At Clinapse, the privacy, confidentiality, and security of Protected Health Information (PHI) are our first priority. We design, build, and audit our platform to meet or exceed the most rigorous security and data-privacy standards in modern healthcare.
HIPAA Compliant
We execute standard Business Associate Agreements (BAAs) with all of our Clients and strictly adhere to federal HIPAA security and privacy rules.
Encryption at Rest and in Transit
Sensitive data is encrypted at rest using AES-256-GCM with rotating keys, and in transit using TLS 1.2 or TLS 1.3 only; older protocol versions are refused.
SOC 2 Type II
Our operational procedures and technical controls are independently audited to ensure compliance with the AICPA Trust Services Criteria.
Our Security Controls
To secure patient records, maintain high availability, and protect independent medical practices from cybersecurity threats, Clinapse incorporates best-of-breed infrastructure defenses.
Data Protection & Tenant Isolation
Hybrid Multi-Tenancy: Tenants share the platform, but each tenant's clinical data and Protected Health Information (PHI) live in a dedicated database schema (tenant_{client_id}), so the tenant boundary is enforced by the database itself rather than only by row filters in application code.
Column-Level Cryptography: Highly sensitive fields (such as SSNs, dates of birth, clinical notes, and third-party API credentials) are encrypted at rest using industry-standard AES-256-GCM.
Data Minimization: We only collect, store, and process patient information that is strictly necessary to run your clinic optimization workflows.
Soft Deletes: Deleted records are flagged as deleted rather than physically removed, so accidental deletions remain fully auditable and recoverable. Because soft-deleted rows still contain PHI, they stay inside the same encryption and access-control boundary as live records.
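The column-level encryption item above names the primitive (AES-256-GCM) but not the two details a practitioner will ask about: where the nonce comes from, and how a ciphertext is tied to the row it belongs to. The following is an added example written for this page, not Clinapse's code. It seals one field value with a fresh random 96-bit nonce and passes the tenant, table, column and row identity as GCM additional authenticated data, so a ciphertext copied into another tenant's row or another column fails authentication on decrypt. The key, the `tenant_1001` identifier, the `patients`/`ssn` names and the helper functions are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// demoKey is a constructed 32-byte key for this example only. A real
// deployment fetches the data-encryption key from a KMS or HSM, never a
// hard-coded string, and rotates it.
var demoKey = func() []byte {
	sum := sha256.Sum256([]byte("constructed demo key, not a production secret"))
	return sum[:]
}()

// fieldAAD builds the additional authenticated data that binds a ciphertext
// to one tenant, table, column and row. GCM authenticates the AAD together
// with the ciphertext, so a value moved to another tenant's row, or to a
// different column, fails the tag check on decrypt.
func fieldAAD(tenantID, table, column string, rowID int64) []byte {
	return []byte(fmt.Sprintf("%s|%s|%s|%d", tenantID, table, column, rowID))
}

// encryptField seals one column value as nonce || ciphertext || tag, a single
// blob suitable for a binary column.
func encryptField(key, aad, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256-GCM requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block) // 96-bit nonce, 128-bit tag
	if err != nil {
		return nil, err
	}
	// A fresh random nonce on every write. Reusing a nonce under one key
	// breaks GCM completely, which is why the key is rotated long before the
	// number of writes approaches 2^32.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// decryptField opens a blob produced by encryptField. Any change to the
// nonce, ciphertext, tag or AAD yields an error rather than garbage plaintext.
func decryptField(key, aad, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	aad := fieldAAD("tenant_1001", "patients", "ssn", 42)
	blob, err := encryptField(demoKey, aad, []byte("123-45-6789"))
	if err != nil {
		panic(err)
	}
	pt, err := decryptField(demoKey, aad, blob)
	fmt.Printf("round trip: %q err=%v\n", pt, err)

	// The same blob presented as row 43: the AAD no longer matches.
	_, err = decryptField(demoKey, fieldAAD("tenant_1001", "patients", "ssn", 43), blob)
	fmt.Println("moved to another row:", err)
}
```

Two consequences follow from this design. Because each write uses a random nonce, encrypting the same SSN twice yields different blobs, so the encrypted column cannot be indexed or searched for equality; lookups on such fields need a separate keyed hash or a tokenized index. And because the AAD includes the row id, the application must know the row id before encrypting, which is why a service typically inserts the row first and updates the encrypted columns in the same transaction.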
Access Controls & Session Defense
Role-Based Access Control (RBAC): Granular permissions restrict module access (scheduling, billing, EHR integrations) strictly to authorized roles.
Multi-Factor Authentication (MFA): Mandatory MFA enforced via TOTP (Time-based One-Time Password, RFC 6238) for administrators and users accessing clinical data.
Session Expiration: Sessions are terminated after 30 minutes of inactivity and expire unconditionally 8 hours after sign-in, regardless of activity.
Password Policy: Passwords must be at least 12 characters, are stored only as Argon2id hashes, and are checked against each user's last 24 password hashes to block re-use.
Security Audits & Immutable Logging
Immutable Audit Trails: Security events, authentication logs, and patient-record access events are written to write-once, read-many (WORM) storage and retained for 7 years, so entries cannot be altered or removed after the fact.
Rate Limiting: The API gateway enforces rate limits per client, slowing brute-force credential attacks and limiting the impact of denial-of-service attempts.
Vulnerability Management: Quarterly automated vulnerability scans, supplemented by periodic external penetration tests, drive remediation of vulnerabilities in the OWASP Top 10 classes.