Trust Center
Klinity is built for regulated clinical environments. This page documents our security controls, compliance status, and the policies that govern how patient data is protected.
Last updated April 26, 2026 · Ax Hill Tecnologia da Informação LTDA
Security Controls
Technical safeguards implemented across the platform, mapped to HIPAA requirements.
Access Control (§164.312(a)(1))
- Complete per-account data isolation — no cross-account access
- One practitioner per account; sole owner of all clinical data
- Access revocation takes effect immediately
- Sessions expire automatically via Cognito token TTL
- Klinity team has no routine access to clinical content
Authentication (§164.312(d))
- Identity managed by AWS Cognito (HIPAA-eligible service)
- Cryptographic RS256 JWT verification on every request
- Token signature verified against Cognito public JWKS
- Email-based identity confirmation at registration
Audit Controls (§164.312(b))
- All PHI access events logged: create, read, update, delete
- Each entry records user ID, timestamp, and IP address
- Immutable logs retained for a minimum of 6 years
- Exportable as CSV from Settings → Security
Transmission Security (§164.312(e)(1))
- All traffic encrypted in transit with TLS
- HTTP connections redirected to HTTPS at the ALB
- No unencrypted channels between client and server
Encryption at Rest (§164.312(a)(2)(iv))
- Database encrypted at rest — AWS RDS
- Audio files encrypted at rest — AWS S3
- Processing queues encrypted at rest — AWS SQS
- Automated database backups with configured retention
Infrastructure (AWS BAA signed)
- All infrastructure runs inside a private AWS VPC
- Database and API hosts have no public IP addresses and are not directly reachable from the public internet; the API is reached only through the load balancer
- Credentials managed via AWS Secrets Manager
- All AWS account activity recorded by CloudTrail
Incident Response
Affected users are notified without unreasonable delay and no later than 60 days after a breach is discovered, the outer limit set by HIPAA §164.404; LGPD Art. 48 additionally requires notifying the ANPD and the affected data subjects.
1. Contain: the incident is isolated and compromised access is revoked immediately.
2. Assess: the affected data, scope, and users are identified.
3. Notify: affected users are notified within 60 days of discovery.
4. Remediate: the root cause is fixed and recurrence prevention is documented.
Policy Documents
Full written policies maintained in accordance with HIPAA administrative safeguard requirements.
- Risk Assessment: identified threats to protected health information, likelihood and impact ratings, and the technical controls in place to mitigate each risk.
- Access Control Policy: how access to clinical data is granted, scoped, and revoked, covering the current one-account-per-practitioner model and Klinity team access rules.
- Incident Response Plan: step-by-step protocol for identifying, containing, assessing, and notifying in the event of a security incident involving protected health information.
Sub-processors & Vendors
All vendors that process data on behalf of Klinity, and whether they come into contact with protected health information (PHI).
| Vendor | Purpose | Touches PHI |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure | Yes |
| AssemblyAI | AI-powered speech processing | Yes |
| Stripe | Payment processing and subscription billing | No |
| Resend | Transactional email delivery (account notifications) | No |
Data Retention
| Data type | Retention |
|---|---|
| Audit logs | 6 years minimum |
| Appointment audio files | Practitioner-configured |
| Clinical documents & notes | While account is active |
| Account data | Until account deletion |
Have questions or need documentation?
Reach our security team at security@klinity.com