There is only one owner of your data: you.

Docty does not claim any ownership of, or rights over, your data.

Docty does not trade, share, or lease your information to any other party.

Docty has strict measures in place so that your data is not compromised at any time.

Your data has only one owner, and only that owner decides when it is deleted: you.

256-bit encryption | ISO 27001 certified | HIPAA compliant data centers

Docty is ISO 27001 certified.

Docty has been certified by BSI (the British Standards Institution, an accredited certification body for information security standards). The certification covers the protection of Docty's information assets in terms of confidentiality, integrity and availability.

Safe organizational practices are maintained through awareness training and access controls.

Processes are protected by discrete and effective administrative controls and by supervision.

Strong technical controls are backed by regular vulnerability scans and penetration tests of the systems.

Data security for patients

- Your data belongs to you and is not shared with anyone else.
- No one at Docty can see what your data looks like.
- We build chatbots to help you, but we never send you messages for any reason unless you have permitted us to.
- Promotional messages we send always carry an option to unsubscribe from any future messages from our database.
- Docty does not disclose any data to any third party.

Data security for doctors

- We cannot read or view the data of your practice.
- We do not disclose any of your data to a third party.
- Doctors remain in full control of what is communicated to their patients.
- We keep tight control over data to ensure that users' privacy and safety are well protected.

Whether hosted in a private or a hybrid cloud, all Docty products provide data security and privacy to safeguard the user's information.

We never send promotions to your walk-in patients

Regardless of the type of treatment you offer your patients, we never send promotions to your walk-in patients.
As per our privacy policy, we do not contact your walk-in patients or send any commercial communication to them. A patient can only receive promotional communication from us if they visit the Docty site themselves, or self-register on Docty.com or download our app independently and authorise us to communicate with them. In any case, Docty has no control over the patient database you store in Ray.

Your data has multiple encrypted backups

Your data has several backups, each of which is encrypted.
All data is backed up and versioned several times at several secure sites; between five and ten replicas are kept in different parts of the globe. We also use point-in-time recovery, which lets us restore the data as it was at a particular moment in time.

We don't sell your data

We are not in the business of selling your data.
We understand the sensitivity of healthcare information and the importance of its privacy and protection. We do whatever we can to maintain it and will under no circumstances share it with anyone.

We never mix doctors' data with patients' data

Doctors' data and patients' data are kept in separate stores and are never allowed to overlap.

A personal and safe place for your health records.

Keeping your data safe is the main security concern behind every choice we make at Docty.

Your data is confidential; we won't share it with anyone.

All the information and data that you share in the Docty app is fully confidential. Only the owner, and anyone the owner explicitly allows, can access it. This gives you full control: you are the only person who decides who sees what.

Everything is secured with 256-bit encryption.

Docty applies global standards to protect your information from unlawful access by other users. It is also always safeguarded by several layers of security, including 256-bit encryption at the network layer.

Two-factor authentication exists to block unauthorized access to a user's account even when the password alone has been obtained by someone else.

Extra measures are good, so we let you turn on two-factor authentication to protect your data from unauthorized access by other people.

Remote logout lets you end sessions you did not start, which stops further unauthorized use of a leaked login.

Every time a new device connects to your account, Docty alerts you, so that you can check the activity list and sign that device out if you wish.

FAQs

What is Docty's position on data security and privacy?

We take data security and privacy extremely seriously at Docty. It is one of the foundational pillars of our company and is implemented at the core of every product.

We hold that your healthcare data is the most sensitive personal information you carry, and hence it requires proper protection. Docty collects or uses personal or sensitive personal information belonging to you only after obtaining clear and appropriate consent from you. Further, we understand that people change their minds; therefore no consent is permanent, and our systems are built so that any consent given can later be revoked.

That is why, in all our products, patients and providers are in control of deciding what to share and what to keep private.

Where does Docty get its data from?

First, our data is stored with 256-bit encryption on HIPAA compliant servers. More importantly, we are an ISO 27001:2013 certified company. This certification is among the most recognized and stringent information security certifications, and it validates the efforts a company makes toward protecting data and all kinds of information assets.

We have two different types of data sets. The first is created when health care providers use our software to hold information about the patients they attend to. This can include patient details, diagnoses, treatment plans, clinical notes, communications and more. All of it is held on behalf of the provider and cannot be accessed by Docty. It is stored privately and securely for every provider using our software.

The second is created when patients come directly to Docty and use Docty to store their health history or to carry out a healthcare transaction, such as booking an appointment or an online consultation. All of this data is stored on behalf of the patient, again with 256-bit encryption on HIPAA compliant servers. A patient who uses our service gives us permission to contact him/her from time to time with marketing and/or other communications, and can opt out at any time.

I am a doctor using your Ray software. What kind of access do you have to my data stored in Ray?

Docty does not have access to the data stored in Ray.

If you don't have any access to data in Ray, how can you send those appointment confirmation or feedback collection SMSes to my walk-in patients?
To be clear: we develop the technology that lets YOU send the SMSes. Our systems deliver the SMS, but only a doctor who has explicitly enabled the feature can trigger it, and it can be toggled in the settings tab of your Ray software. Enabling this feature does not give Docty any part of your data beyond what is needed to successfully send that SMS, and it does not give Docty permission to reach out to the patient for any other reason. Moreover, the whole process is automated and involves no human intervention.

For example, suppose you have turned on the option to send an appointment confirmation SMS to a walk-in patient. The system takes that patient's phone number, looks up the appointment details you have confirmed, and sends that information to the patient. Beyond this, Docty has no right to send any other message or communication, or to contact the patient for any other reason whatsoever. You can also revoke this facility at any time by changing the settings inside Ray.

