Trust & Security
DoCPR.com is built on enterprise-grade infrastructure with multiple layers of security. Here is everything we do to keep your data safe.
Infrastructure & Hosting
We stand on the shoulders of certified giants.
Compliance certifications are maintained by our infrastructure providers and are available upon request. Third-party audit reports for Supabase, Vercel, and Stripe are published on their respective trust pages.
Encryption
Your data is encrypted everywhere it travels and everywhere it lives.
- In transit: All connections use TLS 1.2+ (TLS 1.3 preferred). HTTP traffic is automatically redirected to HTTPS. We target an SSL Labs A rating.
- At rest: Database volumes are encrypted at rest using AES-256 by Supabase's managed infrastructure on AWS.
- Payment data: DoCPR.com never stores credit card numbers. Stripe tokenizes all card data. Our PCI DSS scope is limited to SAQ A (redirect/iframe model).
- Passwords: User passwords are hashed with bcrypt by Supabase Auth and never stored in plaintext.
- Secrets: API keys and credentials are stored as environment variables, never committed to source code.
Access Control & Privacy
We limit who can see what — at the database level, not just the application level.
- Row-Level Security (RLS): Supabase enforces tenant isolation at the database level. Policies are keyed to the authenticated user's identity, so a student or admin from one training organization cannot read or modify data belonging to another, even when presenting a valid session token and even if the application layer asked for it.
- Role-based permissions: System admins, tenant admins, supervisors, instructors, and students each have distinct access scopes. Permissions are enforced both in application logic and at the database level.
- Audit trail: All admin actions are logged with a timestamp, user ID, and action type. Logs are available to tenant admins at Admin → Reports → Audit Trail.
- We never sell your data. Student records, booking history, and certification data are used solely to operate the platform. We do not sell or share data with third-party advertisers.
- Data location: All data is stored in the United States (AWS us-east-1). We do not transfer personal data outside the US.
Security Practices
Security is built in, not bolted on.
- OWASP Top 10 protections: Input validation, parameterized queries (no SQL built from string concatenation), HTML-escaped output, CSRF tokens on state-changing actions, and Content-Security-Policy headers.
- Automated security testing: Our test suite (6,800+ automated tests) includes tests for authentication, authorization, and data isolation. Tests run on every code change before deployment.
- Dependency management: Dependencies are monitored for known vulnerabilities. Critical security patches are applied promptly.
- Webhook security: All outbound webhooks are signed with HMAC-SHA256 so receivers can verify origin and integrity. Inbound webhooks (Stripe, Twilio, Mailgun) are verified by signature against the raw request body before any processing occurs.
- Rate limiting: Public endpoints are rate-limited to prevent abuse and brute-force attacks.
Compliance
What applies to DoCPR.com and what does not.
| Framework | Status | Notes |
|---|---|---|
| PCI DSS | SAQ A Eligible | Card data handled entirely by Stripe (Level 1 PCI certified). DoCPR.com qualifies for the simplest SAQ A self-assessment. |
| HIPAA | Not applicable | CPR training records (name, email, certification date) are not Protected Health Information (PHI) under HIPAA. HIPAA governs medical records — training certifications are occupational/safety records. |
| CCPA (California) | Compliant | Covered in our Privacy Policy. Users may request data deletion or a copy of their data. Contact privacy@docpr.com. |
| GDPR | US-focused | Platform is US-based and targets US customers. We apply GDPR principles (data minimization, right of erasure) as best practice. |
| SOC 2 | Planned | DoCPR.com itself does not yet hold a SOC 2 report. Our infrastructure providers (Supabase, Vercel) are SOC 2 Type II certified. We plan to pursue our own SOC 2 Type I report as the business scales. |
| WCAG 2.1 AA | In progress | We design for accessibility and perform automated audits. A formal WCAG 2.1 AA audit is on our roadmap. |
Report a Security Issue
If you discover a security vulnerability, please let us know immediately at security@docpr.com. We take all reports seriously and respond promptly.
Last reviewed: March 2026 — Questions? security@docpr.com