Legal document
Security statement
Last updated:
Uli treats security as a prerequisite, not an option. This page summarises the technical and organisational measures in place to protect the data managed through the Uli platform.
1. Encryption
- In transit: all communications between the browser and our servers are encrypted with TLS 1.2 or higher. Plain HTTP connections are automatically redirected to HTTPS.
- At rest: databases and backups are stored on encrypted volumes. Application secrets (tokens, keys) are managed in a dedicated vault and are never committed to version control.
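As an illustration of the transport-layer commitments above (added here; not Uli's own configuration, which the page does not publish), the following nginx server blocks redirect every plain HTTP request, refuse anything older than TLS 1.2 and instruct browsers to stay on HTTPS. The hostname, certificate paths and backend address are placeholders.

```nginx
# Plain HTTP: serve nothing except a permanent redirect to HTTPS.
server {
    listen 80;
    server_name app.example.invalid;          # placeholder hostname
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name app.example.invalid;          # placeholder hostname

    ssl_certificate     /etc/ssl/app.pem;     # placeholder paths
    ssl_certificate_key /etc/ssl/app.key;

    # Only TLS 1.2 and 1.3 are negotiated; TLS 1.0/1.1 handshakes are refused.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # HSTS: browsers that have seen this header will not attempt plain HTTP
    # for this host for one year, even if a user types http://.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        proxy_pass http://127.0.0.1:3000;     # placeholder application backend
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Host $host;
    }
}
```

To verify the protocol floor from outside, `openssl s_client -connect app.example.invalid:443 -tls1_1` should fail to complete a handshake while `-tls1_2` succeeds, and `curl -I http://app.example.invalid/` should return a 301 to the https:// URL.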
2. Authentication and access management
- Access to the platform requires an email address and password; after sign-in, an authentication token is used, transmitted only over an encrypted channel.
- Passwords are stored as a salted hash (bcrypt / argon2) and are never accessible in cleartext.
- Sessions expire after a period of inactivity and may be revoked at any time.
- Phone number verification is offered to reinforce confidence in the user account.
3. Fine-grained access control (RBAC)
The platform relies on a system of roles and fine-grained permissions:
- each sensitive action (read, create, modify, delete, role assignment) is governed by a dedicated permission;
- pages and features enforce permissions on the server side, not only in the user interface;
- the principle of least privilege is applied;
- permissions may be individually overridden (Business plan) to meet specific needs without duplicating roles.
4. Data isolation between clinics
Each clinic has its own isolated logical space. Data access queries are systematically filtered by the clinic identifier of the authenticated user, which prevents any cross-clinic access.
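The two controls described in sections 3 and 4, server-side permission checks and clinic-scoped queries, are easiest to see side by side in code. The example below is added for illustration and is not Uli's code; the schema, roles, permission names and sample rows are all constructed for it. It contrasts an IDOR-prone lookup that trusts a client-supplied id with the hardened form, where the clinic identifier comes from the authenticated principal and is part of every SELECT and DELETE, and where a per-user override grants a permission the role alone lacks.

```python
import sqlite3
from dataclasses import dataclass

# Hypothetical schema and sample data, constructed for this example.
SCHEMA = """
CREATE TABLE appointments (
    id         INTEGER PRIMARY KEY,
    clinic_id  INTEGER NOT NULL,
    patient    TEXT    NOT NULL,
    starts_at  TEXT    NOT NULL
);
"""
SAMPLE_APPOINTMENTS = [
    (1, 1, "patient A", "2024-05-02T09:00"),   # clinic 1
    (2, 2, "patient B", "2024-05-02T09:30"),   # clinic 2
    (3, 1, "patient C", "2024-05-02T10:00"),   # clinic 1
]

# Role -> permission set. Each sensitive action has its own permission.
ROLE_PERMISSIONS = {
    "receptionist": {"appointment:read", "appointment:create"},
    "manager": {"appointment:read", "appointment:create", "appointment:update",
                "appointment:delete", "role:assign"},
}


class Forbidden(Exception):
    """Caller lacks the permission required for the action."""


class NotFound(Exception):
    """Record absent OR outside the caller's clinic: indistinguishable on purpose."""


@dataclass(frozen=True)
class Principal:
    """The authenticated user, as established server-side from the session token."""
    user_id: int
    clinic_id: int
    role: str
    overrides: frozenset = frozenset()   # individual extra grants on top of the role

    def has(self, permission: str) -> bool:
        return permission in ROLE_PERMISSIONS.get(self.role, set()) or permission in self.overrides


def connect() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO appointments VALUES (?, ?, ?, ?)", SAMPLE_APPOINTMENTS)
    conn.commit()
    return conn


def get_appointment_unsafe(conn: sqlite3.Connection, appointment_id: int) -> dict:
    """IDOR-prone: trusts the client-supplied id and applies neither a permission
    check nor a clinic filter, so any caller can read any clinic's appointment."""
    row = conn.execute("SELECT * FROM appointments WHERE id = ?", (appointment_id,)).fetchone()
    if row is None:
        raise NotFound(appointment_id)
    return dict(row)


def get_appointment(conn: sqlite3.Connection, caller: Principal, appointment_id: int) -> dict:
    """Hardened: permission enforced server-side, and clinic_id comes from the
    authenticated principal, never from the request."""
    if not caller.has("appointment:read"):
        raise Forbidden("appointment:read")
    row = conn.execute(
        "SELECT * FROM appointments WHERE id = ? AND clinic_id = ?",
        (appointment_id, caller.clinic_id),
    ).fetchone()
    if row is None:            # missing and foreign rows get the same answer
        raise NotFound(appointment_id)
    return dict(row)


def list_appointments(conn: sqlite3.Connection, caller: Principal) -> list:
    """List endpoints are where tenant filters are most often forgotten."""
    if not caller.has("appointment:read"):
        raise Forbidden("appointment:read")
    rows = conn.execute(
        "SELECT * FROM appointments WHERE clinic_id = ? ORDER BY id", (caller.clinic_id,)
    ).fetchall()
    return [dict(r) for r in rows]


def delete_appointment(conn: sqlite3.Connection, caller: Principal, appointment_id: int) -> bool:
    """Same pattern for a write: the clinic filter is part of the DELETE itself."""
    if not caller.has("appointment:delete"):
        raise Forbidden("appointment:delete")
    cur = conn.execute(
        "DELETE FROM appointments WHERE id = ? AND clinic_id = ?",
        (appointment_id, caller.clinic_id),
    )
    conn.commit()
    return cur.rowcount == 1   # False when the row belongs to another clinic
```

Two design points are worth keeping in mind when reviewing real handlers against this pattern: the clinic identifier must never be accepted from the request body or query string, and a row outside the caller's clinic should produce the same "not found" response as a row that does not exist, so that ids cannot be enumerated across clinics.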
5. Logging and audit
- Sign-ins, authentication failures and sensitive actions are logged.
- Logs are retained for a maximum of twelve (12) months, in a security perimeter separate from the application data.
- The appointment history can be consulted from the interface for clinical audit purposes.
- The full audit history is exportable on the Clinic's request.
6. Backups and continuity
- Automatic encrypted backups, on a daily basis.
- Backup retention compliant with the retention policy (thirty days maximum).
- Periodic restore tests to ensure the integrity of the backups.
7. Hosting and subprocessors
Uli uses hosting and delivery providers selected for their compliance with security standards. The up-to-date list appears in the Data Processing Agreement.
8. Secure development
- Mandatory code review before any production release.
- Automatic dependency analysis to detect known vulnerabilities.
- Separate environments (development, staging, production) and segregated secrets.
- Protection against the common OWASP Top 10 attack classes (XSS, CSRF, injection, IDOR).
9. Incident management
In the event of a security incident or confirmed data breach, Uli undertakes to:
- contain the incident and preserve evidence;
- notify the affected Clinic without undue delay, and in any event within 72 hours;
- cooperate with the Clinic for any report to the supervisory authority;
- conduct a post-incident analysis and update preventive measures.
10. Responsible disclosure programme
Security researchers identifying a vulnerability are invited to report it to us confidentially at security@ouli.tech. We commit to acknowledging receipt within 72 hours and not to pursue researchers acting in good faith.
11. Contact
Uli security team: security@ouli.tech.