SECURITY & PRIVACY AT HOTDOC
Security
We recognise that your data is very sensitive. We combine robust security controls with regular independent audits to ensure your data remains secure.
Privacy
HotDoc has comprehensive policies and procedures that detail how we handle personal information.
The term personal information covers a wide range of data handled by HotDoc, including both sensitive and health information as defined under the Privacy Act 1988. We always err on the side of caution – treating all data as personal information and managing it in strict accordance with the Australian Privacy Principles (APPs). All personal information entrusted to HotDoc is securely stored and processed within Australia and never transferred overseas.
To protect your privacy, all data transferred between user devices and HotDoc’s servers is secured in transit using TLS with 256-bit encryption, supported by industry-leading certificate management. In addition, all data stored on our systems is encrypted at rest using AES-256, ensuring the confidentiality and integrity of your information at every stage.
HotDoc staff can only access personal information when it’s needed to help with customer support. Every access is tracked and reviewed, and permissions are limited to what each person needs to do their job. We use strong security controls and authentication checks to make sure only authorised people can access your information.
Certifications and Compliance
HotDoc is committed to maintaining best practices for ensuring security, availability and confidentiality.
HotDoc proudly maintains an annual SOC 2 Type II accreditation, independently confirming that our platform meets the highest standards for security, availability, and confidentiality. Even though we’re not required to hold this certification, we do it to show our commitment to transparency and give our customers complete confidence that their data is protected by world-class security practices.
Infrastructure Security
HotDoc’s services are fully hosted in the cloud within Australia, deployed across multiple availability zones to ensure resilience and reliability. Our infrastructure is built for high availability, with automatic failover capabilities to minimise disruption in the event of hardware or software issues. Using modern infrastructure-as-code practices and advanced security tooling, we continuously monitor and optimise our systems to keep them running reliably and securely.
Application Security
HotDoc has embedded application security into our culture from the ground up. Our dedicated security team works closely with developers to mentor, review, and guide best practices throughout the product lifecycle. Every change to our codebase goes through peer review and automated testing to ensure quality and security before release. We use automated patching and vulnerability management tools to stay ahead of potential threats, and a layered defence approach to keep production and development environments strictly separated – ensuring customer data is always protected.
Vulnerability Disclosure
HotDoc is committed to resolving security vulnerabilities quickly and responsibly, in line with the timeframes set out in our security policies. We follow a coordinated vulnerability disclosure process and ask that anyone reporting potential issues works with us in the same spirit – helping us protect our customers and maintain a secure platform for everyone.
If you are a customer, please submit a ticket to our support team.
If you are a security researcher, please email our security team.
Trust Centre
HotDoc’s Trust Centre is your central hub for transparency into how we protect clinic and patient data. It brings together key information about our security controls, subprocessors, and compliance certifications. By making our policies and safeguards publicly available, we aim to build lasting trust with every clinic, practitioner, and patient who relies on HotDoc.
FAQs
At HotDoc, we promise to uphold the same ethical standards of confidentiality that our customers provide to their patients. From the very beginning, privacy and security have been core principles in how we design, build, and operate our products – not features added after the fact.
Our security team forms the first line of defence in protecting clinic and patient data. To ensure our internal controls meet global best practices, HotDoc maintains an annual SOC 2 Type II accreditation – an independent, internationally recognised framework that validates how we safeguard data and maintain strong operational resilience.
We are equally committed to protecting the privacy of every patient and practice we support. HotDoc will never sell, share, or use patient data for commercial purposes. We only use the data entrusted to us to deliver the services that our customers choose to engage us for.
HotDoc’s Security team is dedicated to protecting the data you trust us with and ensuring our platform remains safe and dependable.
The team partners closely with our engineers and staff across the company to strengthen every layer of our systems – from infrastructure and applications to internal processes. They proactively identify and remediate vulnerabilities, oversee the implementation of our SOC 2 controls, and manage ongoing security checks across our suppliers, systems, and people. HotDoc’s platform maintains 99.5% uptime, with continuous improvements focused on resilience, performance, and the security of the services we deliver.
Like any business operating online, HotDoc regularly faces attempted malicious activity. Our systems are protected by multiple layers of security controls designed to prevent unauthorised access and ensure these attempts never impact the integrity of our platform or our customers’ data.
No organisation can completely eliminate the risk of cyberattacks, but at HotDoc we take comprehensive measures to ensure those attacks are not successful. Our goal is to deny malicious actors access to data, systems, and infrastructure through layered security controls and proactive defence.
We protect our environment by preventing malware installation on staff devices, enforcing strict access controls to limit employee access to customer data and production systems, and continuously hardening our infrastructure to remain resilient and free from exploitable vulnerabilities.
Our systems are also continuously monitored for suspicious activity, allowing us to detect, respond to, and contain potential threats before they can impact our customers or our platform.
HotDoc collects patient information from patients directly when they create accounts with us and book appointments. Practices can also give us appointment information so we can support appointments and provide our services to the practice or patients. All the data that HotDoc accesses is listed in our Privacy Policy. The data is securely stored in our platform, hosted in Australia on Amazon Web Services (AWS), and is encrypted.
HotDoc never has access to your card details: your card information will be sent directly to a secure payment provider. HotDoc does not collect or store your card details and only has access to an anonymised token that allows you to use your card for future payments if you choose to save your card.
We encrypt the data using industry-standard HTTPS/TLS encryption to prevent malicious actors from intercepting it while we transfer it to you, and we enable practices to authenticate using MFA to ensure the data is only transferred to an authorised user, whether one of our staff or someone at your practice.
HotDoc complies with the Australian Privacy Act and the Australian Privacy Principles (APPs). We do not store medical records on our platform – if any medical information is collected as part of a booking or transfer process, it is securely transmitted to your Practice Management Software (PMS) and then deleted. Because HotDoc does not retain medical records, those retention obligations remain with the practice.
Practices should follow the RACGP Guidelines for data security to maintain a strong security posture when using HotDoc.
When using our platform, we recommend that practices:
- Use unique accounts: Ensure each staff member has their own individual HotDoc account and that accounts are never shared.
- Use multi-factor authentication (MFA): Enable MFA via email or an authentication app for all practice users.
- Keep systems up to date: Regularly install updates for your operating system, practice management software, browsers, and any HotDoc components – including the HotDoc Connector and HotDoc Sidebar.
Contact Security
HotDoc has a dedicated security team responsible for protecting every layer of our platform. If you have any questions or concerns, please contact our team.