Legal

Security Practices

The technical and organizational measures we operate our Services under.

Last updated: 1 May 2026

Encryption

  • At rest. Narrative PHI fields are encrypted at the column level with Fernet (AES-128 + HMAC-SHA-256). Enterprise customers use AWS KMS envelope encryption — KMS only sees data keys, never PHI.
  • In transit. TLS 1.2+ with HSTS preload. Cipher suites restricted to those that provide forward secrecy.
  • Backups. Encrypted with the same KMS CMK. Cross-region replication enabled.
  • Key rotation. Versioned ciphertext with prefix-based dispatch. SECRET_KEY rotation supported via legacy-key fallback.
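The key-versioning scheme the last two bullets describe, as an added example that is not the service's own code: each ciphertext carries a `v<N>:` prefix that dispatches to the matching key in a keyring, tokens without a prefix fall back to a list of legacy keys, rows encrypted under an older version are flagged for re-encryption, and a retired version is rejected. The names (`VersionedFieldCipher`, `needs_rotation`, `legacy_keys`) are assumptions for illustration, and Fernet itself is replaced by a standard-library encrypt-then-MAC construction so the file runs without the `cryptography` package; in production the same fallback is what `cryptography.fernet.MultiFernet` provides over a list of Fernet keys.

```python
"""Versioned column encryption with prefix-based key dispatch (illustrative)."""
import base64
import hashlib
import hmac
import secrets


class InvalidToken(Exception):
    """Ciphertext failed authentication, or no key in the ring can open it."""


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive independent encryption and MAC subkeys from one stored key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stdlib-only stand-in for AES (constructed
    # for this example; the dispatch logic below is what the page describes).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _seal(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: nonce || ciphertext || tag, the same shape as a Fernet token.
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key: bytes, blob: bytes) -> bytes:
    if len(blob) < 48:
        raise InvalidToken("truncated token")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time check before decrypting
        raise InvalidToken("authentication failed")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


class VersionedFieldCipher:
    """Keyring dispatch: stored value is 'v<N>:' + base64(blob) (name assumed).

    `keys` maps version -> key; the highest version encrypts new data.
    `legacy_keys` are unversioned keys from before prefixes existed; a token
    with no prefix is tried against each of them in turn (legacy-key fallback).
    """

    def __init__(self, keys: dict, legacy_keys=()):
        if not keys:
            raise ValueError("at least one keyed version is required")
        self.keys = dict(keys)
        self.current = max(self.keys)
        self.legacy_keys = list(legacy_keys)

    def encrypt(self, plaintext: bytes) -> str:
        blob = _seal(self.keys[self.current], plaintext)
        return f"v{self.current}:" + base64.urlsafe_b64encode(blob).decode("ascii")

    def _parse(self, token: str):
        prefix, sep, body = token.partition(":")  # ':' is not a base64 character
        if sep and prefix[:1] == "v" and prefix[1:].isdigit():
            return int(prefix[1:]), base64.urlsafe_b64decode(body)
        return None, base64.urlsafe_b64decode(token)  # unversioned legacy token

    def decrypt(self, token: str) -> bytes:
        version, blob = self._parse(token)
        if version is not None:
            key = self.keys.get(version)
            if key is None:  # version removed from the ring after re-keying
                raise InvalidToken(f"key version {version} has been retired")
            return _open(key, blob)
        for key in self.legacy_keys:
            try:
                return _open(key, blob)
            except InvalidToken:
                continue
        raise InvalidToken("no legacy key opens this token")

    def needs_rotation(self, token: str) -> bool:
        return self._parse(token)[0] != self.current

    def rotate(self, token: str) -> str:
        # Re-encrypt under the current key, as a background re-keying job would.
        return self.encrypt(self.decrypt(token))


def tamper_is_detected(cipher: VersionedFieldCipher, token: str) -> bool:
    # Flip one ciphertext bit and confirm the MAC check rejects the result.
    version, blob = cipher._parse(token)
    forged = blob[:16] + bytes([blob[16] ^ 0x01]) + blob[17:]
    token = f"v{version}:" + base64.urlsafe_b64encode(forged).decode("ascii")
    try:
        cipher.decrypt(token)
    except InvalidToken:
        return True
    return False


def demo() -> dict:
    # Constructed keys for the demonstration only; real keys come from KMS.
    k_legacy, k1, k2 = (secrets.token_bytes(32) for _ in range(3))
    old = VersionedFieldCipher({1: k1}, legacy_keys=[k_legacy])
    token_v1 = old.encrypt(b"clinical note")
    legacy_token = base64.urlsafe_b64encode(_seal(k_legacy, b"old note")).decode("ascii")
    # Rotation adds v2; v1 stays in the ring so existing rows remain readable.
    new = VersionedFieldCipher({1: k1, 2: k2}, legacy_keys=[k_legacy])
    results = {
        "reads_v1_after_rotation": new.decrypt(token_v1) == b"clinical note",
        "legacy_fallback": new.decrypt(legacy_token) == b"old note",
        "v1_flagged_for_rotation": new.needs_rotation(token_v1),
        "rotated_prefix": new.rotate(token_v1)[:3],
        "tamper_detected": tamper_is_detected(new, token_v1),
    }
    retired = VersionedFieldCipher({2: k2})  # v1 dropped once every row is re-keyed
    try:
        retired.decrypt(token_v1)
        results["retired_key_rejected"] = False
    except InvalidToken:
        results["retired_key_rejected"] = True
    return results
```

The ordering matters: a new key version is added to the ring before it becomes current, every stored row is re-encrypted by `rotate` while both versions remain readable, and only then is the old version removed, at which point any row that was missed fails closed rather than decrypting under the wrong key.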

Access control

  • RBAC + per-user PermissionAssignment overrides; deny rules win.
  • MFA available for all accounts; required for platform admins.
  • Account lockout after 8 failed sign-ins (configurable).
  • Inactivity timeout enforced at the refresh path.
  • Tenant isolation enforced at the middleware AND service layer; verified by 119 automated tests.

Audit & monitoring

  • Every mutation logged via structured audit records.
  • PHI read access logged, with repeated reads inside a 60-second window coalesced into a single record.
  • Real-time error reporting via Sentry; metrics via Datadog / OpenTelemetry.
  • Alerting on auth anomalies, lockouts, and AI quota exhaustion.

Application security

  • Strict CSP, X-Frame-Options DENY, Cross-Origin-* policies locked down by default.
  • Rate limiting on auth endpoints via SlowAPI.
  • Input validation through Pydantic v2 at every boundary.
  • SQL injection prevention via SQLAlchemy 2 parameterized queries.
  • CSRF — the JWT is sent in the Authorization header rather than a cookie, so the browser never attaches it automatically and CSRF does not apply.

Software supply chain

  • Pinned dependencies with major-version ranges in requirements.txt + lockfile.
  • Daily Dependabot scans + automated security patches.
  • SCA via GitHub Advanced Security.
  • Container images built from minimal base; trivy scan on every release.

Operational security

  • Production access via SSO + MFA; audit-logged.
  • No shared credentials; everything personal.
  • Bastion-only DB access for people; application instances connect to the database directly, and only over Postgres SSL.
  • Quarterly access reviews; offboarding within 24 hours of role change.

Resilience

  • Multi-AZ Postgres with automated failover.
  • RPO ≤ 15 minutes; RTO ≤ 4 hours.
  • Quarterly DR drills with documented sign-off.
  • Dramatiq background workers are idempotent, so retried jobs are safe.

Vendor management

  • BAA on file with every PHI-touching subprocessor.
  • Subprocessor attestation enforced in code via the orchestrator's BAA gate.
  • Annual subprocessor compliance review.

Compliance & certifications

  • HIPAA-ready — control matrix in our HIPAA Notice.
  • GDPR — Art. 5/15/17/20/25/30/32/33 controls all in production.
  • SOC 2 Type II — attestation in progress with our auditor.
  • ISO 27001 — readiness assessment complete; certification in progress.
  • PCI DSS SAQ A — payments scope minimized via Stripe.

Vulnerability disclosure

Email [email protected]. We acknowledge within 24 hours and patch critical issues within 72 hours. Public disclosure happens 90 days after fix with researcher credit, unless you request anonymity.

Penetration testing

Annual third-party pentest. Summary reports available under NDA on request to [email protected].