Clinit is independently attested against HIPAA, PCI DSS, SOC 2 Type II and GDPR, the compliance frameworks that matter most to a clinic handling patient records and card payments. Your patients' data is protected at every layer.
Every attestation is verified by an independent third party, not self-declared. Note that HIPAA and GDPR have no official certification body: compliance with them is demonstrated through independent audit of our controls and the contractual agreements (BAA, DPA) described below. We provide supporting documentation upon request.
All Protected Health Information (PHI) is handled in strict accordance with HIPAA Privacy and Security Rules. We sign Business Associate Agreements (BAAs) with all clients and maintain full audit trails of every PHI access.
Card payments are handled by PCI DSS Level 1 certified payment gateways, the highest validation tier. Card numbers are tokenised by the gateway before they reach us, so raw card numbers are never stored on Clinit servers.
Our security controls are independently audited annually by a licensed CPA firm under the AICPA Trust Services Criteria. SOC 2 Type II means our controls are proven effective over an extended observation period — not just documented.
Clinit supports full GDPR compliance for clinics serving EU patients. We act as a Data Processor under the regulation, and provide the contractual and technical mechanisms you need to meet your obligations as the Data Controller.
From database to device, each layer of Clinit is independently secured and continuously monitored.
All data is encrypted at rest on AES-256 encrypted volumes. The database, file storage and backups each use their own encryption keys, and those keys are rotated.
All connections are enforced over TLS 1.3 with HSTS, and weak cipher suites are rejected. The mobile apps use certificate pinning.
Automated encrypted backups every 24 hours with 30-day point-in-time recovery. Backup integrity is tested monthly.
Multi-region PostgreSQL on Supabase with automatic failover. Load-balanced API infrastructure on Vercel edge network.
Annual third-party penetration tests on web, API, and mobile surfaces. Critical findings addressed within 48 hours.
39-module RBAC permissions system. Every action is gated by role. Super-admin access requires MFA and is independently audited.
Tamper-evident, append-only audit log (entries can be added but not altered or removed without detection) covering every record read, write and delete. Exportable for compliance reviews.
Continuous dependency scanning, SAST on every commit, and quarterly DAST scans. CVEs triaged within 24 hours of disclosure.
We provide all documentation your legal or compliance team needs. Contact us with your request.
Business Associate Agreement: standard BAA for all US/international clinics handling PHI. Counter-signed by Clinit within 1 business day.
Data Processing Agreement: GDPR-compliant DPA defining our role as Data Processor and your rights and obligations as Data Controller.
SOC 2 Type II report: full audit report from our independent CPA firm. Available under NDA to enterprise clients.
Security questionnaire: pre-filled CAIQ/VSA questionnaire for enterprise procurement processes and insurance assessments.
Sub-processor list: complete list of sub-processors (Supabase, Vercel, Resend, Paymob) with their own compliance details.
Penetration test summary: executive summary of our most recent third-party pentest. Full report available to enterprise clients.
All Clinit plans include full compliance coverage: HIPAA, PCI DSS, SOC 2 and GDPR are not add-ons. Security is built in from day one.