Trust, in one place.
A live view of how CliniLoom handles clinic data, what controls are in place today, and what we're explicit about not claiming.
Independently audited.
SOC 2 Type II certified March 2025. Scope: security, availability, and confidentiality controls at CliniLoom's primary data center. Full report available under NDA.
ISO 27001 certified June 2025. Scope: information security management system (ISMS) at CliniLoom's primary data center. Full report available under NDA.
Designed to be HIPAA compliant; BAA available for customers.
Controls at a glance
Security, availability, and confidentiality controls at CliniLoom's primary data center. Full report under NDA.
Information security management system at CliniLoom's primary data center. Full certificate under NDA.
Designed to be HIPAA compliant. BAA v1.2 signed before production PHI processing.
TLS 1.3 in transit; AES-256 at rest.
Role-based access (Administrator, Manager, Provider, Staff) with least-privilege defaults.
Per-entity, exportable as CSV/JSON. Retained 7 years.
Primary data center in US regions. Custom retention on Enterprise.
How clinic workflows stay reviewable
Required reviewer roles per workflow; no silent sends.
Urgent clinical concerns route to a clinician with audit.
Per-module rules for what needs provider, billing, or front-desk sign-off.
What every AI output carries
AI prepares — staff decide. Every output enters a reviewable queue.
Each draft cites the messages, documents, or fields it used.
Confidence indicators and explicit “missing context” flags surface uncertainty.
How we treat clinic data
- 01 We process the minimum data required to support the workflow.
- 02 Patient-facing and clinically sensitive drafts require named human approval.
- 03 We do not train shared models on clinic data.
- 04 Clinics own their data; export and deletion are first-class actions.
- 05 Integrations are scoped to specific folders, mailboxes, or resources.
What a reviewable draft looks like
- 1. AI drafts a reply citing the source thread
- 2. Front desk reviews & edits
- 3. Clinical concern? Routes to provider
- 4. Send is logged in the patient timeline

- 1. AI assembles payer-required fields
- 2. Provider reviews medical necessity language
- 3. Packet exported or sent through chosen channel
- 4. Status tracked end-to-end
Common questions
HIPAA is not a certification. CliniLoom is designed to be HIPAA compliant and signs a Business Associate Agreement (BAA v1.2) with customers before processing production PHI.
No. Every patient-affecting or payer-affecting action requires a human approver with the right role.
Yes. Clinic admins can export per-entity audit logs as CSV or JSON at any time.
US regions by default. Custom data residency and retention windows are available on Enterprise.