chief Executive Officer (CEO), to ensure that the focus is on security from the highest level of management.
Safety by design
Whenever we innovate and work on new products and features, “security” is one of the first steps on the checklist. This way, we can be sure to design our products with safety in mind and make the technological and architectural decisions that lead to safe implementations.
Multi-layer security infrastructure
We use several well-known industry standard solutions to continuously check and protect our platforms against potential security issues:
– A web application firewall, which is our first line of defense against common threats such as distributed denial of service (DDOS) attacks and malicious web requests. This also includes automatic blocking of well-known bad reputation sources (e.g. the dark web) on the Internet.
– An automated penetration testing platform that regularly scans our platforms and notifies our development teams whenever a new potential security risk emerges (e.g., a newly discovered vulnerability) so that we can immediately apply corrective measures.
– A static code analysis platform that provides an even higher level of security by actually examining our constantly evolving code and evaluating every possible entry point into our application. It detects and notifies our development teams where they might have missed something.
– Our software composition analysis tools allow us to analyze the external dependencies (libraries) used by our code for vulnerabilities.
– An intelligent attack prevention system that learns normal behavior using AI and alerts us when unusual, suspicious activity is detected on the platform. This system automatically warns of such security risks and informs our security team of these activities for follow-up actions.
These services come at a price, and Doctena allocates a significant portion of its IT budget to these security tools because we understand how important they are to you, but also to the survival of our business.
No real patient data is used in our test environments or on developer devices local.
Our business intelligence department only has access to completely anonymous data.
We never send emails containing personal patient data. When personal data is to be sent by e-mail, it is sent anonymously.
Automated security updates
As part of our continuous deployment system, we include the latest security updates to all of our systems on a weekly, and for most even on an almost daily basis. This means that while our security teams don’t have to be aware of new security patches, they will automatically be included whenever we deploy a new version of our software.
All our databases are encrypted at rest with the industry standard 256-bit AES algorithm.
Passwords are never stored in clear text, but irreversibly hashed
Where technically possible, highly sensitive data such as physician and patient notes are also encrypted at the field level of the database.
All of our employees’ laptops and computers are encrypted, and we enforce strict security protocols with them.
Industry standard encryption for “data in transit” is applied in all communications, which ensures that no third party can intercept communications between our platform and the user’s web browser while using the platform.
We have set up four completely isolated environments that each have their own dedicated servers with different IDs per environment to ensure that a potential breach in one environment does not impact the other.
Test – Used by development to test new code
Staging – Isolated environment that most closely resembles production as a final step before the code is pushed to production.
Production – A highly controlled environment where only a limited number of people have access to
Demo – Same environment as production, with only data from potential customers who want to test the system.
Our code base is fully tracked with a version control system and different branches per environment. This is part of our change management process that allows us to clearly see who added what code at what time. Each new addition to the code is reviewed by a senior team leader, and triggers automated tests on our most common business logic. Only project managers can deploy code in the production and demonstration environments.
Resumption of activities
An important element of our continuous deployment system is that all of our infrastructure is defined by code, rather than by manual configuration. This allows us to quickly set up identical environments and server configurations that leave no room for manual errors or security misconfigurations. It also allows us to automatically scale our production servers when greater performance is needed, without the need for manual action with potential errors.
All of our application databases are implemented with high availability to ensure that at all times, all data is located in at least 2 geographically isolated data centers. Each day, an automated snapshot is taken of these databases for disaster recovery in combination with another daily worst-case disaster recovery copy that is stored in a highly secure and encrypted storage solution in another data center. The web servers that provide our services are also configured with high availability.
Monitoring and alerting
All important servers and resources are monitored with advanced tools that alert us, usually even before something goes really wrong. This allows our infrastructure team to quickly inform the necessary teams to act.
Once a year, our platforms are audited by a recognized IT security company, which also certifies large and complex banking systems for their security and resilience. The results of these audits are analyzed and taken into account by our IT teams so that the auditing company can issue us a certificate demonstrating our high security levels.
The results of these audits are analyzed and taken into account by our IT teams so that the auditing company can issue us a certificate demonstratinga our high security levels. This international recognition attests to our compliance with strict information security standards, thus ensuring the confidentiality and integrity of our users’ data.
If you would like to know more about the details of this certification, we invite you to visit our dedicated page for additional information.
Since its creation, Doctena has not experienced any security breach!