CliniLoom
Security

Certified, monitored, and reviewable.

SOC 2 Type II and ISO 27001 certified. HIPAA-designed with BAA v1.2. Encryption in transit and at rest, role-based access, SSO, MFA, and 24/7 monitoring — every action on the record.

Certified March 2025 · Certified June 2025 · BAA v1.2 · TLS 1.3 / AES-256

Encryption everywhere

TLS 1.3 in transit and AES-256 at rest for PHI and backups.

SOC 2 Type II · ISO 27001

SOC 2 Type II certified March 2025 and ISO 27001 certified June 2025 at CliniLoom's primary data center. Reports available under NDA.

HIPAA-designed · BAA v1.2

Designed to be HIPAA compliant. BAA v1.2 has been available since January 2024 and is signed before any production PHI is processed.

Role-based access control

Four defined roles — Administrator, Manager, Provider, Staff — with least-privilege defaults and per-module permissions.

SSO and MFA

SSO via SAML 2.0 and OIDC. MFA supported via SMS, email, or an authenticator app.

End-to-end audit trail

Every AI draft, human action, and system event is logged with actor, role, timestamp, and source. Audit logs retained for 7 years; system logs for 1 year.

Retention and deletion

Patient data retained for the customer contract duration plus 90 days. Deleted within 30 days after contract termination; a final backup is retained 90 days.

24/7 monitoring

Continuous monitoring with a 4-hour notification window for critical incidents. Customer security contact notified per BAA obligations.

Support response

Support hours: 8 AM–8 PM EST, Monday–Friday. Initial response within 4 business hours.

What CliniLoom does not do

No auto-sent patient communication. No auto-submitted prior auths. No auto-signed notes. No diagnostic determinations.

Retention

How long we keep data

Patient data

Customer contract duration plus 90 days.

Audit logs

Retained 7 years.

System logs

Retained 1 year.

Deletion policy

Deleted within 30 days after contract termination; final backup retained 90 days.

Subprocessors

Vendors in the CliniLoom stack

  • Amazon Web Services (AWS) — Application hosting, database storage (US regions)
  • SendGrid — Transactional email delivery
  • Twilio — SMS and voice delivery