Last updated 14 June 2026

Trust, built on evidence.

Our information security management system is certified against ISO/IEC 27001:2022, we apply the GDPR by design, patient data is hosted in the EU, and an independent external Data Protection Officer oversees our privacy programme. This Trust Center is where we show the evidence.

Security posture

What reviewers check first, answered up front.

The control areas most vendor security reviews start with, summarised here. Every line links to the page that substantiates it.

  • Data security

    • AES-256 encryption at rest, TLS 1.3 in transit
    • Daily encrypted backups on a rolling 30-day retention
    • Customer data deleted at the end of the contract
    Security overview
  • Infrastructure

    • AWS Frankfurt (eu-central-1) as the primary region
    • Encrypted disaster-recovery copies in a second EU region (Ireland)
    • Live service status, published openly
    status.doctena.com
  • Access control

    • MFA mandatory for all access to code, infrastructure and production data
    • Least-privilege, role-based access to production
    • Access reviews carried out regularly
    Security overview
  • Application security

    • Annual penetration test by an independent third party
    • Dependency and static analysis on every change
    • Coordinated vulnerability disclosure programme
    Responsible disclosure
  • Organisational

    • ISO 27001 policy set applied across the company
    • Security training for every employee, from week one
    • Customers notified of personal-data breaches without undue delay
    ISO 27001 programme
  • More to explore

    A page reviewers often ask about next: where we use AI across the Doctena platform.

Documents

Evidence, in two tiers.

Most of what a security review needs is public and self-serve. Sensitive evidence is shared by email under NDA. The ISO 27001 certificate is freely downloadable from the ISO 27001 page.

Tier 2, on request

By email, on request

Email us and we respond within two business days.

  • Penetration-test executive summary
  • Statement of Applicability

Updates

Maintained, not archived.

Latest entry: 14 June 2026, new Trust Center website and full content review. [email protected] to be added to our change-notification list.

Talk to us

Something not covered here?

For specific contractual questions, vendor risk assessments, custom DPAs, or audit reports, reach out directly. We respond to most enterprise procurement queries within two business days.