1. Encryption Standards
In Transit: All data moving between your browser and DoulaOS is encrypted using modern Transport Layer Security (TLS 1.3 / HTTPS). This prevents "man-in-the-middle" snooping over public Wi-Fi.
At Rest: All database clusters, uploaded documents, client birth plans, and logs, whether in live storage or in backups, are encrypted with AES-256 on our cloud providers (AWS/Supabase architectures).
2. Bulletproof Data Isolation
DoulaOS utilizes strong multi-tenancy rules enforced at the deepest database level: Postgres Row Level Security (RLS).
- The "Tenant Wall": Every client, intake form, and private note is stamped with an immutable ID belonging to your specific practice.
- Database Enforcement: Rather than relying solely on the application code to hide data, the Postgres database itself applies the rule to every query: rows outside your practice ID are not returned, and writes that target them are rejected.
- Even if a software bug occurs, the database engine guarantees that a doula in Practice A can never read the client files of Practice B.
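The database-enforced tenant wall described above, written as plain Postgres policy DDL. This is an added example, not DoulaOS's schema: the `clients` table, the `app_user` role and the `app.practice_id` setting are hypothetical names, the UUIDs are constructed sample values, and it assumes a superuser session in a scratch database.

```sql
-- Added example; table, role and setting names are hypothetical.
BEGIN;

CREATE ROLE app_user NOLOGIN;        -- non-owner role the application queries as

CREATE TABLE clients (
    practice_id uuid NOT NULL,       -- the tenant stamp on every row
    full_name   text NOT NULL
);
GRANT SELECT, INSERT, UPDATE, DELETE ON clients TO app_user;

-- Policies have no effect until RLS is enabled on the table.
ALTER TABLE clients ENABLE ROW LEVEL SECURITY;
-- Table owners skip RLS by default; FORCE applies it to the owner as well.
ALTER TABLE clients FORCE ROW LEVEL SECURITY;

-- USING decides which existing rows a statement can see or touch.
-- WITH CHECK decides which new or updated rows may be written, so a row
-- cannot be created in, or moved into, another practice.
-- An unset or empty setting yields NULL, which matches no row (fail closed).
CREATE POLICY tenant_isolation ON clients
    FOR ALL TO app_user
    USING      (practice_id = nullif(current_setting('app.practice_id', true), '')::uuid)
    WITH CHECK (practice_id = nullif(current_setting('app.practice_id', true), '')::uuid);

SET LOCAL ROLE app_user;

-- Practice A's request (third argument true = scoped to this transaction).
SELECT set_config('app.practice_id', '11111111-1111-1111-1111-111111111111', true);
INSERT INTO clients VALUES ('11111111-1111-1111-1111-111111111111', 'Client of A');

-- Practice B's request.
SELECT set_config('app.practice_id', '22222222-2222-2222-2222-222222222222', true);
INSERT INTO clients VALUES ('22222222-2222-2222-2222-222222222222', 'Client of B');

-- No WHERE clause, as a buggy application query might look:
-- the USING clause still limits the scan to Practice B's rows.
SELECT practice_id, full_name FROM clients;

-- Practice A's row is outside USING, so this UPDATE has nothing to match.
UPDATE clients SET full_name = 'changed'
 WHERE practice_id = '11111111-1111-1111-1111-111111111111';

-- Writing a row stamped for Practice A while scoped to B violates WITH CHECK.
INSERT INTO clients VALUES ('11111111-1111-1111-1111-111111111111', 'Forged');

ROLLBACK;
```

The isolation holds only while the application role is neither the table owner without `FORCE`, a superuser, nor a role with `BYPASSRLS`. With pooled connections, set the tenant value per transaction as shown so it cannot carry over to the next request on the same connection.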
3. Passwordless Authentication
Passwords are the #1 attack vector for software breaches. Where possible, DoulaOS defaults to "Magic Links". By clicking a link that carries a high-entropy, short-lived security token, sent directly to your verified email inbox, you authenticate without ever giving hackers a password to guess, steal, or brute-force.
For clients (Mamas) generating accounts on behalf of their doula, strict session timers and middleware redirects guarantee secure portal routing without overlap between Practitioner interfaces and the Client Den.
4. Action Logging & DDoS Protection
Audit Trails: Sensitive operations inside DoulaOS (e.g., inviting a new doula partner to your multi-practitioner clinic, or processing a Stripe payment) trigger immutable audit log entries recording the event timestamp, the actor ID, and the metadata context.
Edge Network Protection: DoulaOS is deployed atop Vercel's global edge network. Before malicious traffic ever reaches our servers, it is scrubbed, rate-limited, and intercepted by enterprise-grade DDoS mitigation protocols.
5. Vulnerability Disclosures
If you are a security researcher and believe you have discovered a vulnerability within the DoulaOS application boundaries or API, we ask that you immediately disclose it to our engineering team rather than publishing it publicly.
Contact: security@doula-os.com