Trust, built on evidence.
Our information security management system is certified against ISO/IEC 27001:2022, we apply the GDPR by design, patient data is hosted in the EU, and an independent external Data Protection Officer oversees our privacy programme. This Trust Center is where we show the evidence.
Why you can trust Doctena
- Certified
ISO/IEC 27001:2022
Our information security management system is certified against ISO/IEC 27001:2022, covering the software factory and corporate functions. The certificate can be downloaded directly from the ISO 27001 page, no NDA required.
Open - GDPR & EU hosting
Patient data hosted in the EU
We apply the GDPR by design. Patient data is hosted on AWS in Frankfurt (eu-central-1), with encrypted disaster-recovery copies in a second EU region, AWS Ireland (eu-west-1).
Open - Data ethics
We don’t sell your data
Doctena’s business model is subscriptions paid by healthcare professionals. We do not sell your personal or health data.
Open
Security posture
What reviewers check first, answered up front.
The control areas most vendor security reviews start with, summarised here. Every line links to the page that substantiates it.
Data security
- AES-256 encryption at rest, TLS 1.3 in transit
- Daily encrypted backups on a rolling 30-day retention
- Customer data deleted at the end of the contract
Infrastructure
- AWS Frankfurt (eu-central-1) as the primary region
- Encrypted disaster-recovery copies in a second EU region (Ireland)
- Live service status, published openly
Access control
- MFA mandatory for all access to code, infrastructure and production data
- Least-privilege, role-based access to production
- Access reviews carried out regularly
Application security
- Annual penetration test by an independent third party
- Dependency and static analysis on every change
- Coordinated vulnerability disclosure programme
Organisational
- ISO 27001 policy set applied across the company
- Security training for every employee, from week one
- Customers notified of personal-data breaches without undue delay
More to explore
A page reviewers often ask about next: where we use AI across the Doctena platform.
By audience
Built for every reader.
A patient checking how your health data is handled, a practitioner contracting with Doctena, or a security officer reviewing a vendor, start here.
- For patients
How we handle your health data
What we collect, what we never share, and how to exercise your data subject rights, in plain language.
Open - For practitioners & clinics
Your contract and your obligations
The GDPR role model when you book patients through Doctena, the Data Processing Agreement, and the sub-processors that act on your behalf.
Open - For security & procurement
Run your vendor review from here
Certifications, encryption posture, sub-processor register and incident commitments, with sensitive evidence available on request.
Open
Documents
Evidence, in two tiers.
Most of what a security review needs is public and self-serve. Sensitive evidence is shared by email under NDA. The ISO 27001 certificate is freely downloadable from the ISO 27001 page.
Self-serve
Read online today. No account, no email gate.
By email, on request
Email us and we respond within two business days.
- Penetration-test executive summary
- Statement of Applicability
Explore
Find what you need in one click.
The six entry points covering the questions we hear most often from patients, practitioners, and our customers' procurement teams.
Privacy policy
How we collect, process and protect personal data.
OpenData protection (GDPR)
Our role model under the GDPR and your rights.
OpenSub-processors
Every supplier that touches patient or customer data.
OpenISO 27001:2022
Scope, Statement of Applicability, certificate.
OpenData Processing Agreement
The contract we sign with every healthcare professional.
OpenResponsible disclosure
Report a vulnerability through our coordinated channel.
Open
Updates
Maintained, not archived.
Latest entry: 14 June 2026, new Trust Center website and full content review. [email protected] to be added to our change-notification list.
Talk to us
Something not covered here?
For specific contractual questions, vendor risk assessments, custom DPAs, or audit reports, reach out directly. We respond to most enterprise procurement queries within two business days.