Compliance, without the theatrics.

We are registered as a Data Fiduciary under India's Digital Personal Data Protection Act. Our DPO is a qualified attorney and is contactable at privacy@docfriends.co. Data residency is ap-south-1 (Mumbai) by default; cross-border transfer requires explicit consent.

For clients in the EU and UK, we operate as a Data Controller under Article 4(7) GDPR and offer Standard Contractual Clauses for international transfers. EU clients can request EU-only residency at intake.

Subject Access Requests are honoured within 30 days, free of charge. Right to erasure ("right to be forgotten") is supported with one exception: audit logs and billing records are retained for the legally-required minimum.

For US clients, DocFriends operates as a Business Associate when handling Protected Health Information (PHI). We execute Business Associate Agreements with US healthcare providers on request. Our infrastructure (AWS ap-south-1 / us-east-1) is HIPAA-eligible and we maintain a SOC 2 Type II report (available under NDA).

Every doctor on our network is registered with their relevant medical council (NMC in India, GMC in the UK, ABMS-certified in the US, MOH in Singapore). We verify board status annually and publish the verification dates on each doctor profile.

DocFriends itself does not practice medicine. We facilitate written specialist reviews; we do not diagnose, prescribe, or replace your treating doctor.

We engage an external InfoSec auditor annually for penetration testing and a separate clinical-quality auditor for opinion-quality review on a random sample of completed cases. Findings are summarised in our quarterly transparency report (request: hello@docfriends.co).

DocFriends carries professional indemnity and cyber-liability cover via Marsh India. Doctors on our network carry their own indemnity (we verify at onboarding) and are additionally covered under our umbrella policy for work performed via the platform.