Doximity was created to simplify and support the work of healthcare providers. Our platform is secure, facilitating encrypted, HIPAA-compliant communications with patients.
Doximity’s team of security professionals ensures that our platforms and data are protected: we maintain a SOC 2 Type 2 attestation and HIPAA/HITECH compliance, and we run recurring security processes such as risk assessments, penetration testing (by internal testers and external firms), and white-box testing (with security researchers and security professionals).
Doximity’s platform allows healthcare professionals to securely communicate while maintaining compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH). All Doximity employees and contractors who work on our systems that facilitate healthcare communications are required to complete ongoing HIPAA and security training.
We verify the identity of all members upon registration, and only verified members have access to Doximity’s full feature set. We use an industry-standard identity management solution to serve challenge questions, and a support team manually reviews members’ licensure. Please see the Doximity Terms of Service for more information.
Business Associate Agreement
We enter into a Business Associate Agreement (BAA) with each individual user upon registration. Additionally, we include an institutional BAA as part of our enterprise solutions. Contact us at email@example.com for more information on how we partner with hospitals and health systems.
Doximity uses industry-standard encryption to protect all data in transit and at rest. All requests are made over TLS 1.2. Video call media is encrypted in transit using DTLS-SRTP. Protected Health Information (PHI) is encrypted at rest with AES-256, and databases containing PHI are additionally encrypted using keys managed through the Amazon Web Services (AWS) Key Management Service (KMS).
Doximity uses intrusion detection and prevention controls to monitor our applications and infrastructure, including but not limited to a Web Application Firewall (WAF), Runtime Application Self-Protection (RASP), and brute-force detection. Detected intrusion attempts are blocked automatically.
Logging & Monitoring
Doximity employs multiple logging and monitoring strategies to ensure that alerts are raised and resolved promptly. Access (who, when, and how often) is monitored at the individual user level. Engineers have access to databases and servers with limited permissions that vary by role, following the principle of least privilege. All logs, including auth.log, are shipped to an external service so that authentication logs cannot be tampered with on the originating host.
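To make the brute-force detection and auth.log monitoring described above concrete, the following is an added example (not Doximity’s own code or configuration). It parses a handful of constructed sshd lines in auth.log format and raises one alert per source IP that accumulates a threshold of failed logins inside a sliding time window, which is the basic shape of a brute-force detector run over shipped authentication logs. The sample log lines, the assumed year (classic syslog timestamps carry none), and the threshold and window values are all assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in sshd/syslog format; not real Doximity log data.
SAMPLE_AUTH_LOG = """\
Mar  4 10:15:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51422 ssh2
Mar  4 10:15:03 web1 sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51423 ssh2
Mar  4 10:15:04 web1 sshd[2205]: Failed password for root from 203.0.113.7 port 51424 ssh2
Mar  4 10:15:06 web1 sshd[2207]: Failed password for root from 203.0.113.7 port 51425 ssh2
Mar  4 10:15:07 web1 sshd[2209]: Failed password for invalid user oracle from 203.0.113.7 port 51426 ssh2
Mar  4 10:15:09 web1 sshd[2211]: Accepted publickey for deploy from 198.51.100.22 port 40022 ssh2: ED25519 SHA256:abc
Mar  4 10:20:30 web1 sshd[2301]: Failed password for alice from 198.51.100.22 port 40100 ssh2
Mar  4 10:31:30 web1 sshd[2305]: Failed password for alice from 198.51.100.22 port 40101 ssh2
Mar  4 10:42:30 web1 sshd[2309]: Failed password for alice from 198.51.100.22 port 40102 ssh2
"""

# Classic syslog timestamps have no year; assume one so lines parse (assumption).
ASSUMED_YEAR = 2024

# Matches sshd "Failed password" lines; "invalid user" is optional so both forms are captured.
FAILED_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"\S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_failed_logins(log_text):
    """Return [(timestamp, ip, user), ...] for every failed-password line, in file order."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(
            f"{ASSUMED_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
        )
        events.append((ts, m["ip"], m["user"]))
    return events


def detect_brute_force(events, threshold=5, window_seconds=60):
    """Sliding-window detector: alert once per source IP when it accumulates
    `threshold` failed logins within any span of `window_seconds`."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    users = defaultdict(set)     # ip -> every username that IP has tried so far
    alerted = set()              # IPs already reported, to avoid duplicate alerts
    alerts = []
    for ts, ip, user in sorted(events):  # process in time order
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        # Drop failures that fell out of the window relative to the newest one.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({
                "ip": ip,
                "count": len(q),
                "first_seen": q[0].isoformat(),
                "last_seen": ts.isoformat(),
                "users": sorted(users[ip]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(parse_failed_logins(SAMPLE_AUTH_LOG)):
        print(alert)
```

With the defaults (5 failures within 60 seconds) only 203.0.113.7 is flagged; the three failures from 198.51.100.22, spaced eleven minutes apart, stay below the threshold, which is the low-and-slow pattern a window-based rule misses unless the window is widened or a longer-horizon rule is layered on top. Shipping auth.log off the host before running such logic, as the page describes, is what keeps an attacker who gains a shell from editing the evidence the detector depends on.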
Doximity operates on servers colocated in US facilities that employ numerous physical and security controls. All equipment is stored in cages with three-factor access (handprint, keycard, and passcode), entered through a single door that is monitored by 24/7 security cameras whose video is stored offsite. The facilities also employ environmental controls to maintain proper temperatures and ensure a stable and secure operating environment.
Reporting Security Issues
We work with security researchers to stay up to date on the latest technologies and trends in web security. If you discover a web security flaw that may impact our products, please report it to us.
We currently run a private HackerOne program. To report a vulnerability, please contact firstname.lastname@example.org and request an invitation to the HackerOne program.
For more information on how we protect our members’ privacy and security, contact us at email@example.com.