Data Security

Encryption in Transit

All data transmitted between your devices and our servers is protected using industry-standard encryption:

• TLS 1.3: All web traffic uses Transport Layer Security (TLS) 1.3, the latest encryption protocol
• Perfect Forward Secrecy: Each session uses unique encryption keys, protecting past communications even if keys are compromised
• HTTPS Everywhere: All connections are secured with HTTPS, preventing man-in-the-middle attacks
• API Security: All API communications are encrypted and authenticated using secure tokens
• WhatsApp Integration: Messages transmitted through Twilio's secure infrastructure with end-to-end encryption

Encryption at Rest

All data stored in our databases and storage systems is encrypted:

• AES-256 Encryption: Advanced Encryption Standard with 256-bit keys—the same standard used by banks and governments
• Database Encryption: All databases encrypt data at the field level, protecting sensitive information
• Backup Encryption: All backups are encrypted before storage, ensuring data remains protected even in backup systems
• File Storage: Uploaded files, documents, and images are encrypted before storage

Key Management

• Encryption keys are managed using industry-standard Key Management Services (KMS)
• Keys are rotated regularly according to security best practices
• Key access is strictly controlled and logged
• Keys never leave secure, encrypted storage

Authentication

• Strong Password Requirements: Minimum complexity requirements, password length, and character variety
• Multi-Factor Authentication (MFA): Required for all accounts, adding an extra layer of security beyond passwords
• Single Sign-On (SSO): Enterprise customers can integrate with their existing identity providers
• Session Management: Secure session tokens with automatic expiration after inactivity
• Account Lockout: Protection against brute-force attacks with temporary account lockout after failed attempts

Authorization

• Role-Based Access Control (RBAC): Users are granted access based on their role and responsibilities
• Principle of Least Privilege: Users only have access to data and features necessary for their job function
• Granular Permissions: Fine-grained control over what users can view, edit, or delete
• Patient Data Isolation: Healthcare providers can only access their own patient data, not data from other clinics

Employee Access

• TDAppointments employees only access customer data when necessary for support or maintenance
• All employee access is logged, monitored, and requires approval
• Background checks are conducted for employees with access to sensitive data
• Regular access reviews ensure employees only have access they need

Cloud Infrastructure

• HIPAA-Compliant Hosting: Data is hosted in HIPAA-compliant, SOC 2 Type II certified cloud data centers
• Redundant Infrastructure: Multiple data centers ensure high availability and disaster recovery
• 99.9% Uptime SLA: Guaranteed service availability with redundant systems and automatic failover
• Geographic Redundancy: Data is replicated across multiple geographic regions for disaster recovery
• DDoS Protection: Advanced Distributed Denial of Service (DDoS) protection prevents service disruptions

Network Security

• Firewalls: Multi-layer firewall protection with strict access rules
• Network Segmentation: Isolated network segments limit access to sensitive systems
• Intrusion Detection: Real-time monitoring detects and prevents unauthorized access attempts
• VPN Access: Employee access to infrastructure requires secure VPN connections
• Regular Security Updates: All systems are patched regularly to address known vulnerabilities

Physical Security

• Data centers are secured with 24/7 physical security monitoring
• Access requires biometric authentication and multi-factor verification
• All access to data centers is logged and audited
• Environmental controls protect against fire, floods, and other disasters
• Backup power generators ensure continuous operation during power outages

Data Backup and Recovery

Comprehensive backup and recovery procedures ensure your data is never lost:

• Automated Daily Backups: Full database backups are performed daily and stored securely
• Point-in-Time Recovery: Database transaction logs enable recovery to any point in time
• Encrypted Backups: All backups are encrypted before storage, matching production security
• Offsite Storage: Backups are stored in separate geographic locations for disaster recovery
• Retention Period: Backups are retained for a minimum of 30 days, with longer retention available
• Regular Testing: Backup and recovery procedures are tested regularly to ensure they work correctly
• Recovery Time Objective (RTO): Less than 4 hours to restore service after a disaster
• Recovery Point Objective (RPO): Maximum data loss of 1 hour in the event of a disaster

Security Monitoring

• 24/7 Security Operations Center: Continuous monitoring of security events and threats
• Real-Time Alerts: Immediate notifications for suspicious activity or security incidents
• Threat Intelligence: Integration with threat intelligence feeds to detect emerging threats
• Anomaly Detection: Machine learning algorithms detect unusual patterns that may indicate attacks

Comprehensive Logging

• All access to PHI and sensitive data is logged with timestamp, user, and action
• Audit logs are tamper-proof and cannot be modified or deleted
• Logs are retained for a minimum of 6 years as required by healthcare regulations
• Regular log reviews identify unauthorized access or policy violations
• Logs are encrypted and stored securely

Security Testing and Assessments

We regularly test and assess our security measures:

• Penetration Testing: Annual third-party penetration testing by certified security professionals
• Vulnerability Scanning: Automated vulnerability scans are performed weekly
• Code Security Reviews: All code changes are reviewed for security issues before deployment
• Security Audits: Annual SOC 2 Type II audits validate our security controls
• Bug Bounty Program: Security researchers are rewarded for responsibly reporting vulnerabilities
• Third-Party Security Assessments: Independent security firms assess our security posture

Compliance and Certifications

Our security program complies with industry standards and regulations:

• HIPAA: Compliant with Health Insurance Portability and Accountability Act requirements
• SOC 2 Type II: Annual audits validate our security, availability, and confidentiality controls
• GDPR: Compliant with General Data Protection Regulation for European users
• ISO 27001: Security management system aligned with ISO 27001 standards
• PCI DSS: Payment processing complies with Payment Card Industry Data Security Standards

We have a comprehensive incident response plan to quickly address security incidents:

• Incident Detection: Automated systems and security team monitor for security incidents
• Response Team: Dedicated security incident response team available 24/7
• Containment: Immediate steps to contain and limit the impact of security incidents
• Investigation: Thorough investigation to understand the cause and scope of incidents
• Remediation: Prompt remediation to eliminate threats and prevent recurrence
• Notification: Affected customers are notified within 72 hours of discovering a security incident
• Documentation: All incidents are documented and lessons learned are incorporated into security improvements

Your Role in Security

Security is a shared responsibility. You can help protect your data by:

• Using strong, unique passwords and enabling multi-factor authentication
• Limiting access to your account to authorized personnel only
• Keeping your devices and browsers updated with the latest security patches
• Not sharing your account credentials with others
• Logging out of shared or public computers
• Reporting suspicious activity or security concerns immediately
• Regularly reviewing access logs and user permissions
• Educating your team about security best practices