Risk Assessment
Last updated: April 26, 2026 · Reviewed annually or upon material changes to the platform.
Purpose and Scope
This Risk Assessment is maintained in accordance with the HIPAA Security Rule, 45 CFR §164.308(a)(1)(ii)(A), which requires covered entities and business associates to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI).
This assessment applies to all systems operated by Ax Hill Tecnologia da Informação LTDA under the Klinity platform, including the API (klinity-api), the web application (klinity.com), and the underlying AWS infrastructure.
ePHI in scope: appointment audio recordings, AI-generated clinical documents, transcriptions, clinical notes, and patient records stored or processed within the platform.
Risk Rating Methodology
Each risk is rated on two dimensions:
- Likelihood: Low / Medium / High — probability that the threat will be exploited given the current environment.
- Impact: Low / Medium / High — potential harm to the confidentiality, integrity, or availability of ePHI if the threat is realized.
Overall risk level = Likelihood × Impact. Risks rated Medium or above have documented mitigating controls.
Identified Risks and Controls
1. Unauthorized Account Access
Threat: An attacker obtains or forges authentication credentials and gains access to a practitioner's clinical data.
Likelihood: Low | Impact: High
Controls:
- Authentication is handled by AWS Cognito, a HIPAA-eligible managed identity service. Klinity never stores raw passwords.
- Every session token (JWT) is cryptographically verified using RS256 against Cognito's public JWKS endpoint on each request, making token forgery computationally infeasible.
- Banned or suspended accounts are blocked at the middleware level before any data is returned.
2. Cross-Account Data Exposure
Threat: A logged-in user accesses ePHI belonging to a different practitioner's account.
Likelihood: Low | Impact: High
Controls:
- Every database query is scoped to the authenticated user's account_id, which is resolved from the verified JWT, not from user-supplied input. No query returns data across account boundaries.
- The platform operates on a one-account-per-practitioner model. There are no shared data spaces between accounts.
3. Infrastructure Compromise
Threat: An attacker gains direct access to the database, API server, or cloud infrastructure.
Likelihood: Low | Impact: High
Controls:
- All infrastructure runs inside a private AWS VPC. The database (AWS RDS) is in a private subnet with no public endpoint. The API is exposed only through an Application Load Balancer (ALB) over HTTPS.
- Infrastructure credentials are stored in AWS Secrets Manager and injected at runtime. They are never committed to source code or exposed in logs.
- All AWS account-level activity is recorded by AWS CloudTrail, providing an immutable log for forensic investigation.
4. Data Interception in Transit
Threat: Network traffic containing ePHI is intercepted between the user's device and Klinity's servers.
Likelihood: Low | Impact: High
Controls:
- All communication is encrypted in transit using TLS. The ALB is configured to redirect HTTP to HTTPS; no unencrypted channel is accepted.
5. Data Loss or Corruption
Threat: ePHI is permanently lost or corrupted due to hardware failure, software error, or accidental deletion.
Likelihood: Low | Impact: Medium
Controls:
- AWS RDS automated backups are enabled with a configured retention window. Point-in-time recovery is available.
- Audit log data is stored in a time-partitioned PostgreSQL table, reducing the risk of bulk data loss.
- Database records use soft-delete (paranoid mode via Sequelize) where applicable, preserving data before permanent removal.
6. Unauthorized Internal Access
Threat: A Klinity team member accesses clinical content without authorization.
Likelihood: Low | Impact: High
Controls:
- All PHI-access events are logged unconditionally in the audit log, regardless of the actor's identity or account subscription status.
- Infrastructure access is role-restricted and audited by AWS CloudTrail.
- Klinity does not have application-layer tooling for bulk clinical data export or browsing. Any access requires direct database access, which is audited.
7. Third-Party Vendor Compromise
Threat: A vendor that processes ePHI on Klinity's behalf suffers a security incident.
Likelihood: Low | Impact: Medium
Controls:
- Only two vendors process ePHI: Amazon Web Services (infrastructure) and AssemblyAI (audio transcription). Both have signed Business Associate Agreements (BAAs) with Klinity.
- No other vendor receives ePHI. Email (Resend) and billing (Stripe) are explicitly scoped to non-PHI data.
Residual Risk Summary
After the implementation of the controls described above, all identified risks are rated at a residual level of Low. No unmitigated High or Medium risks remain open as of the date of this assessment.
This assessment will be reviewed at least annually, and immediately after any of these events:
- A confirmed or suspected security incident involving ePHI
- A material change to the platform's technology stack or infrastructure
- The addition of a new vendor that will process ePHI
- A significant change to applicable regulations