Security
Security posture, in plain language.
A prescription is a sensitive record, so Docuity Rx is built to under-claim rather than over-promise. Here is how it protects data, and an honest list of what it does not.
Sign-in and sessions
- Sign-in happens only in Docuity ID. Docuity Rx never sees your password. Passkeys are the preferred method, with password and magic-link fallbacks.
- Sessions are Ed25519-signed tokens paired with a server-side revocation check, so signing out takes effect immediately and the app fails closed if that check cannot be reached.
- Every state-changing request is validated against the app's own exact origin, and sensitive prescription actions carry an additional per-form token. Credential and public endpoints are rate-limited.
Prescription integrity
Issuing a prescription is gated. A draft can only be locked when it is still a draft, the person issuing holds a prescriber role with a registration number on file, at least one medicine is present, and none of the medicines is a controlled substance.
- The controlled-substance block is a separate, offline deny-list applied to the raw drug name at issue time. It fails closed, so a scheduled substance cannot be issued even if the drug service is unavailable.
- Interaction and allergy data is fetched server-side only. The browser never calls the drug service directly.
- An issued prescription is immutable; corrections are made by cancelling and reissuing.
Audit trails
Prescription lifecycle events are written to an append-only, hash-chained audit log whose database permissions do not allow updates or deletes. In production, a failure to write the audit record fails the request rather than proceeding silently.
Honest limit: hash-chaining makes tampering detectable by verification, not impossible. We say externally verifiable, never tamper-proof.
The public verify page
Anyone holding an issued script can verify it, but the public page is data-minimised by construction. It returns four fields only: status, issuing practice, date, and item count. Patient identity and medication detail never leave the server, and the page is rate-limited against enumeration.
Access and isolation
- Practices and pharmacies are separate tenants. Every request runs through a membership check for the specific organisation, and a denied access is itself audited.
- Pharmacies are invite-only. No prescription reaches a pharmacy unless a practice has invited it, and roles determine who can compose, issue, dispense, or manage members.
- All traffic is served over TLS. Plain HTTP is not offered.
Self-hosting
Docuity Rx ships as a container image and runs against one PostgreSQL and one Redis instance. If you self-host, everything above applies to your deployment and no data flows to us.
What we do not claim
- No certifications. Docuity is not “HIPAA certified” (no such certification exists), and we hold no SOC 2 or ISO 27001 attestation today.
- We do not currently sign Business Associate Agreements.
- No end-to-end encryption claims. Server-side protections are what they are.
- The interaction and allergy checks are informational. They support a prescriber's judgement and do not replace it. Docuity provides software, not medical advice.
Reporting a vulnerability
If you believe you have found a security issue, contact the Docuity operator for the instance you use. Please include steps to reproduce, and allow reasonable time to remediate before public disclosure.
Read the full feature tour, or create an account and issue your first prescription.