PRIVACY POLICY

Document Medical


Trust & Security

Document LLC prides itself on its commitment to security so that we can safely deliver results that make a difference in the lives of physicians. We have enacted several types of security procedures around our product, the way it is built, and how we handle the data it produces.

Our systems have facilitated tens of thousands of medical notes for our customers while maintaining over 99% uptime, and we want to ensure that our doctors and their patients feel safe and secure when using our service. Document LLC employs industry-leading security measures to help ensure the authenticity, integrity, and privacy of data, both at rest and in transit.
 

Customer Data Protection

• Document LLC's products are accessed across the Internet over encrypted connections (TLS 1.0 through 1.2) using 2048-bit certificates. Note that TLS 1.0 and 1.1 have been formally deprecated (RFC 8996); TLS 1.2 is the version current clients negotiate.

• Each customer's data is logically separated by a unique organization identifier. Data is encrypted at rest automatically by our cloud infrastructure.

• Individual user sessions are protected by unique session tokens.

 

Application Security

• Document LLC's SDLC process ensures QA is performed before release. Document LLC also scans the code for security vulnerabilities before deployment.

• Document LLC's SaaS services are based on proven and secure open-source solutions and custom applications.

• Applications and servers are regularly patched to provide ongoing protection from exploits.

• Dynamic application analysis is performed regularly.

• Third-party application penetration testing has been completed and will be conducted on a regular semi-annual cadence going forward.

 

Physical and Environmental Security

• Our solution is hosted on the Microsoft Azure cloud platform. Microsoft Azure provides world-class physical and environmental controls that are documented and attested to in its SOC 2 Type 2 report by an independent auditing firm.

• Physical security in our office includes badged access and security cameras. All workstations run anti-malware software and have disk encryption enabled.

 

Network Access Controls

• The solution uses public cloud services, is hosted within its own VPC, and access to the applications is protected by virtual firewalls.

• Access to Document LLC infrastructure requires multi-factor authentication and extensive access monitoring.

 

Security Monitoring

• All access to the solution is logged and sent to a Security Information and Event Management (SIEM) solution for analysis and monitoring.

• Any suspected security incident is immediately analyzed and reported on. Root cause analysis is completed and any remediation action is taken. Tickets are logged to track medium- or long-term changes, if any are required.

 

Regulatory Compliance

• Document LLC's governance structure ensures compliance with applicable laws and regulations. New and emerging regulations are tracked for compliance. Document LLC is planning for a SOC 2 Type 1 attestation. Data security and HIPAA compliance are our top priority. To satisfy data residency requirements, data is maintained in Microsoft Azure's US data centers.

 

Administrative Controls

• Document LLC's information security governance structure includes a designated Head of Security and an Executive Risk Committee.

• Security policies are documented and updated annually. The current list of approved policies includes:

o Overarching information security policies around: awareness and training, access controls, security monitoring and auditing, incident reporting

o Overarching privacy policy around: permitted uses and disclosures, complaints, subcontractors and audits

o Breach notification policy

o Records retention and destruction policy

o Sanction policy

o SDLC policy

o Business continuity and disaster recovery policy

• Security policies require that access to cloud infrastructure and customer data is restricted to authorized personnel, follows documented processes, and is logged and tracked for auditing purposes.

• All employees undergo an extensive background check as a condition of employment.

• All new hires undergo security and privacy training, including HIPAA-specific training. An annual refresher ensures the level of awareness and training is maintained.