Bookwell handles protected health information (PHI) for independent practices. We treat security as a product requirement, not a checkbox. This page describes the controls in place today and the standards we hold ourselves to. If you need specifics for a vendor assessment, email security@trybookwell.com and we will respond with documentation.
All data in transit is encrypted with TLS 1.2 or higher. Data at rest — patient records, attachments, message history — is encrypted using AES-256. Database backups are encrypted with the same standard and stored in an isolated environment.
Access to production systems is restricted to a small number of engineers, gated by multi-factor authentication and scoped by role. Every administrative action against patient data is written to an append-only audit log. Within your practice account, staff permissions are role-based: front-desk, clinician, and owner roles see only what their role requires.
Bookwell runs on hardened cloud infrastructure with network isolation between application, database, and backup tiers. Production data is logically separated per practice. We do not run patient data through third-party analytics or advertising tooling.
Bookwell is built to be HIPAA-aligned: we sign Business Associate Agreements (BAAs) with practices on paid plans, minimise the PHI we collect, and design data flows around the minimum-necessary principle. We support GDPR data-subject requests for practices operating in the EU/UK.
Where the marketing site references SOC 2, this reflects the control framework we operate against. A formal third-party attestation report is available to qualified prospects under NDA at the stage it applies to your procurement — ask security@trybookwell.com for current status before relying on it contractually.
If you believe you have found a security issue, email security@trybookwell.com with steps to reproduce. We acknowledge reports within 2 business days and do not pursue good-faith researchers who follow responsible disclosure.