Security & Access Control
Two-factor authentication, audit logs, device management, and data export.
Two-factor authentication (2FA)
To enable 2FA on your account:
- Go to Settings → Security → Two-Factor Authentication
- Click Enable 2FA
- Scan the QR code with an authenticator app (Google Authenticator, Authy, or 1Password)
- Enter the 6-digit code to verify
- Save your backup codes in a secure place
Once enabled, all logins from unrecognised devices will require the 6-digit code in addition to your password.
Forcing 2FA for all staff: Clinic Owners can require all staff to enable 2FA from Settings → Security → Enforce 2FA for all users.
Remember device (30 days)
During login, checking Remember this device for 30 days means you won't be asked for 2FA again from that device for 30 days.
Device tokens are stored as SHA-256 hashes server-side — the plaintext token is never stored. Tokens expire automatically after 30 days.
You can review and revoke trusted devices at any time from Settings → Security → Trusted Devices. This is recommended after changing staff or losing a device.
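The storage model described above (random device token issued to the browser, only its SHA-256 hash kept server-side, 30-day expiry, revocable) as an added illustration; this is example code, not Clinit's own implementation, and the TrustedDeviceStore class and its method names are hypothetical:

```python
import hashlib
import secrets

TOKEN_TTL_SECONDS = 30 * 24 * 60 * 60  # 30 days, matching the "Remember this device" window


class TrustedDeviceStore:
    """Hypothetical in-memory model of a trusted-device table: hash -> (user, expiry)."""

    def __init__(self) -> None:
        self._rows: dict[str, dict] = {}

    @staticmethod
    def _hash(token: str) -> str:
        # Only this digest is persisted; the plaintext token exists solely in the cookie.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str, now: float) -> str:
        """Create a device token at login time and return the plaintext for the cookie."""
        token = secrets.token_urlsafe(32)  # 256 bits of CSPRNG entropy
        self._rows[self._hash(token)] = {
            "user_id": user_id,
            "expires_at": now + TOKEN_TTL_SECONDS,
        }
        return token

    def is_trusted(self, user_id: str, token: str, now: float) -> bool:
        """True if the presented token is valid, unexpired, and bound to this user."""
        key = self._hash(token)
        row = self._rows.get(key)
        if row is None:
            return False
        if now >= row["expires_at"]:
            del self._rows[key]  # lazy purge of an expired token
            return False
        return row["user_id"] == user_id

    def revoke_all(self, user_id: str) -> int:
        """Forget every trusted device for a user (staff change, lost device)."""
        victims = [k for k, r in self._rows.items() if r["user_id"] == user_id]
        for k in victims:
            del self._rows[k]
        return len(victims)

    def stored_secrets(self) -> list[str]:
        """What an attacker reading the table would see: hex digests only."""
        return list(self._rows)
```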
Audit log
Every action in Clinit is recorded in the tamper-proof audit log:
- Patient record created, viewed, edited, or deleted
- Appointment booked, modified, or cancelled
- Invoice created, paid, or voided
- Staff account created, deactivated, or role changed
- Settings modified
To access the audit log: Settings → Audit Log. You can filter by user, action type, and date range. The log is append-only and cannot be modified or deleted by any user, including the Clinic Owner. Export as CSV for compliance reviews.
Exporting your data
You own your data and can export it at any time:
- Patient records: Go to Patients → Export — downloads a CSV of all patient demographic and contact data
- Clinical records: Go to Reports → Full Data Export — downloads a ZIP containing all clinical notes, prescriptions, and lab results as structured JSON
- Financial data: Go to Billing → Export — downloads all invoices and payments as CSV or Excel
Exports include all historical data. For GDPR subject access requests, use the individual patient export from their profile page.