At homedoctor we are very committed to Security
homedoctor is fully committed to security: the security of its systems, of the software it develops, and information security in general. For this reason, we have an Integrated Management System covering quality, security and regulatory compliance, which allows us to control and supervise security across all processes of our organization.
Web and Mobile Application Development
At homedoctor we are committed to the design, creation and maintenance of secure systems, as well as the complete security management throughout the software development life cycle.
- Our homedoctor Medisoft solution is classified as Class IIa under regulation (EU) 2017/745 and certified with number 179/MDR by the IMQ entity. Therefore, it complies with the strictest security standards throughout the software life cycle in compliance with ISO 62304 and ISO 82304, as well as ISO 14971.
- homedoctor holds a medical device (software) manufacturing license as well as an import and/or grouping license No. 7524-PS from the Spanish Agency of Medicines and Medical Devices.
- Our application complies with ISO 13485 quality management standard applicable to medical devices, throughout the software life cycle, for which it is certified by the IMQ entity.
- All developments are periodically analyzed for common security vulnerabilities, such as those listed in the OWASP Top 10.
- Periodic training on Secure Coding Practices is offered. All engineers must attend the training sessions.
- The homedoctor security team periodically audits the use of encryption for the storage and transmission of confidential information.
- All web and mobile applications are developed, tested, implemented, and maintained by an internal team of full-time engineers.

System Security
The homedoctor production systems are hosted on AWS, complying with the strictest security standards and best practices.
- PCI-DSS Level 1 Service Provider
- ISO 27001 certified
- Independent reviews and audits
- SAS-70 Type II and SSAE16
- Amazon AWS PCI compliance site
- Additionally, homedoctor performs periodic penetration tests and security audits to ensure the security and integrity of the systems.
- All production systems have automatic load balancing and auto-scaling, and are segregated into networks and zones for complete availability.
- homedoctor has Continuity and Contingency Plans that guarantee 98% availability.

Encryption
homedoctor uses secure encryption methods and key management procedures to ensure the protection of your confidential information.
- homedoctor APIs and website can be accessed via a 256-bit SSL certificate.
- homedoctor limits access to encryption keys to as few employees as possible.
- homedoctor has an advanced cryptographic controls policy that is evaluated and tested by external auditors.
- Encryption methods are part of the periodic penetration tests that homedoctor performs on its systems and software.

Supplier Security
In compliance with the MDR (EU 2017/745) regulation, for which we hold a compliance certificate, we validate each supplier with strict security requirements.
- All suppliers that store or process any data considered personal must be certified under ISO 27001 Information Security standard.
- All suppliers that store or process any data considered personal must be located within the European Union, store the data within it, and not transfer it to third parties, in compliance with the Data Protection Regulation (GDPR).
- Critical suppliers related to availability must also have a Quality Management System (ISO 13485 and/or ISO 9001) and Security, Contingency and Continuity Plans aligned with ISO 27001.
- All critical suppliers related to Medical Devices must have a Quality Management System certified under ISO 13485 in compliance with European MDR regulations.
- All imported products comply with current regulations and legality in the European Union regarding their CE marking and applicable regulations.
- All suppliers have been verified and audited by our security specialists to validate that they meet the requirements.

Payment Security
homedoctor processes payments through the Stripe platform, which complies with PCI-DSS 3.2.1 Level 1 as a Merchant and as a Service Provider.
- A PCI-certified auditor evaluated Stripe and certified them with PCI Level 1 for service providers. This is the most stringent level of certification available in the payments industry. This audit includes Stripe's card data storage (CDV) and secure software development of their integration code.
- Stripe's systems, processes, and controls are regularly audited as part of SOC 1 and SOC 2 compliance programs.
- You can find more information about security at Stripe using this link.

Privacy
homedoctor maintains a comprehensive privacy program. For us, this means that, although laws or regulations oblige us to do certain things, we are continuously evaluating whether we can and should do more.
- We do not sell our customers' personal information to third parties.
- We have a complete legal and security team that deals with privacy and security issues.
You can find our privacy policy at: www.homedoctor.es/politica-privacidad.

Our Organization
homedoctor has taken appropriate measures to vet our employees.
- All employees undergo reference checks, training, and other personal background checks. Some employees also undergo detailed background checks.
- homedoctor has an information security training program that complies with the standards of NIS2 and ENS regulations, as well as ISO 27001 standards.
- We have full-time security personnel with advanced knowledge and specialized security training on our staff.
- Employees must acknowledge in writing their roles and responsibilities regarding data protection and user privacy.

Incident Response
While we do our best to prevent security breaches or incidents in our systems, we know that no computer system is 100% secure.
- homedoctor has a Security and Compliance Committee responsible for managing, evaluating, investigating, and resolving security incidents, as well as supervising and controlling the Integrated Management System that encompasses all applicable regulations.
- homedoctor has an advanced Continuity and Disaster Recovery Plan following the best practices of ISO 27001, ENS and other applicable standards (backups, alternative plans, redundancies...). This plan is validated and periodically verified.
- In case of a security breach in a homedoctor information system, we have an incident response plan.
- The incident response plan is tested periodically.
- homedoctor continuously monitors its security systems and alerts.
- If you have detected an anomaly or failure, or simply want more information about our security, you can contact security@homedoctor.es and we will address your concerns.