Security and privacy

We treat data like clinical data.

No vague promises. Here is exactly what we do, how we do it, and how it can be audited.

Technical controls

Encryption in transit

TLS 1.3 across all traffic. HSTS enforced on public domains to prevent HTTP downgrade.

Rotating sessions

Short-lived access tokens (15 min) and rotating refresh tokens. You can log out from any device from your account.

Workspace segregation

Each practice or clinic runs in a logically isolated space. No practice can read another's data.

Signed file URLs

Clinical photos and documents are accessible only through signed URLs with short TTLs (5 min).

Action audit trail

Immutable logs for creates, changes, and deletes on sensitive data. Exportable by admin users.

Periodic backups

Automatic daily database backups and weekly file backups. Restore drills are run monthly.

Encryption at rest

Databases and file buckets are encrypted at rest with AES-256.

Role-based access control

Granular RBAC: owner, nutritionist, assistant, auditor. Permissions separated by resource.

Data portability

Full data export in open formats (CSV/JSON) at any time.

Compliance

LFPDPPP (Mexico)

Designed in line with Mexico's Federal Law on the Protection of Personal Data Held by Private Parties. Privacy notice published, ARCO procedures available, designated data controller.

NOM-004-SSA3-2012

Our electronic clinical chart follows integrity, availability, and confidentiality principles. Minimum 5-year retention as professional-support software.

DPA clauses

We provide Data Processing Agreements (DPA) for clinics that require them, with clauses equivalent to GDPR.

Infrastructure

Hosted on European/US VPS providers with at-rest encryption, daily backups, and periodic restore drills. We do not use services that require sharing clinical data with third parties for model training.

Incident reporting

If you suspect a security incident or have found a vulnerability, write to security@nutriasoft.com. We respond in under 24 business hours. We value responsible disclosure and can coordinate disclosure when needed.

Severity levels

  • Critical (P0): immediate response, fix, and communication in 24–72h.
  • High (P1): fix within 7 days, disclosure within 14 days.
  • Medium/Low (P2–P3): handled in the next release.

Breach notification

If a breach affects personal data, we notify affected users within 72 hours of detection and notify authorities when required under LFPDPPP.

Does your clinic need a DPA?

We sign Data Processing Agreements for Clinic customers. Contact us.
