Healthcare-grade security, by default
ClinicFlow ships every technical safeguard a HIPAA auditor will ask for. The control matrix is documented in the open.
PHI encrypted at rest
Narrative PHI fields are encrypted at the column level with Fernet (AES-128-CBC with an HMAC-SHA-256 tag). AWS KMS envelope encryption is available; KMS only ever sees data keys, never PHI. Ciphertext carries a key-version prefix, so rotating SECRET_KEY never leaves existing rows unreadable.
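The three mechanisms above (column-level authenticated encryption, a key-version prefix that survives rotation, and a KMS that handles data keys but never plaintext) combine as follows. This is an added example, not ClinicFlow's code: the AEAD is an HMAC-SHA-256 keystream with encrypt-then-MAC, used as a stand-in for Fernet so the file runs on the standard library alone, and `FakeKMS`, the `v1:` token prefix and the lazy `rewrap` step are this example's own assumptions about how such a scheme is wired.

```python
import base64
import hmac
import os
import struct
from hashlib import sha256

# Added example, not ClinicFlow code. seal/unseal stand in for Fernet
# (HMAC-SHA-256 as a PRF keystream, encrypt-then-MAC); the key-version prefix
# and the envelope pattern do not depend on which primitive sits underneath.


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive independent encryption and MAC keys from one 32-byte key."""
    return hmac.new(key, label, sha256).digest()


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Keystream block i = HMAC(key, nonce || i), XORed onto data (its own inverse)."""
    out = bytearray()
    for i in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + struct.pack(">I", i), sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i * 32:(i + 1) * 32], block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, sha256).digest()
    if not hmac.compare_digest(expect, tag):  # constant-time; reject before decrypting
        raise ValueError("ciphertext failed authentication")
    return _xor_stream(_subkey(key, b"enc"), nonce, ct)


class ColumnCipher:
    """Keeps every SECRET_KEY version; encrypts under the newest, decrypts under any."""

    def __init__(self, keys: dict):
        self.keys = dict(keys)  # version number -> 32-byte key

    @property
    def current(self) -> int:
        return max(self.keys)

    @staticmethod
    def version_of(token: str) -> int:
        return int(token.split(":", 1)[0][1:])  # "v3:..." -> 3

    def encrypt(self, text: str) -> str:
        v = self.current
        return f"v{v}:" + base64.urlsafe_b64encode(seal(self.keys[v], text.encode())).decode()

    def decrypt(self, token: str) -> str:
        v = self.version_of(token)
        if v not in self.keys:
            raise KeyError(f"key version {v} has been retired")
        return unseal(self.keys[v], base64.urlsafe_b64decode(token.split(":", 1)[1])).decode()

    def rotate(self, new_key: bytes) -> int:
        """Add a new version; rows written under older versions stay readable."""
        self.keys[self.current + 1] = new_key
        return self.current

    def rewrap(self, token: str) -> str:
        """Lazy re-encryption on write: move a stale row onto the current key."""
        return self.encrypt(self.decrypt(token)) if self.version_of(token) != self.current else token


class FakeKMS:
    """Stand-in for AWS KMS: wraps data keys under a master key that never leaves it.
    Every blob the 'service' receives is recorded so the demo can prove PHI was never among them."""

    def __init__(self):
        self._master = os.urandom(32)
        self.received = []

    def generate_data_key(self):
        dek = os.urandom(32)
        return dek, seal(self._master, dek)  # (plaintext DEK for this process, wrapped DEK to store)

    def decrypt(self, wrapped: bytes) -> bytes:
        self.received.append(wrapped)
        return unseal(self._master, wrapped)


def envelope_roundtrip(phi: str):
    """Encrypt one narrative field under a KMS-wrapped data key, rotate the key,
    then show the old row still reads, rewrap moves it to v2, and KMS never saw PHI."""
    kms = FakeKMS()
    dek1, wrapped1 = kms.generate_data_key()
    stored = ColumnCipher({1: dek1}).encrypt(phi)   # only this token and wrapped1 are persisted
    dek2, wrapped2 = kms.generate_data_key()         # rotation: a second data key
    # A fresh process unwraps both DEKs through KMS before it can read anything.
    cipher = ColumnCipher({1: kms.decrypt(wrapped1), 2: kms.decrypt(wrapped2)})
    old_text = cipher.decrypt(stored)
    rewritten = cipher.rewrap(stored)
    kms_saw_phi = any(phi.encode() in blob for blob in kms.received)
    return old_text, ColumnCipher.version_of(stored), ColumnCipher.version_of(rewritten), kms_saw_phi
```

The check worth keeping from this is the last line of `envelope_roundtrip`: a KMS audit trail that ever contains a plaintext PHI byte string means the envelope boundary has been crossed.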
TLS everywhere
HSTS preload with includeSubDomains. Modern TLS profile only. Strict CSP, X-Frame-Options DENY, and the Cross-Origin-* policies (COOP, COEP, CORP) locked down by default.
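A header profile is only as good as the deployment that serves it, so here is the check a reviewer would run against a live response. This is an added example, not ClinicFlow's code: the thresholds follow the hstspreload.org submission rules (max-age of at least one year, includeSubDomains, preload), "strict CSP" is taken to mean nonce- or hash-based script-src with no 'unsafe-inline' or 'unsafe-eval', and the two header sets at the bottom are constructed for the demo, not captured from any server.

```python
# Added example, not ClinicFlow code: audit a response's security headers
# against the profile above. Returns a list of findings; empty means pass.

ONE_YEAR = 31536000  # hstspreload.org minimum max-age


def parse_hsts(value: str) -> dict:
    """'max-age=63072000; includeSubDomains; preload' -> {'max-age': 63072000, 'includesubdomains': True, ...}"""
    out = {}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name:
            out[name.lower()] = int(val) if val.isdigit() else True
    return out


def csp_directives(value: str) -> dict:
    """\"default-src 'self'; script-src 'nonce-x'\" -> {'default-src': [\"'self'\"], 'script-src': [...]}"""
    out = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def audit_headers(headers: dict) -> list:
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []

    hsts = parse_hsts(h.get("strict-transport-security", ""))
    if not hsts:
        findings.append("HSTS header missing")
    else:
        if hsts.get("max-age", 0) < ONE_YEAR:
            findings.append("HSTS max-age below one year (preload list requires it)")
        if "includesubdomains" not in hsts:
            findings.append("HSTS lacks includeSubDomains")
        if "preload" not in hsts:
            findings.append("HSTS lacks preload")

    csp = csp_directives(h.get("content-security-policy", ""))
    if not csp:
        findings.append("CSP missing")
    else:
        scripts = csp.get("script-src", csp.get("default-src", []))  # script-src falls back to default-src
        if "'unsafe-inline'" in scripts or "'unsafe-eval'" in scripts:
            findings.append("CSP allows inline or eval script (not a strict CSP)")
        if not any(t.startswith(("'nonce-", "'sha")) for t in scripts) and "'strict-dynamic'" not in scripts:
            findings.append("CSP script-src is not nonce- or hash-based")
    # Framing: either mechanism is acceptable, but at least one must be present.
    if csp.get("frame-ancestors") != ["'none'"] and h.get("x-frame-options", "").upper() != "DENY":
        findings.append("no framing protection (X-Frame-Options DENY or frame-ancestors 'none')")

    expected = {
        "cross-origin-opener-policy": ("same-origin",),
        "cross-origin-resource-policy": ("same-origin", "same-site"),
        "cross-origin-embedder-policy": ("require-corp", "credentialless"),
    }
    for name, allowed in expected.items():
        if h.get(name, "").lower() not in allowed:
            findings.append(f"{name} is '{h.get(name, '')}', expected one of {allowed}")
    return findings


# Constructed sample responses (not captured from any real server).
HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'nonce-r4nd0m' 'strict-dynamic'; "
                               "object-src 'none'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Resource-Policy": "same-origin",
    "Cross-Origin-Embedder-Policy": "require-corp",
}
WEAK = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
    "X-Frame-Options": "SAMEORIGIN",
}
```

Run `audit_headers` on the headers of a real response (any HTTP client gives you the dict) from every environment, not just production: staging hosts that fall off the profile are a common way for a preload-listed domain to end up with a subdomain that no longer serves HSTS.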
Strong authentication
JWT access tokens with refresh-token rotation. NIST SP 800-63B password policy. Account lockout after 8 failed attempts. Optional TOTP MFA with single-use recovery codes. SSO via OIDC against your IdP.
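Refresh rotation is the part of that list most often implemented incompletely, so here is what "rotation" has to mean in code: a refresh token is spent the moment it is exchanged. This is an added example, not ClinicFlow's code. It goes one step beyond the page by also revoking the whole session family when a spent token is presented again (the standard response to a replayed refresh token). The HS256 signing key, the 15-minute access lifetime, and the `fam` claim are assumptions of this example.

```python
import base64
import hmac
import json
import secrets
import time
from hashlib import sha256

# Added example, not ClinicFlow code: HS256 access tokens plus single-use refresh
# tokens. Reuse of a spent refresh token revokes its whole family.

SIGNING_KEY = secrets.token_bytes(32)  # assumption: one HS256 key for the demo
ACCESS_TTL = 900                       # assumption: 15-minute access tokens


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, key: bytes = SIGNING_KEY) -> str:
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def verify_jwt(token: str, key: bytes = SIGNING_KEY, now: float = None) -> dict:
    """Accept only HS256, compare the signature in constant time, reject expired tokens."""
    header, body, sig = token.split(".")
    if json.loads(_unb64(header)).get("alg") != "HS256":
        raise PermissionError("unexpected alg")  # the token does not get to choose the algorithm
    expect = hmac.new(key, f"{header}.{body}".encode(), sha256).digest()
    if not hmac.compare_digest(expect, _unb64(sig)):
        raise PermissionError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise PermissionError("token expired")
    return claims


class RefreshStore:
    """Refresh tokens are random, stored only as SHA-256 digests, and valid exactly once."""

    def __init__(self):
        self._records = {}            # digest -> {"user", "family", "used"}
        self._revoked_families = set()

    @staticmethod
    def _digest(raw: str) -> str:
        return sha256(raw.encode()).hexdigest()

    def login(self, user: str, now: float = None):
        """Start a new session family; returns (access_jwt, refresh_token)."""
        return self._issue_pair(user, secrets.token_hex(8), now)

    def _issue_pair(self, user: str, family: str, now: float = None):
        raw = secrets.token_urlsafe(32)
        self._records[self._digest(raw)] = {"user": user, "family": family, "used": False}
        now = int(now if now is not None else time.time())
        access = make_jwt({"sub": user, "fam": family, "iat": now, "exp": now + ACCESS_TTL})
        return access, raw

    def refresh(self, raw: str, now: float = None):
        """Spend a refresh token. A replayed (already spent) token revokes every token in its family."""
        rec = self._records.get(self._digest(raw))
        if rec is None:
            raise PermissionError("unknown refresh token")
        if rec["family"] in self._revoked_families:
            raise PermissionError("session family revoked")
        if rec["used"]:
            self._revoked_families.add(rec["family"])  # either the client or an attacker holds a stolen copy
            raise PermissionError("refresh token reuse detected; family revoked")
        rec["used"] = True
        return self._issue_pair(rec["user"], rec["family"], now)

    def family_revoked(self, family: str) -> bool:
        return family in self._revoked_families
```

Storing only the digest means a database dump does not yield usable refresh tokens; the family revocation is what turns a single replay into a forced re-login rather than a silent race between the victim's client and the thief.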
Audit on reads AND writes
Every PHI read and every mutation writes an AuditLog row with actor, IP, timestamp, object reference, and a link into a tamper-evident chain. Logs survive right-to-erasure requests through reference rewriting: the reference to the erased subject is rewritten rather than the row being deleted.
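A tamper-evident chain and reference rewriting pull in opposite directions: rewriting a field inside a chained row breaks the chain. One way to satisfy both, shown here as an added example that is not ClinicFlow's implementation, is to chain over a keyed pseudonym of the object reference and keep the pseudonym-to-reference mapping in a separate, erasable table. Erasure then rewrites the resolver and leaves every chained row intact. The pseudonym key, the column names, and the `ERASE` action are assumptions of this example.

```python
import hmac
import json
import time
from hashlib import sha256

# Added example, not ClinicFlow code: hash-chained audit rows that survive
# right-to-erasure because they never carry the raw object reference.

PSEUDONYM_KEY = b"audit-pseudonym-key-example-only"  # assumption: held by the audit service
GENESIS = "0" * 64


class AuditLog:
    def __init__(self, key: bytes = PSEUDONYM_KEY):
        self._key = key
        self.rows = []   # the chained, append-only part
        self.refs = {}   # pseudonym -> real object reference; the only erasable part

    def _pseudonym(self, object_ref: str) -> str:
        return hmac.new(self._key, object_ref.encode(), sha256).hexdigest()[:32]

    @staticmethod
    def _hash(row: dict) -> str:
        body = {k: v for k, v in row.items() if k != "hash"}
        return sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, actor: str, ip: str, action: str, object_ref: str,
               ts: float = None, link: bool = True) -> dict:
        pseud = self._pseudonym(object_ref)
        if link:
            self.refs[pseud] = object_ref
        row = {
            "seq": len(self.rows),
            "ts": ts if ts is not None else time.time(),
            "actor": actor, "ip": ip, "action": action,
            "subject": pseud,
            "prev": self.rows[-1]["hash"] if self.rows else GENESIS,
        }
        row["hash"] = self._hash(row)
        self.rows.append(row)
        return row

    def verify(self) -> bool:
        """Recompute every hash and every back-link; any edited, dropped or reordered row fails."""
        prev = GENESIS
        for i, row in enumerate(self.rows):
            if row["seq"] != i or row["prev"] != prev or self._hash(row) != row["hash"]:
                return False
            prev = row["hash"]
        return True

    def erase(self, object_ref: str, actor: str, ip: str, ts: float = None) -> dict:
        """Right to erasure: forget who the subject was, keep the evidence that access happened."""
        self.refs.pop(self._pseudonym(object_ref), None)
        return self.record(actor, ip, "ERASE", object_ref, ts, link=False)  # do not re-learn the mapping

    def resolve(self, row: dict) -> str:
        return self.refs.get(row["subject"], "<erased>")


def demo():
    log = AuditLog()
    log.record("dr.chen", "10.0.0.5", "READ", "patient:42", ts=1.0)
    log.record("dr.chen", "10.0.0.5", "UPDATE", "patient:42", ts=2.0)
    log.record("nurse.k", "10.0.0.9", "READ", "patient:7", ts=3.0)
    before = log.verify()
    log.erase("patient:42", "dpo", "10.0.0.1", ts=4.0)
    return before, log.verify(), log.resolve(log.rows[0]), log.resolve(log.rows[2]), log
```

Note what the erased rows still prove to an auditor: who accessed something, from where, when, and that two rows concerned the same (now unnamed) subject. What they no longer reveal is which patient that was.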
Compliance frameworks
Built to satisfy HIPAA Technical Safeguards (45 CFR §164.312) and GDPR Articles 5/15/17/20/25/30/32. SOC 2 Type II and ISO 27001 attestations in progress.
Tenant isolation
Shared application and shared database, with strict tenant_id scoping enforced at both the middleware and the service layer. No query crosses a tenant boundary; this is verified by 119 tests.
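What two-layer scoping looks like in code, as an added example that is not ClinicFlow's implementation: the middleware stand-in binds the tenant from the authenticated session (never from the request body or URL), and the repository refuses to execute any statement against a tenant table that does not bind that tenant. The in-memory SQLite schema, the table names and the `:tenant` placeholder convention are assumptions of this example.

```python
import sqlite3

# Added example, not ClinicFlow code: tenant scoping at two layers over an
# in-memory SQLite database with constructed rows.

TENANT_TABLES = {"patients", "encounters"}  # assumption: tables that carry a tenant_id column


class TenantScopeError(RuntimeError):
    pass


def tenant_from_session(session: dict) -> str:
    """Middleware stand-in: the tenant comes from the verified session, never from client input."""
    tenant = session.get("tenant_id")
    if not tenant:
        raise TenantScopeError("request has no tenant binding")
    return tenant


class ScopedRepo:
    """Service layer: every statement on a tenant table must bind :tenant; the repo supplies it."""

    def __init__(self, conn: sqlite3.Connection, tenant_id: str):
        self.conn, self.tenant_id = conn, tenant_id

    def query(self, sql: str, params: dict = None):
        lowered = " ".join(sql.lower().split())
        if any(t in lowered for t in TENANT_TABLES):
            needed = ":tenant" if lowered.startswith("insert") else "tenant_id = :tenant"
            if needed not in lowered:
                raise TenantScopeError(f"unscoped query against tenant table: {sql}")
        return self.conn.execute(sql, {**(params or {}), "tenant": self.tenant_id})

    def add_patient(self, name: str) -> int:
        cur = self.query("INSERT INTO patients (tenant_id, name) VALUES (:tenant, :name)", {"name": name})
        return cur.lastrowid

    def get_patient(self, patient_id: int):
        # A foreign tenant's id is indistinguishable from a nonexistent one: both return None.
        row = self.query("SELECT id, name FROM patients WHERE id = :id AND tenant_id = :tenant",
                         {"id": patient_id}).fetchone()
        return dict(row) if row else None

    def list_patients(self) -> list:
        return [dict(r) for r in self.query("SELECT id, name FROM patients WHERE tenant_id = :tenant ORDER BY id")]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute("CREATE TABLE patients (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, name TEXT NOT NULL)")
    return conn


def demo() -> dict:
    conn = build_db()
    clinic_a = ScopedRepo(conn, tenant_from_session({"user": "dr.chen", "tenant_id": "clinic-a"}))
    clinic_b = ScopedRepo(conn, tenant_from_session({"user": "dr.ruiz", "tenant_id": "clinic-b"}))
    a_id = clinic_a.add_patient("A. Patient")  # constructed rows
    b_id = clinic_b.add_patient("B. Patient")
    return {
        "a_sees_own": clinic_a.get_patient(a_id),
        "a_sees_b": clinic_a.get_patient(b_id),   # None: the row exists, but not in this tenant
        "b_list": [p["name"] for p in clinic_b.list_patients()],
    }
```

The `query` guard is the kind of test-backed invariant the "119 tests" claim above refers to: a developer who writes `SELECT ... FROM patients WHERE id = :id` without the tenant predicate gets a failure at the first call, not a cross-tenant leak in production.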
Practice summary
| Practice | Status |
| --- | --- |
| MFA available for all accounts | Yes |
| BAA with subprocessors | Yes — every PHI-touching provider |
| Penetration testing | Annual third-party |
| Vulnerability disclosure program | [email protected] |
| Backup retention | 30 days online, 6 years cold |
| RTO target | ≤4 hours |
| RPO target | ≤15 minutes |
| Data center regions | us-east, eu-west, ap-southeast |
| Subprocessor list | Updated quarterly |
| Bug bounty | Coming Q3 2026 |
Found a security issue?
Email [email protected] with details. We acknowledge reports within 24 hours and ship fixes for critical issues within 72 hours. Coordinated public disclosure follows 90 days after the fix, with credit to the reporter unless you request anonymity.
Read the deep documentation
Auditors and security teams: jump straight into our compliance map and operator runbooks.