Book a Demo

Trust

Security at Chatbookr

How we protect the conversations between your clinic and your patients — by design, by default, and every day after.

Where your data lives

Production data is hosted in the European Union on infrastructure provided by tier-one cloud providers. Backups stay in the EU. We don't move customer data outside the EU except where a subprocessor requires it for the service to function — in which case we rely on Standard Contractual Clauses or another valid GDPR transfer mechanism.

Encryption

  • In transit: all connections use TLS 1.2 or higher.
  • At rest: data at rest is encrypted with AES-256.
  • Backups: encrypted at rest with separate key material.
  • Secrets: credentials and API keys live in a managed secrets store, never in source code.

Access control

  • Role-based access control inside every clinic workspace. Each user sees only what their role requires.
  • Two-factor authentication is available for every Chatbookr account.
  • Internal access to production systems is restricted to a small group of engineers, requires hardware-key MFA, and is logged.
  • We follow the principle of least privilege — most engineers never need access to customer data, and don't have it.

WhatsApp and Google integrations

We use the official WhatsApp Business API through Meta's cloud, not unofficial scraping libraries. Google Calendar is accessed via standard OAuth 2.0 with the minimum scopes needed to read availability and create or update bookings.

You can disconnect either integration at any time. Disconnection revokes our tokens immediately.

Patient data

Chatbookr is a data processor for patient conversations — the clinic is the data controller. We don't store medical records. Conversation history is retained according to the clinic's own retention policy and deleted on instruction.

Subprocessors

We use a small list of subprocessors to run the service. Each one is contractually bound to GDPR-aligned standards. The current list is available on request to existing customers and under NDA to prospects.

Vulnerability management

  • Dependencies are scanned automatically on every commit.
  • Critical vulnerabilities are patched on a defined timeline; we'll publish that timeline as part of our SLA.
  • External penetration tests are run on a regular cadence by independent third parties.

Monitoring and audit logging

  • Production access and admin actions are logged.
  • Logs are retained for a defined period and are tamper-resistant.
  • Anomalous activity triggers alerts to our on-call engineers.

Incident response

If a security incident affects your data, we will notify you without undue delay and in any case within the GDPR-required 72-hour window for reportable breaches. Notifications include what happened, what data was affected, what we've done about it, and what you should do next.

Backups and disaster recovery

  • Customer data is backed up daily.
  • Backups are tested on a defined cadence.
  • We have a documented disaster recovery plan with target RPO and RTO.

Compliance

Chatbookr operates under EU GDPR. We are working towards a recognised security certification (e.g. ISO/IEC 27001 or SOC 2). Once it's in place, we'll update this page. In the meantime, we're happy to walk customers and prospects through our practices on a security review call.

Responsible disclosure

If you believe you've found a security issue in Chatbookr, please email security@chatbookr.com. We'll acknowledge your report within 2 business days and work with you on a fix. We won't pursue legal action against researchers who follow responsible disclosure.

Questions?

Talk to us. Email security@chatbookr.com for security reviews, due diligence questionnaires, or a copy of our DPA. For everything else, see contact.