Data Protection & Security Policy
Effective Date: 18 Aug 2025
Last Updated: 19 Nov 2025
Doxmate is a healthcare-focused AI appointment automation platform operated by Brainox Tech. We prioritize the confidentiality, integrity, and availability of patient, clinic, and organizational data. This Data Protection & Security Policy describes how Doxmate safeguards the data entrusted to us.
This policy applies to all Doxmate services, including the admin dashboard, embedded signup, WhatsApp Cloud API workflows, and all backend systems.
1. Scope of the Policy
This policy applies to:
- Clinic and hospital data
- Patient appointment-related data
- Staff user accounts and credentials
- WhatsApp Cloud API messages processed by Doxmate
- Data stored, transmitted, or processed by any Doxmate service
This policy covers digital systems, cloud infrastructure, AI automation workflows, and operational procedures.
2. Data Classification
Doxmate processes administrative healthcare data, such as:
- Patient name
- Phone number
- Appointment time/date
- Rescheduling instructions
- Reminder delivery logs
Doxmate does NOT request or store:
- Medical histories
- Prescriptions
- Diagnoses
- Test results
- Clinical notes
- Sensitive health or biometric data
This aligns with strict data minimization standards.
3. Compliance Framework
Doxmate aligns with:
- GDPR (EU privacy regulation)
- HIPAA-aligned technical safeguards (where applicable)
- ISO 27001 principles
- Meta/WhatsApp Cloud API policies
- Indian IT Act & Data Privacy Rules
- Industry-standard cybersecurity practices
We continuously review our systems to meet evolving regulatory requirements.
4. Security Measures
A. Encryption
- In transit: TLS 1.2+ encryption for all communication between clients, backend systems, and the WhatsApp API
- At rest: AES-256 encryption for all stored data, including backups
- WhatsApp messages are encrypted through Meta’s secure protocols
B. Cloud Security (AWS)
Doxmate uses AWS as a secure hosting provider, leveraging:
- VPC isolation
- IAM role-based permissions
- Security groups & firewall rules
- Encrypted EBS volumes
- Automated backups
- Region-specific data storage where required
AWS holds certifications such as SOC 2 and ISO 27001 and offers HIPAA-eligible services.
C. Access Control
- Role-Based Access Control (RBAC) enforced across all systems
- Multi-Factor Authentication (MFA) required for admin users
- Least-privilege access for staff
- Activity logging for all critical admin actions
D. Network & Application Security
- DDoS protection via AWS
- Web Application Firewall (WAF)
- Input validation & sanitization to prevent injection attacks
- Rate limiting to protect APIs from abuse
- Continuous monitoring of performance, uptime, and anomalies
5. Organizational Security
- Background checks for relevant employees
- Mandatory privacy & security training for staff
- Strict internal access restrictions
- Confidentiality agreements with employees & contractors
- Regular security audits and internal reviews
6. WhatsApp Cloud API Security
Doxmate integrates with WhatsApp Cloud API under Meta’s security framework:
- All messages encrypted and transferred securely
- Meta never accesses patient data beyond message transmission
- Templates and communication flows comply with WhatsApp Business Policies
- No unauthorized bulk messaging or marketing is permitted
7. Data Retention & Deletion
- Appointment data is retained only while needed for clinic operations or as configured by the clinic
- Patients and clinics may request deletion of stored data at any time (see Data Deletion Policy)
- Backup data may be retained for up to 30 days before automatic purge
- Logs needed for security or legal compliance may be retained as allowed by law
Clinics may also request full account and data offboarding.
8. Incident Response & Breach Handling
We maintain a formal Incident Response Plan:
- Continuous monitoring for suspicious activity
- Immediate isolation of affected systems
- Investigation and root-cause analysis
- Notification to impacted clinics and relevant authorities when required
- Remediation to prevent future incidents
For GDPR jurisdictions: breach notifications occur within 72 hours, where legally required.
9. User Responsibilities (Clinics & Staff)
Clinics using Doxmate must:
- Ensure only authorized staff access the dashboard
- Maintain secure passwords and enable MFA
- Avoid sending sensitive medical data through WhatsApp
- Follow applicable privacy laws (e.g., GDPR/HIPAA)
- Ensure legitimate patient consent for communication
Clinics are responsible for patient data accuracy and for complying with legal requirements when processing patient data.
10. Third-Party Subprocessors
Doxmate relies on secure third-party partners including:
- Meta / WhatsApp Cloud API
- Amazon Web Services (AWS)
- Payment processors (Stripe or Razorpay, if used)
- Analytics & monitoring providers
All subprocessors follow strict data protection agreements and may only process data as instructed by Brainox Tech.
A list of active subprocessors is available upon request at:
privacy@brainoxtech.com
11. Cross-Border Data Transfers
Data may be processed in AWS regions outside your country.
Where required by law, we rely on:
- Standard Contractual Clauses (SCCs)
- Adequacy decisions
- Contractual safeguards
By using Doxmate, you consent to such transfers where legally permissible.
12. Audit & Compliance Monitoring
Doxmate performs:
- Regular internal audits
- Third-party security reviews as needed
- Continuous monitoring of roles, permissions, and system access
- Assessments of third-party provider compliance
We maintain documentation to demonstrate control effectiveness.
13. Policy Updates
We may update this Data Protection & Security Policy as necessary to reflect:
- Regulatory changes
- Product updates
- Improved security standards
Updates will be posted with the revised “Last Updated” date.
Continued use of Doxmate indicates acceptance of any updates.
14. Contact Information
For privacy, data protection, or security-related inquiries:
Doxmate (by Brainox Tech)
Security Team: security@brainoxtech.com
Data Protection Office: privacy@brainoxtech.com
Support: support@doxmate.in
Website: https://www.doxmate.in