Security Policy

Effective Date: March 23, 2026

Last Updated: March 23, 2026

This Security Policy (the “Policy”) describes the administrative, technical, and organizational safeguards implemented by DirectOD, together with its affiliates and subsidiaries (“DirectOD,” “we,” “our,” or “us”), in connection with its website located at https://directod.com, including all associated subdomains, applications, portals, and related services (collectively, the “Platform”).

This Policy is provided for informational purposes only and does not create contractual obligations or guarantees regarding specific security measures or outcomes. By accessing or using the Platform, you acknowledge and agree to the practices described herein.

1. Security Program Overview

DirectOD maintains a security program designed to protect the confidentiality, integrity, and availability of information processed through the Platform. This program is based on commercially reasonable practices consistent with industry standards applicable to software-as-a-service platforms.

DirectOD’s security approach incorporates a combination of internal safeguards and reliance on established third-party infrastructure and service providers. While DirectOD takes reasonable steps to protect information, no system can be guaranteed to be completely secure, and DirectOD expressly disclaims any representation or warranty of absolute security.

2. Third-Party Infrastructure and Platform Dependencies

The Platform relies in part on third-party software, infrastructure, and service providers to deliver core functionality, including customer relationship management, data storage, communications, and workflow automation services. These providers may include, without limitation, cloud-based service providers.

Such third-party providers maintain their own independent security programs, controls, and certifications. DirectOD selects these providers based on industry reputation and operational reliability; however, DirectOD does not control and is not responsible for the security practices, systems, or infrastructure of such third parties.

By using the Platform, you acknowledge and agree that certain data may be processed, stored, or transmitted through third-party systems that are outside of DirectOD’s direct control. DirectOD expressly disclaims any liability arising from the acts, omissions, failures, or security incidents of such third-party providers.

3. Shared Responsibility Model

Security of the Platform operates under a shared responsibility framework. DirectOD is responsible for maintaining the security of the application layer, internal access controls, and systems under its direct control.

Users, including practices and administrators, are solely responsible for maintaining the security of their own devices, login credentials, internal systems, and any data they input, manage, or distribute through the Platform. This includes implementing appropriate password practices, restricting unauthorized access, and ensuring that their internal workflows comply with applicable security standards.

DirectOD shall not be responsible for any security incident resulting from user negligence, compromised credentials, insecure endpoints, or failure to implement appropriate safeguards within the user’s own environment.

4. Administrative Safeguards

DirectOD implements administrative safeguards designed to manage risk and control access to systems and data. These safeguards include internal policies governing data access, confidentiality obligations for personnel, and role-based access controls that limit access to authorized individuals with a legitimate business need.

Access privileges are periodically reviewed and are promptly revoked upon termination of employment or change in role.

5. Technical Safeguards

DirectOD utilizes technical controls designed to protect information against unauthorized access, disclosure, alteration, or destruction. These measures may include encryption of data in transit, authentication and authorization mechanisms, system monitoring, and logging of access and activity.

To the extent data is processed through third-party systems, such systems may apply additional layers of security controls, including encryption, redundancy, and access restrictions, as determined by those providers.

DirectOD does not guarantee that any technical safeguards will prevent all security incidents or vulnerabilities.

6. Data Handling and Access Controls

DirectOD employs logical access controls designed to restrict access to data based on role and necessity. Data is accessed only by authorized personnel for purposes including system operation, support, maintenance, and compliance with legal obligations.

DirectOD does not access or use user data beyond what is reasonably necessary to provide services or fulfill operational requirements.

7. Payment Security

Payment-related functionality within the Platform is facilitated through independent third-party payment processors. DirectOD does not store full payment card numbers, bank account details, or other sensitive financial credentials within its systems.

All payment information is subject to the security practices of the applicable payment processor. DirectOD disclaims any responsibility or liability for the security, performance, or compliance of such third-party payment systems.

8. Monitoring and Incident Response

DirectOD maintains monitoring practices designed to identify potential security events, including unauthorized access attempts and abnormal system behavior. In the event of a suspected incident, DirectOD will take commercially reasonable steps to investigate, mitigate, and remediate the issue.

Where required by applicable law, DirectOD will provide notice of confirmed data breaches in accordance with legal obligations. DirectOD does not warrant or guarantee the detection or prevention of all incidents.

9. Data Retention and Disposal

DirectOD retains data only for as long as necessary to provide services, comply with legal obligations, and support legitimate business operations. When data is no longer required, DirectOD implements commercially reasonable measures to delete or anonymize such data.

Retention timelines may vary depending on the nature of the data and applicable regulatory requirements.

10. Compliance and Regulatory Positioning

DirectOD’s security practices are designed to align with general industry standards; however, DirectOD does not represent or warrant compliance with any specific regulatory framework, including but not limited to HIPAA, unless expressly agreed to in a separate written agreement.

Participating practices are solely responsible for ensuring that their use of the Platform complies with all applicable laws and regulations governing their operations.

11. Limitations and Disclaimer

This Policy describes general security practices and is not intended to serve as a comprehensive or exhaustive description of all safeguards employed by DirectOD or its service providers.

To the fullest extent permitted by law, DirectOD disclaims all liability for any unauthorized access, data breach, loss, or corruption of data, including incidents arising from third-party systems, user actions, or circumstances beyond DirectOD’s reasonable control.

DirectOD reserves the right to modify its security practices at any time without prior notice.

12. Changes to This Policy

DirectOD reserves the right to update or modify this Security Policy at any time in its sole discretion. Any changes will become effective upon posting to the Platform, and the “Last Updated” date will be updated accordingly.

Continued use of the Platform constitutes acceptance of the revised Policy.

13. Contact Information

DirectOD

Email: info@directod.com

Subject Line: ATTN: SECURITY INQUIRY

2026 DirectOD™. All rights reserved. #1010 2321 Sir Barton Way Suite 140, Lexington, KY 40509 US