Trust & Security

Healthcare-grade security, engineered from day one.

Patient records are the most sensitive data a clinic holds. Every layer of The Clinic — from the database row up to the copilot prompt — is built on the assumption that a breach is unacceptable.

Compliance

Every framework your compliance team asks for.

We map our controls to the frameworks clinics actually get audited against, not just the ones that look good on a badge.

  • HIPAA

    Covered-entity-ready. Full BAA on request, every access signed and audited for seven years.

  • SOC 2 Type II

    Independently audited controls across security, availability, and confidentiality. Latest report on request.

  • GDPR

    Lawful bases documented, DSR tooling in-product, DPA signed with every clinic, EU data residency.

  • ISO 27001

    Information Security Management System aligned to Annex A controls. Certification in progress, Q3 2026.

  • HITRUST

    Control alignment mapped to HITRUST CSF v11. r2 assessment scheduled for the end of 2026.

  • PCI DSS

    Card data never touches our infrastructure — tokenized via Stripe and Tap, audited quarterly.

The four pillars

Defense, layered at every level of the stack.

Data encryption

  • AES-256 encryption at rest across every Postgres cluster and object store
  • TLS 1.3 in transit with HSTS preloading and modern cipher suites only
  • Envelope encryption with per-clinic data keys, rotated quarterly
  • Customer-managed keys (BYOK) available on enterprise tier

Access control

  • Role-based permissions across 10 clinical roles, enforced in every API route
  • Mandatory SSO (SAML / OIDC) and enforced MFA for all staff accounts
  • Least-privilege IAM for infrastructure, reviewed monthly
  • Just-in-time production access with full session recording

Tenant isolation

  • Postgres Row-Level Security policies enforced at the database layer
  • Tenant context propagated via AsyncLocalStorage on every request
  • Prisma extension blocks any cross-tenant write at the ORM layer
  • Continuous tenancy self-tests run in CI and on every deploy

Audit & monitoring

  • Every read and write of PHI written to an immutable signed audit log
  • 7-year retention, exportable to your SIEM or compliance team on demand
  • 24/7 anomaly detection on auth, access, and data export patterns
  • Quarterly access reviews and automated offboarding workflows

Architecture

Multi-tenant isolation, verified three ways.

Every request flows through three independent enforcement layers before it can touch a patient record. A bug in any one of them is caught by the other two.

  • Application. JWT claims resolve a tenant ID, stored in an AsyncLocalStorage context for the life of the request.
  • ORM. A Prisma extension injects the tenant filter on every read and rejects any cross-tenant write at query time, before the statement reaches the database.
  • Database. Postgres Row-Level Security enforces the same boundary at the storage layer — a misbehaving app cannot bypass it.
[Diagram: a request's path through the three enforcement layers]

  Clinician request (JWT + clinicId)
    → Layer 1, auth middleware: resolves tenant, sets AsyncLocalStorage context
    → Layer 2, Prisma tenant extension: injects WHERE clinicId, blocks cross-tenant writes
    → Layer 3, Postgres RLS: row-level policies gate every SELECT and UPDATE
    → Encrypted clinic data (AES-256, per-tenant keys)

  AES-256 at rest · TLS 1.3 in transit · Per-clinic keys

Incident response

A 24/7 on-call rotation, a documented runbook, and a published SLA. Every incident ends with a root-cause post-mortem shared with affected clinics.

  • Critical: initial response under 1 hour, 24/7
  • High: initial response under 4 hours, on business days
  • Post-mortem: under 5 days, shared with affected clinics

Vulnerability disclosure

We run a coordinated disclosure program with safe-harbor language for good-faith researchers, and a bug bounty for reproducible findings.

  • Published security.txt with escalation path and PGP key
  • Bug bounty paid per severity, credited publicly
  • Safe-harbor clause for good-faith research
  • Acknowledgement within one business day

Data residency

Your data stays where the law says it should.

Choose your region at signup. Enterprise clinics can bring their own KMS keys; we never hold the master key.

  • GCC

    Bahrain

    Primary residency for Gulf clinics. Data never leaves the region.

  • EU

    Frankfurt

    GDPR-native residency for European deployments with EU-only processing.

  • US

    Virginia

    HIPAA-aligned region for US clinics, with cross-region disaster recovery.

Bring your own KMS keys

Enterprise clinics can wrap the per-tenant data keys with keys held in their own AWS KMS, Azure Key Vault, or GCP KMS. Revoking that key in their own KMS leaves the wrapped data keys, and so the data, undecryptable to us: a hard off-switch the clinic can throw at any time.

Ready to try The Clinic?

Watch it run your clinic in thirty minutes.

Book a tailored demo. We'll use your clinic's real workflow, not a generic tour.

No credit card. No slide deck. Thirty minutes.