How do you distinguish between patients who come to me directly and patients who book with me via the Docty website or app? What data can you access for each?
We take this responsibility very seriously, since millions of patients and hundreds of thousands of providers trust us with their data.

We have always drawn a clear distinction between data belonging to users who visit Docty.com directly ("Online Patients") and data belonging to patients who walk into a clinic ("Walk-in Patients"). Ray runs on separate infrastructure behind its own firewalls, which does not allow Docty.com to access data held in Docty Ray.

Online Patients: These are patients who enrol with Docty through our website, Docty.com, or our app, and then call or book an appointment with one of the affiliated clinics. Each of these patients individually grants us permission to contact them with communications relevant to rendering services and to availing new products or services. Docty has no access to their personally identifiable health information.

Walk-in Patients: When a patient walks into the clinic and the doctor enters their details into our software, such as Ray, Docty gets no access to that information. Entering a patient's details in Ray does not create any right for Docty to contact that patient. Docty also has no access to the personally identifiable health information of those patients. We believe this is highly important and have committed to it with every provider by writing it into our terms of service.

I had a walk-in patient who received marketing communication from Docty. How is this possible?
Your walk-in patient will not receive promotional communication from Docty as a walk-in patient. The only way this can happen is if that patient subsequently and independently goes to Docty.com and registers with Docty. At that point, he gives us his consent that Docty can reach him with promotional material. We correspond with a patient only after he/she has given us direct permission on our website.

Unless your walk-in patient visits Docty independently and grants us permission, he will not receive any marketing communication from Docty. He will only receive what you have enabled in your settings in Ray. To review those settings, log into Ray and check what is enabled under your settings.

My patients complain of receiving marketing communication from other healthcare companies as soon as they register at my clinic. Do you sell data?
Never. We do not sell any patient data, whether for walk-in patients or for our online patients, to any third party. We also do not allow third parties to market to any Docty user through us. We are not responsible for promotional communications that patients receive from other vendors. We recommend you advise patients to report such marketing campaigns immediately to TRAI for action by the regulator.

Have you ever faced a data breach?

No, we have not. We will continue to work very hard to ensure that data stored with Docty remains secure.

Is my data really safe with Docty?

Absolutely. Docty is amongst the safest places for you to store your healthcare information and that of your patients.

We have a variety of measures that protect your data, some of which are:

1. HIPAA compliant servers: All data is stored on HIPAA compliant servers, which ensures an industry-standard consent architecture and privacy policies.
2. Encryption: All data is encrypted with 256-bit encryption, both in transit and at rest.
3. Two-factor authentication: We have implemented two-factor authentication to protect against foul play.
4. Access zones: We have implemented access zones that prohibit access to information from locations not specified by the user. This ensures that even if the authentication information leaks, access can only happen from the locations the user has specified.
5. Role-based profiles: A doctor or clinic owner can set up different profiles for their staff with different levels of information access. This ensures that only the doctor has access to the patient files, while staff access is restricted to clinic operations rather than patient information.
6. Data backup: We take multiple backups of your data and keep them in geographically distributed locations to make sure you never suffer data loss. Even in the event of a natural disaster in one geography, your data remains safe and can be recovered.
7. Resilience to local malware: Because your data is stored in the cloud rather than only on your clinic computer, a virus or ransomware infection on that computer cannot destroy the only copy of your records. (Keeping that computer clean still matters, since malware on a logged-in device can act through your session; beyond that, the only viruses you have to deal with are those affecting your patients 🙂)

What specific measures do you use to ensure the security of data stored with you?

The measures are the ones listed under "Is my data really safe with Docty?" above: HIPAA compliant servers, 256-bit encryption in transit and at rest, two-factor authentication, access zones, role-based profiles, and geographically distributed backups.

My offline patients receive SMS from Docty software that mentions Docty and leads them to your website/app. They are not your direct online patients. How can you market to them?

We have some services, for example appointment reminders or electronic record sharing, through which a doctor may share records with his/her patient. When a doctor does this, we send the patient a message with a link to access that record. If the doctor does not want such a link included in those SMSes, he can opt out of it.

I have been asking my patients to go to Docty and book appointments with me there. They are still my patients and not Docty's, so can you market to them?

Merely visiting Docty.com is not enough. To receive marketing messages from Docty, a patient must visit us, register for an account and give his permission to be marketed to. Only once they have given us that permission do we market to them.

Moreover, the database holding Ray data sits on a different platform from the one Docty.com uses. Under the terms of service agreed with you, Docty cannot access the data in the Ray database. We therefore cannot exclude a patient who visits Docty.com on the grounds that they may also have visited you in the past and may exist in the Ray database, because checking that would itself be a breach of privacy and a violation of our contract with you.

When I send my patients a prescription through Docty and when they open it, does that make them Docty direct online patients?

No. It does not.

When I ask my walk-in patients to give me a feedback - does that make them Docty direct online patients?

No. It does not.

If a walk-in patient downloads the Docty app and signs up to view a prescription or other document shared by the doctor, does he/she become an Online Patient?

When you share a prescription with a patient, he does not need to download the Docty app to view it; he only needs to open the link you share with him. If a patient chooses to download our app and allows us to contact him directly, then we can.

What if I find a security vulnerability in any of your applications?
In the event that you find a vulnerability, we have a responsible disclosure program that sets out the next course of action. We would love to hear from you and will fix the issue at the earliest. Please check our Responsible Disclosure Policy and report the vulnerability to us at developers@docty.ai.

Is Docty compliant with the data security and privacy laws in India?

Yes. Docty complies with all applicable laws in every country in which it operates.