Security overview

Least-privilege access enforced across the platform. Roles are scoped per practice; cross-practice access is disallowed by default and audited when granted.

• Role-based access control (RBAC) via Spatie laravel-permission.
• Practice-scoped data isolation — middleware blocks cross-practice reads at the query layer.
• Internal staff access to production is limited to named senior engineers and is logged.
• API tokens are scoped per integration and revocable from the portal.

TLS 1.2+ for everything in transit. Server-side encryption at rest via the underlying cloud provider for PostgreSQL, object storage, and backups.

• HTTPS enforced; plain HTTP is redirected.
• Sensitive credentials (third-party API keys held on behalf of practices) are encrypted with Laravel's symmetric cipher using a key stored only in the production secret store.
• Database backups inherit the same at-rest encryption as live volumes.

Every patient-touching interaction in the AI receptionist creates an immutable activity record. Application logs are retained for at least 90 days and analyzed for anomalies.

• Activity logs on conversations, escalations, scheduling actions, and credential reads.
• Application logs shipped to Laravel Cloud's log aggregation tier.
• Failed login attempts are throttled and recorded.

Dependencies are reviewed on every deploy. We patch critical CVEs within the cycle they're disclosed; high-severity issues within seven days.

• Composer and npm audit checks on the build pipeline.
• Manual review of any new third-party package before adding it to production.
• Security disclosures via security@clarioscope.ai — acknowledged within one business day.

Access is granted by named role on day one and revoked on the last day, with credential rotation for any shared accounts the departing staff member could have touched.

• Workstation requirements: full-disk encryption, screen lock, password manager.
• Off-boarding checklist revokes SSO, repo access, secrets manager access, and email forwarding.
• Shared credentials are rotated immediately after any privileged off-boarding.

Daily automated backups of the primary database via Laravel Cloud, with point-in-time recovery within the retention window. Object storage replicated within the region.

• Daily snapshots retained for at least 30 days.
• Point-in-time recovery available within the platform's retention window.
• Practice clients can export their data on demand; on termination, data is retained for 30 days, then deleted.

Hosted on Laravel Cloud running on AWS US-East-1. We do not operate our own datacenter. Each tier of the stack inherits AWS's underlying compliance posture for the controls it touches.

• Application tier: FrankenPHP runtime on Laravel Cloud, multi-instance.
• Database tier: managed PostgreSQL, encrypted volumes, automated failover.
• Object storage: AWS S3 with server-side encryption and bucket-level access policies.