Security
Security posture
Plain language about how Docuity protects data — including the limits. We would rather under-claim than over-promise.
Last updated: 17 July 2026
Transport & application security
- All traffic is served over TLS with HSTS enabled; plain HTTP is not offered.
- Every app sends restrictive security headers: a per-app Content-Security-Policy,
frame-ancestors 'none'(no embedding), andX-Content-Type-Options: nosniff. - All state-changing requests are checked against the app's own exact origin (CSRF protection), with additional per-form tokens on sensitive flows such as credential changes and prescription actions.
- Rate limits protect every credential and public endpoint.
Accounts & sessions
- Sign-in happens only in Docuity ID. Apps never see your password — passkeys (WebAuthn) are the preferred method, with password and magic-link fallbacks.
- Sessions are Ed25519-signed tokens combined with a server-side revocation check, so “log out everywhere” takes effect immediately. Sessions expire after 30 days with no silent sliding renewal.
- Sensitive account actions (removing a passkey, changing email or password) require recent re-authentication.
Data at rest
- Especially sensitive fields — two-factor secrets in Docuity ID and message bodies in Docuity Messages — are encrypted at rest with AES-256-GCM under rotatable keys.
- Honest limit: this is server-side encryption. The server holds the keys and can decrypt; Docuity Messages is not end-to-end encrypted, and we will not describe it as such.
- Database backups run daily; the most recent seven are retained.
Audit trails
- Patient-data access in EHR, prescription lifecycle events in Rx, authentication events in ID, and membership/admin changes in Messages are written to append-only, hash-chained audit logs whose database permissions do not allow updates or deletes.
- Honest limit: hash-chaining makes tampering detectable by verification, not impossible — we say “externally verifiable”, never “tamper-proof”.
Self-hosting
Every Docuity app ships as a container image and runs against one PostgreSQL and one Redis instance. If you self-host, all of the above applies to your deployment and no data flows to us.
What we do NOT claim
- No certifications: Docuity is not “HIPAA certified” (no such certification exists), and we hold no SOC 2 or ISO 27001 attestation today.
- We do not currently sign Business Associate Agreements (BAAs).
- No end-to-end encryption claims — see above.
- We describe our approach as HIPAA-informed controls, GDPR-aligned, self-hostable — nothing more.
Reporting a vulnerability
If you believe you have found a security issue, contact the Docuity operator (contact details are published on the About page of the instance you use). Please include steps to reproduce; we ask for reasonable time to remediate before public disclosure.