Healthcare-grade security, engineered from day one.
Patient records are the most sensitive data a clinic holds. Every layer of The Clinic — from the database row up to the copilot prompt — is built on the assumption that a breach is unacceptable.
- HIPAA
- SOC 2 Type II
- GDPR
- ISO 27001
Every framework your compliance team asks for.
We map our controls to the frameworks clinics actually get audited against, not just the ones that look good on a badge.
HIPAA
Covered-entity-ready. Full BAA on request, every access signed and audited for seven years.
SOC 2 Type II
Independently audited controls across security, availability, and confidentiality. Latest report on request.
GDPR
Lawful bases documented, DSR tooling in-product, DPA signed with every clinic, EU data residency.
ISO 27001
Information Security Management System aligned to Annex A controls. Certification in progress, Q3 2026.
HITRUST
Control alignment mapped to HITRUST CSF v11. r2 assessment scheduled for the end of 2026.
PCI DSS
Card data never touches our infrastructure — tokenized via Stripe and Tap, audited quarterly.
Defense, layered at every level of the stack.
Data encryption
- AES-256 encryption at rest across every Postgres cluster and object store
- TLS 1.3 in transit with HSTS preloading and modern cipher suites only
- Envelope encryption with per-clinic data keys, rotated quarterly
- Customer-managed keys (BYOK) available on enterprise tier
Access control
- Role-based permissions across 10 clinical roles, enforced in every API route
- Mandatory SSO (SAML / OIDC) and enforced MFA for all staff accounts
- Least-privilege IAM for infrastructure, reviewed monthly
- Just-in-time production access with full session recording
Tenant isolation
- Postgres Row-Level Security policies enforced at the database layer
- Tenant context propagated via AsyncLocalStorage on every request
- Prisma extension blocks any cross-tenant write at the ORM layer
- Continuous tenancy self-tests run in CI and on every deploy
Audit & monitoring
- Every read and write of PHI written to an immutable signed audit log
- 7-year retention, exportable to your SIEM or compliance team on demand
- 24/7 anomaly detection on auth, access, and data export patterns
- Quarterly access reviews and automated offboarding workflows
Multi-tenant isolation, verified three ways.
Every request flows through three independent enforcement layers before it can touch a patient record. A bug in any one of them is caught by the other two.
- Application. JWT claims resolve a tenant ID, stored in an AsyncLocalStorage context for the life of the request.
- ORM. A Prisma extension injects the tenant filter on every read and blocks any cross-tenant write at compile time.
- Database. Postgres Row-Level Security enforces the same boundary at the storage layer — a misbehaving app cannot bypass it.
Application: resolves tenant, sets AsyncLocalStorage context → ORM: injects WHERE clinicId, blocks cross-tenant writes → Database: row-level policies gate every SELECT and UPDATE
Incident response
A 24/7 on-call rotation, a documented runbook, and a published SLA. Every incident ends with a root-cause post-mortem shared with affected clinics.
- Critical: initial response in under 1 hour, 24/7
- High: initial response in under 4 hours, business day
- Post-mortem: shared with affected clinics within 5 days
Vulnerability disclosure
We run a coordinated disclosure program with safe-harbor language for good-faith researchers, and a bug bounty for reproducible findings.
- Published security.txt with escalation path and PGP key
- Bug bounty paid per severity, credited publicly
- Safe-harbor clause for good-faith research
- Acknowledgement within one business day
Your data stays where the law says it should.
Choose your region at signup. Enterprise clinics can bring their own KMS keys — we never hold the master.
- GCC (Bahrain): primary residency for Gulf clinics. Data never leaves the region.
- EU (Frankfurt): GDPR-native residency for European deployments with EU-only processing.
- US (Virginia): HIPAA-aligned region for US clinics, with cross-region disaster recovery.
Bring your own KMS keys
Enterprise clinics can wrap the per-tenant data keys with keys held in their own AWS KMS, Azure Key Vault, or GCP KMS — giving them a hard off-switch at any time.
Everything your compliance team needs, in one place.

Ready to try The Clinic?
See it run your clinic in 30 minutes.
Book a personalized demo. We'll use your clinic's real workflows — not a generic walkthrough.
No credit card. No slides. 30 minutes.