Security Posture

Last updated: March 16, 2026
As a platform built for doulas and birth workers, DoulaOS uses authentication, tenant-aware data access, encryption, and operational safeguards to protect client workflows.

1. Encryption Standards

In Transit: All data moving between your browser and DoulaOS is fully encrypted using modern Transport Layer Security (TLS 1.3 / HTTPS). This prevents "man in the middle" snooping over public Wi-Fi.

At Rest: All database clusters, uploaded documents, client birth plans, and logs, whether in live storage or in backups, are encrypted with AES-256 on our cloud providers (AWS/Supabase architectures).

2. Tenant-Aware Data Isolation

DoulaOS utilizes strong multi-tenancy rules enforced at the deepest database level: Postgres Row Level Security (RLS).

  • The "Tenant Wall": Every client, intake form, and private note is stamped with an immutable ID belonging to your specific practice.
  • Database Enforcement: Rather than relying solely on the application code to hide data, the Postgres database physically rejects any query that tries to view data outside your practice ID.
  • Database-level access rules provide an additional layer of protection so tenant data is isolated by practice.
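
As an added illustration of the pattern described above (not DoulaOS's own schema or code), a minimal Postgres RLS setup for per-practice isolation might look like this. The table, column, role, and `app.practice_id` setting names are hypothetical, and the practice IDs are constructed sample values.

```sql
-- Added illustration. Table, column, role and setting names are hypothetical,
-- not DoulaOS's actual schema.
CREATE TABLE client_notes (
    id          bigserial PRIMARY KEY,
    practice_id uuid NOT NULL,          -- the tenant stamp
    body        text NOT NULL
);

-- Turn RLS on. FORCE also subjects the table owner to the policy;
-- superusers and roles with BYPASSRLS are still exempt.
ALTER TABLE client_notes ENABLE ROW LEVEL SECURITY;
ALTER TABLE client_notes FORCE ROW LEVEL SECURITY;

-- USING filters rows read, updated or deleted; WITH CHECK vets rows written.
-- A missing or empty setting becomes NULL, so the comparison is never true
-- and the session sees no rows (fails closed).
CREATE POLICY practice_isolation ON client_notes
    USING      (practice_id = NULLIF(current_setting('app.practice_id', true), '')::uuid)
    WITH CHECK (practice_id = NULLIF(current_setting('app.practice_id', true), '')::uuid);

-- Application role: no UPDATE privilege on practice_id, so the stamp cannot be changed.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, DELETE ON client_notes TO app_user;
GRANT UPDATE (body) ON client_notes TO app_user;
GRANT USAGE ON SEQUENCE client_notes_id_seq TO app_user;

-- Request for practice A (constructed IDs). SET LOCAL scopes the role and the
-- tenant context to this transaction, so neither leaks across pooled connections.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.practice_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO client_notes (practice_id, body)
VALUES ('11111111-1111-1111-1111-111111111111', 'constructed note for practice A');
COMMIT;

-- Request for practice B: same query text, different tenant context.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.practice_id = '22222222-2222-2222-2222-222222222222';
SELECT id, body FROM client_notes;      -- RLS hides practice A's row from this session
-- An INSERT here carrying practice A's ID would be rejected by WITH CHECK.
COMMIT;
```

When reviewing a setup like this, confirm that the application never connects as a superuser or a `BYPASSRLS` role, and that every table holding tenant data has both `ENABLE` and `FORCE` set.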

3. Passwordless Authentication

Passwords are the #1 attack vector for software breaches. Where possible, DoulaOS defaults to "Magic Links". By clicking a link containing a high-entropy, short-lived security token sent directly to your verified email inbox, you authenticate without ever giving hackers a password to guess, steal, or brute-force.

For clients (Mamas) generating accounts on behalf of their doula, session handling and middleware redirects help keep practitioner and client portal routing separate.

4. Action Logging & DDoS Protection

Audit Trails: Sensitive operations inside DoulaOS (e.g., inviting a new doula partner to your multi-practitioner clinic, or processing a Stripe payment) trigger immutable audit log entries recording the event timestamp, the actor ID, and the metadata context.

Edge Network Protection: DoulaOS is deployed atop Vercel's global edge network. Before malicious traffic ever reaches our servers, it is scrubbed, rate-limited, and intercepted by enterprise-grade DDoS mitigation protocols.

5. HIPAA and BAA Status

DoulaOS is designed with privacy-conscious workflows, secure authentication, and tenant-aware data controls. DoulaOS is not currently represented as a HIPAA-compliant covered entity.

Business Associate Agreements (BAAs) are not currently offered. Doulas and organizations with HIPAA obligations should evaluate DoulaOS with their own compliance advisors before storing regulated health information.

6. Vulnerability Disclosures

If you are a security researcher and believe you have discovered a vulnerability within the DoulaOS application boundaries or API, we ask that you immediately disclose it to our engineering team rather than publishing it.

Contact: support@doula-os.com