Trust by design.
CloudClinic was built for healthcare from day one. HIPAA compliance, encryption, audit logging, and a careful AI posture are the floor — not features we added later.
Six pillars of how we handle your data.
HIPAA-compliant
Signed BAAs with every customer. PHI is segregated per organization at every layer of the stack — database, storage, AI calls, and audit logs.
Encryption
AES-256 at rest, TLS 1.3 in transit. Database backups encrypted with rotating KMS keys. No customer data ever leaves our managed AWS infrastructure unencrypted.
Auditability
Every read and write to PHI is logged with user, timestamp, IP, and operation. AI generations log model, input fields, and the editing user.
Authentication
Strong password requirements, optional MFA, and SSO via Google and Microsoft on Growth+. SAML / SCIM available on Enterprise.
Infrastructure
Hosted on AWS US-East with multi-AZ database replication. Daily encrypted backups with point-in-time recovery to the second.
Incident response
Documented incident response runbook. 24/7 monitoring on production. Customer notification within 24 hours of a confirmed PHI incident.
How CloudClinic AI handles your data.
Healthcare AI sounds scary in the wrong hands. We took the time to do it right.
No model training on PHI
We explicitly opt out of training on every AI API we call. PHI is never used to improve a vendor’s model.
BAAs with AI providers
Anthropic, OpenAI, and AWS are all BAA-signed subprocessors. We do not call non-BAA AI services with PHI.
Output is always editable
AI is presented as a draft for a human to review and sign. Provider judgment is in charge — AI is a faster pen, not the prescriber.
Per-org PHI isolation
AI requests are scoped to the requesting organization. We never combine PHI across customers in a single inference call.
Who touches your data.
The full subprocessor list, with purpose, region, and BAA status, is published at /legal/subprocessors. Highlights:
| Vendor | Purpose | BAA |
|---|---|---|
| Amazon Web Services | Hosting, storage, backups, transcription | Yes |
| Anthropic | Clinical AI (scribe, blood, aesthetic) | Yes |
| OpenAI | Recommendations & summaries | Yes |
| Twilio | Telehealth video & SMS | Yes |
| DoseSpot | E-prescribing & EPCS | Yes |
| Stripe | Payments processing | No PHI; PCI |
| SendGrid | Transactional email (no PHI) | No PHI |