Trust & Security

ClarioScope is built for healthcare. This page lists every certification, control, and posture we publicly commit to — and clearly marks the items we have not yet earned. We do not claim a certification we don't hold.

Last reviewed: May 15, 2026

Current posture

HIPAA-aware platform

Live

HIPAA does not define a certification, so "HIPAA-aware" describes how we operate rather than a credential we hold: we sign a Business Associate Agreement with every healthcare practice client, and every interaction that touches patient data is written to an audit trail.


Business Associate Agreement (BAA)

Live

Our standard BAA is available for signature before any PHI flows through the platform. It is required for the AI Receptionist and for any integration that touches patient data.


Read-only EHR access

Live

EHR / FHIR integrations are read-only; ClarioScope never writes back to your chart. A pull requires both a signed BAA and a signed Data-Sharing Addendum.


PHI minimization & audit logging

Live

Pulled records are de-identified at the boundary (names dropped, DOB → year, ZIP truncated, identifiers hashed). Every credential access, EHR pull, and report view lands in an append-only audit log.

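
The de-identification rules and the append-only log described above, as an added example that is not ClarioScope's own code (the platform runs on Laravel; this is Python for illustration). It assumes a keyed hash for identifiers, because an unkeyed hash of a low-entropy value such as an MRN or phone number can be reversed by enumerating the input space. It also goes beyond the page in two places: it applies the HIPAA Safe Harbor rules that "ZIP truncated" and "DOB → year" imply but do not spell out (sparse three-digit ZIP prefixes become 000, and ages over 89 collapse into a single 90+ bucket), and it hash-chains the audit log so an edited or deleted earlier entry is detectable. PSEUDONYM_KEY, SAMPLE_RECORD, and the function and class names are assumptions; the sample record is constructed.

```python
# Added illustration of boundary de-identification plus a tamper-evident,
# append-only audit log. Not ClarioScope's code; the key, names and sample
# record below are constructed for this example.
import hashlib
import hmac
import json
from datetime import date

# Hypothetical secret for pseudonymizing identifiers. Keep it in a secrets
# manager in practice. An unkeyed SHA-256 of an MRN or phone number can be
# reversed by enumerating the small input space, hence HMAC.
PSEUDONYM_KEY = b"example-key-not-for-production"

# Direct identifiers dropped outright at the boundary.
DIRECT_IDENTIFIERS = ("name", "email", "phone", "address")

# Three-digit ZIP prefixes covering 20,000 people or fewer (HHS Safe Harbor
# guidance, 2010 census figures). Safe Harbor requires these to become 000
# rather than a bare truncation. Check the current HHS list before relying on it.
SPARSE_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
               "823", "830", "831", "878", "879", "884", "890", "893"}

def pseudonymize(identifier: str) -> str:
    """Keyed hash: a stable join key that is not reversible without the key."""
    return hmac.new(PSEUDONYM_KEY, identifier.encode(), hashlib.sha256).hexdigest()

def truncate_zip(zip_code: str) -> str:
    zip3 = zip_code[:3]
    return "000" if zip3 in SPARSE_ZIP3 else zip3

def dob_to_year(dob: str, today: date) -> str:
    """Keep only the year, except that Safe Harbor also collapses ages over 89
    (and a birth year that would reveal such an age) into a single 90+ bucket.
    Comparing years alone errs on the conservative side."""
    year = int(dob[:4])
    return "90+" if today.year - year >= 90 else str(year)

def deidentify(record: dict, today: date) -> dict:
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if "mrn" in out:
        out["mrn"] = pseudonymize(out["mrn"])
    if "dob" in out:
        out["dob"] = dob_to_year(out["dob"], today)
    if "zip" in out:
        out["zip"] = truncate_zip(out["zip"])
    return out

class AuditLog:
    """Append-only log in which each entry commits to the previous entry's
    hash. Chaining is a design choice assumed here (the page says only
    'append-only'); it makes an edited or deleted earlier entry detectable."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: list[dict] = []

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, actor: str, action: str, subject: str, at: str) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {"seq": len(self.entries), "at": at, "actor": actor,
                 "action": action, "subject": subject, "prev": prev}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            if entry["seq"] != i or entry["prev"] != prev:
                return False
            if self._digest(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

# Constructed sample, not real patient data.
SAMPLE_RECORD = {"mrn": "MRN-00042", "name": "Jane Q. Sample",
                 "email": "jane@example.com", "phone": "555-0100",
                 "dob": "1934-03-02", "zip": "03601", "visit_reason": "follow-up"}

def pull_and_log(record: dict, log: AuditLog, actor: str, at: str) -> dict:
    """De-identify one EHR pull and record it. The log stores the pseudonym,
    not the raw MRN, so the audit trail carries no direct identifier."""
    clean = deidentify(record, date.fromisoformat(at[:10]))
    log.append(actor, "ehr.pull", clean["mrn"], at)
    return clean

if __name__ == "__main__":
    log = AuditLog()
    print(pull_and_log(SAMPLE_RECORD, log, "svc-reception", "2026-05-15T09:30:00Z"))
    log.entries[0]["actor"] = "someone-else"  # simulated tampering
    print("chain intact after edit:", log.verify())  # False
```

Two points the code makes that the prose does not: the audit subject is the pseudonym rather than the raw MRN, so a log that records every EHR pull does not quietly become a second store of PHI, and verify() fails after the simulated edit because the stored hash of entry 0 no longer matches its contents.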

SOC 2 Type II

In progress

Audit window: targeted for Q4 2026. Auditor selection is underway; we will publish the auditor's name once it is confirmed. Until the audit completes we do not represent ourselves as SOC 2 certified.

Encryption in transit

Live

TLS 1.2 or higher is enforced for all traffic to clarioscope.ai and every portal and API surface. Plain HTTP is redirected to HTTPS, and the certificate chain is monitored.

Encryption at rest

Live

Application data (PostgreSQL, object storage, backups) is encrypted at rest using the cloud provider's server-side encryption with provider-managed keys. With provider-managed keys the provider generates, stores, and rotates the keys; access to decrypted data is governed by our cloud account's access controls rather than by a key the practice holds.

Data residency

Live

All primary data is hosted in US-East via Laravel Cloud on AWS infrastructure. No data leaves the United States unless explicitly required by an authorized integration the practice has connected.

Incident response

Live

We notify affected practice clients within 24 hours of confirming a security incident, per the terms of the signed BAA. A documented runbook governs containment, eradication, and post-incident review.

Single Sign-On (SSO)

Roadmap

SAML / OIDC SSO is on the 2026 roadmap. Today, accounts authenticate with email and password, and email verification is optional.

Report a security issue

We take security disclosures seriously. Email security@clarioscope.ai with reproduction steps and any supporting context. We acknowledge every report within one business day.

Please do not include patient data, screenshots containing PHI, or production credentials in your initial report; we will arrange a secure channel before that level of detail is needed.