This page summarizes the technical and organizational security measures PracticPro uses to protect customer data. It is intended to be readable by privacy and security professionals as well as the business owners who are our customers. For the full contractual commitments, see our Data Processing Addendum.

Hosting and Infrastructure

PracticPro is hosted on DigitalOcean in the United States. Production compute, databases, file storage, and encrypted backups all live within DigitalOcean's infrastructure. DigitalOcean maintains industry-standard physical security controls and is independently audited (SOC 2, ISO 27001).

All public traffic to PracticPro is routed through Cloudflare for TLS termination, DDoS protection, and content delivery. We enforce HTTPS-only access with HSTS preload.

Encryption

In transit

All connections to and from PracticPro use TLS 1.2 or higher. We do not accept unencrypted connections. Internal service-to-service traffic is also encrypted.

At rest

Customer data stored in our production databases, file storage, and backups is encrypted at rest using industry-standard algorithms (AES-256). Encryption keys are managed by our infrastructure provider and rotated according to provider best practice.

Access Controls

Customer access to the application

Customer users authenticate with username and password and may enable multi-factor authentication. Within a customer account, access to records is governed by role-based permissions configurable by the account administrator.

PracticPro staff access to customer data

Access to customer data by PracticPro personnel is restricted to those with a documented business need (for example, to provide support requested by the customer or to investigate a security incident). Such access is logged.

Production system access

Direct access to production servers and databases is limited to a small set of authorized engineers, secured with strong authentication and audit logging.

Network Security

  • Cloudflare provides perimeter protection (DDoS, WAF, bot management) at the edge.
  • Firewalls restrict ingress to production hosts to required ports only.
  • Operating systems and dependencies are patched on a regular cadence; critical security patches are applied promptly after disclosure.
  • Security headers (HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy) are enforced on every response.

Logging and Monitoring

  • Significant administrative actions affecting customer data are logged.
  • Application logs and access logs are retained for operational and security purposes.
  • Authentication events (sign-in, password change, failed attempts) are logged and monitored.
  • Rate limiting and anomaly detection protect against credential-stuffing and brute-force attacks.

Personnel Security

  • PracticPro personnel are bound by written confidentiality obligations.
  • Personnel with access to customer data receive privacy and security training.
  • Access is provisioned on the principle of least privilege and revoked promptly on role change or departure.

Vendor and Sub-processor Management

Every third party that touches customer data is engaged under a written agreement that imposes data-protection obligations no less protective than those we owe our customers. The current list of sub-processors is published at practicpro.com/trust/sub-processors. We provide at least 30 days' advance notice before adding a new sub-processor.

Backups and Disaster Recovery

  • Customer data is backed up automatically through DigitalOcean's managed backup service.
  • Backups are encrypted at rest using the same standards as production data.
  • Restoration procedures are documented and tested.

Incident Response

We maintain documented incident response procedures covering triage, containment, communication, remediation, and post-incident review.

In the event of a Personal Data Breach affecting a customer's data, we will notify the affected customer without undue delay, and in any event no later than 72 hours after becoming aware. Details of what the notice will contain are set out in Section 8 of our DPA.

To report a suspected security issue, see our Vulnerability Disclosure page.

Application Security

  • CSRF tokens are enforced on all state-changing requests.
  • Parameterized queries are used to prevent SQL injection.
  • Input validation and output encoding protect against XSS and injection attacks.
  • Authentication uses industry-standard password hashing (bcrypt) with appropriate work factor.
  • Session cookies are flagged Secure and HttpOnly; sessions invalidate appropriately on sign-out.
  • Dependencies are tracked and security advisories are reviewed regularly.
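The headers listed under Network Security and the cookie flags listed above are the controls a customer's security reviewer can verify from outside without any privileged access. The following is an added example, not PracticPro's own code: a small offline audit that parses a raw HTTP response, confirms the five headers are present, checks that the HSTS value actually meets the preload-list requirements implied by "HSTS preload" (one-year max-age, includeSubDomains, preload), and flags any Set-Cookie lacking Secure or HttpOnly. The two sample responses are constructed for the demonstration and are not captured from practicpro.com.

```python
"""Offline audit of response-level controls: required security headers,
preload-eligible HSTS, and Secure/HttpOnly cookie flags.
Added example; sample responses below are constructed, not real captures."""

from typing import Dict, List

# Headers the Network Security section says are sent on every response.
REQUIRED_HEADERS = (
    "strict-transport-security",
    "x-content-type-options",
    "x-frame-options",
    "referrer-policy",
    "permissions-policy",
)

# hstspreload.org submission requirements: max-age of at least one year,
# includeSubDomains, and the preload token.
HSTS_PRELOAD_MIN_AGE = 31536000


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse the header block of a raw HTTP/1.1 response into a
    lower-cased multimap (Set-Cookie may legitimately repeat)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")[1:]  # drop the status line
    headers: Dict[str, List[str]] = {}
    for line in lines:
        if ":" not in line:
            continue  # tolerate junk rather than abort the audit
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def check_hsts(value: str) -> List[str]:
    """Findings for an HSTS value that is supposed to be preload-eligible."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            directives[key.lower()] = val.strip()
    findings = []
    try:
        max_age = int(directives.get("max-age", "0"))
    except ValueError:
        max_age = 0
    if max_age < HSTS_PRELOAD_MIN_AGE:
        findings.append(f"hsts max-age {max_age} below preload minimum {HSTS_PRELOAD_MIN_AGE}")
    if "includesubdomains" not in directives:
        findings.append("hsts missing includeSubDomains")
    if "preload" not in directives:
        findings.append("hsts missing preload")
    return findings


def check_cookie(set_cookie: str) -> List[str]:
    """Findings for one Set-Cookie line; Secure and HttpOnly are expected."""
    parts = [p.strip() for p in set_cookie.split(";")]
    cookie_name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    findings = []
    if "secure" not in attrs:
        findings.append(f"cookie {cookie_name} lacks Secure")
    if "httponly" not in attrs:
        findings.append(f"cookie {cookie_name} lacks HttpOnly")
    return findings


def audit_response(raw: str) -> Dict[str, object]:
    """Audit one raw response; returns {'ok': bool, 'findings': [...]}."""
    headers = parse_headers(raw)
    findings: List[str] = []
    for name in REQUIRED_HEADERS:
        if name not in headers:
            findings.append(f"missing header: {name}")
    for value in headers.get("strict-transport-security", []):
        findings.extend(check_hsts(value))
    for value in headers.get("x-content-type-options", []):
        if value.lower() != "nosniff":  # the only meaningful value
            findings.append(f"x-content-type-options is {value!r}, expected nosniff")
    for value in headers.get("set-cookie", []):
        findings.extend(check_cookie(value))
    return {"ok": not findings, "findings": findings}


# Constructed sample: a response that satisfies every control on this page.
GOOD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Permissions-Policy: geolocation=()\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
    "<html></html>"
)

# Constructed sample: Permissions-Policy absent, HSTS too short for preload,
# session cookie readable from script.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=86400\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    for label, raw in (("good", GOOD_RESPONSE), ("weak", WEAK_RESPONSE)):
        result = audit_response(raw)
        print(label, "ok" if result["ok"] else "findings:", result["findings"])
```

Against a live service, the raw text would come from a TLS client rather than a string literal; the parser deliberately collects repeated headers so that multiple Set-Cookie lines are each checked rather than silently overwritten.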

Data Residency and International Transfers

Customer data is processed in the United States. Where customer data of EEA, UK, or Swiss residents is transferred to the United States, the EU Standard Contractual Clauses, the UK International Data Transfer Addendum, or equivalent Swiss mechanisms apply, as incorporated into our DPA.

Compliance and Certifications

  • GDPR / UK GDPR / FADP: In place. Processor obligations met via our DPA, including 72-hour breach notification, sub-processor controls, and SCC-based international transfers.
  • CCPA / CPRA: In place. Service Provider obligations met via our DPA and Privacy Policy.
  • SOC 2 Type II: Planned. Independent third-party attestation of our security controls.
  • ISO 27001: Planned. Information security management system certification.
  • HIPAA: On request. Required only for customers handling protected health information. Not currently available; contact us if you have a HIPAA use case.

Certifications marked "Planned" represent active or near-term work. We will update this page when status changes. To follow updates, you can subscribe to Sub-processor change notifications, which we also use for material trust-related announcements.

Customer Responsibilities

Security is a shared responsibility. PracticPro secures the platform; customers are responsible for:

  • Protecting user account credentials, including enabling multi-factor authentication where appropriate.
  • Granting platform access only to authorized personnel and revoking it promptly when no longer needed.
  • Configuring the platform appropriately for their use case (for example, AI feature settings, recording controls, retention preferences).
  • Complying with applicable law when processing personal data through the Services, including any necessary disclosures to end clients.

Contact

To report a suspected security issue, email [email protected] and see our Vulnerability Disclosure page. For privacy or data-protection questions, email [email protected].

Last updated: May 21, 2026