CliniLoom
Trust Center

Trust, in one place.

A live view of how CliniLoom handles clinic data, what controls are in place today, and what we're explicit about not claiming.

SOC 2 Type II · Mar 2025
ISO 27001 · Jun 2025
HIPAA-designed · BAA available
Human-in-the-loop
Certifications

Independently audited.

Certified March 2025
SOC 2 Type II

SOC 2 Type II certified March 2025. Scope: security, availability, and confidentiality controls at CliniLoom's primary data center. Full report available under NDA.

Certified June 2025
ISO 27001

ISO 27001 certified June 2025. Scope: information security management system (ISMS) at CliniLoom's primary data center. Full report available under NDA.

Designed for HIPAA compliance
HIPAA

Designed to be HIPAA compliant; BAA available for customers.

Security posture

Controls at a glance

Certified · Mar 2025
SOC 2 Type II

Security, availability, and confidentiality controls at CliniLoom's primary data center. Full report under NDA.

Certified · Jun 2025
ISO 27001

Information security management system at CliniLoom's primary data center. Full certificate under NDA.

BAA available
HIPAA

Designed to be HIPAA compliant. BAA v1.2 signed before production PHI processing.

Implemented
Encryption

TLS 1.3 in transit; AES-256 at rest.

Implemented
Access control

Role-based access (Administrator, Manager, Provider, Staff) with least-privilege defaults.

Implemented
Audit log

Per-entity, exportable as CSV/JSON. Retained 7 years.

US regions
Data residency

Primary data center in US regions. Custom retention on Enterprise.

Compliance controls

How clinic workflows stay reviewable

Human-reviewed workflows

Required reviewer roles per workflow; no silent sends.

Clinical escalation rules

Urgent clinical concerns route to a clinician with audit.

Configurable approval rules

Per-module rules for what needs provider, billing, or front-desk sign-off.

AI safety controls

What every AI output carries

Draft-only outputs

AI prepares — staff decide. Every output enters a reviewable queue.

Source-linked

Each draft cites the messages, documents, or fields it used.

Confidence + missing context

Confidence indicators and explicit “missing context” flags surface uncertainty.

Data handling principles

How we treat clinic data

  1. We process the minimum data required to support the workflow.
  2. Patient-facing and clinically sensitive drafts require named human approval.
  3. We do not train shared models on clinic data.
  4. Clinics own their data; export and deletion are first-class actions.
  5. Integrations are scoped to specific folders, mailboxes, or resources.

Workflow examples

What a reviewable draft looks like

Patient message draft
  1. AI drafts a reply citing the source thread
  2. Front desk reviews & edits
  3. Clinical concern? Routes to provider
  4. Send is logged in the patient timeline

Prior auth packet
  1. AI assembles payer-required fields
  2. Provider reviews medical necessity language
  3. Packet exported or sent through chosen channel
  4. Status tracked end-to-end

FAQ

Common questions

Is CliniLoom HIPAA certified?

HIPAA is not a certification. CliniLoom is designed to be HIPAA compliant and signs a Business Associate Agreement (BAA v1.2) with customers before processing production PHI.

Do you have SOC 2?

SOC 2 Type II certified March 2025. Scope: security, availability, and confidentiality controls at CliniLoom's primary data center. Full report available under NDA.

Are you ISO 27001 certified?

ISO 27001 certified June 2025. Scope: information security management system (ISMS) at CliniLoom's primary data center. Full report available under NDA.

Does AI ever take an action on its own?

No. Every patient-affecting or payer-affecting action requires a human approver with the right role.

Can we get an audit log export?

Yes. Clinic admins can export per-entity audit logs as CSV or JSON at any time.

Where is data stored?

US regions by default. Custom data residency and retention windows are available on Enterprise.