Legal
Security & Trust
Last Updated: March 26, 2026
ClinicTitan Inc. ("ClinicTitan") builds healthcare infrastructure that handles protected health information (PHI). Security is foundational to every system we design, build, and operate. This page describes our security practices, compliance posture, and commitment to protecting the data entrusted to our platform.
Our Commitment
ClinicTitan operates as a HIPAA Business Associate under the Health Insurance Portability and Accountability Act (42 U.S.C. 1320d et seq.) and the Health Information Technology for Economic and Clinical Health (HITECH) Act (42 U.S.C. 17931 et seq.). We are bound by federal law, specifically the HIPAA Privacy Rule (45 CFR Part 164, Subpart E), Security Rule (45 CFR Part 164, Subpart C), and Breach Notification Rule (45 CFR Part 164, Subpart D), to protect the confidentiality, integrity, and availability of all electronic protected health information (ePHI) we create, receive, maintain, or transmit on behalf of our clients and their patients.
We maintain a formal Information Security Program overseen by a designated HIPAA Security Officer and Privacy Officer, supported by written policies, workforce training, and ongoing risk assessment.
Platform Security Architecture
Our platform implements five layers of defense, designed to protect data from the network edge through to compliance documentation.
Network Security
Encryption in transit: All data transmitted to and from our platform is encrypted using TLS 1.2 or higher. HTTP connections are automatically redirected to HTTPS.
HTTPS-only endpoints: Our API and application endpoints enforce HTTPS with HSTS (HTTP Strict Transport Security) headers.
Authentication: User authentication is managed through a dedicated, managed identity service with short-lived session tokens.
Webhook integrity: All inbound webhooks from third-party services are verified using cryptographic signatures before processing.
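To illustrate what "verified using cryptographic signatures before processing" means in practice, the following is an added example written for this page; it is not ClinicTitan's code. The header names (X-Signature-Timestamp, X-Signature), the HMAC-SHA256 over "<timestamp>.<body>" signing convention, and the five-minute replay window are assumptions about the third-party service. The program verifies a genuine delivery, then rejects a tampered body, a replayed delivery, and a delivery with missing headers, all before the body is parsed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"time"
)

// maxSkew bounds how old a delivery may be; anything older is treated as a replay.
const maxSkew = 5 * time.Minute

// signPayload computes the MAC the sender is assumed to attach:
// hex(HMAC-SHA256(secret, "<unix-timestamp>.<raw body>")).
// The timestamp is covered by the MAC so it cannot be altered to extend the replay window.
func signPayload(secret []byte, ts int64, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(strconv.FormatInt(ts, 10)))
	mac.Write([]byte("."))
	mac.Write(body)
	return hex.EncodeToString(mac.Sum(nil))
}

// verifyWebhook checks freshness and signature of an inbound delivery. It returns nil
// only when the body may be parsed and acted on. tsHeader and sigHeader are the assumed
// X-Signature-Timestamp and X-Signature header values.
func verifyWebhook(secret []byte, tsHeader, sigHeader string, body []byte, now time.Time) error {
	if tsHeader == "" || sigHeader == "" {
		return errors.New("missing signature headers")
	}
	ts, err := strconv.ParseInt(tsHeader, 10, 64)
	if err != nil {
		return errors.New("malformed timestamp")
	}
	age := now.Sub(time.Unix(ts, 0))
	if age > maxSkew || age < -maxSkew {
		return errors.New("timestamp outside replay window")
	}
	expected := signPayload(secret, ts, body)
	// hmac.Equal compares in constant time, so timing does not leak the expected MAC.
	if !hmac.Equal([]byte(expected), []byte(sigHeader)) {
		return errors.New("signature mismatch")
	}
	return nil
}

func main() {
	secret := []byte("constructed-demo-secret")                        // in practice loaded from the secrets manager
	body := []byte(`{"event":"appointment.updated","id":"demo-123"}`) // constructed sample delivery
	now := time.Unix(1_800_000_000, 0)
	ts := strconv.FormatInt(now.Unix(), 10)
	sig := signPayload(secret, now.Unix(), body)

	fmt.Println("genuine delivery:", verifyWebhook(secret, ts, sig, body, now))
	fmt.Println("tampered body:", verifyWebhook(secret, ts, sig, []byte(`{"event":"appointment.deleted"}`), now))
	fmt.Println("replayed one hour later:", verifyWebhook(secret, ts, sig, body, now.Add(time.Hour)))
	fmt.Println("missing headers:", verifyWebhook(secret, "", "", body, now))
}
```

The order of checks matters: header presence and timestamp freshness are evaluated before the MAC, and the handler never parses JSON from a delivery that has not passed all of them.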
Application Security
Role-based access control (RBAC): Multiple distinct roles govern access to platform features and data. Users can only access data and functions appropriate to their role, consistent with the HIPAA minimum necessary standard (45 CFR 164.502(b)).
Multi-tenant isolation: Each tenant's data is logically isolated at the database level. Tenant identity is enforced on every API request through cryptographically signed claims. Cross-tenant data access is architecturally prevented.
Session management: Automatic session timeout protects against unauthorized access on unattended devices.
Input validation: All user input is validated and sanitized at both the client and server layers to prevent injection attacks.
No PHI in logs: Application logs, error messages, and monitoring systems are designed to never contain protected health information.
Data Security
Encryption at rest: All data stored in our database is encrypted using AES-256. Sensitive clinical fields (clinical notes, messages) receive an additional layer of application-level AES-256-GCM encryption.
PHI classification: Every column in our database schema is classified against the 18 HIPAA identifiers (45 CFR 164.514(b)(2)). Our internal data map tracks PHI classification across all database tables and columns.
Token masking: Payment tokens and sensitive identifiers are masked in all API responses to prevent accidental exposure.
Soft deletes: Records containing PHI are never hard-deleted. Audit trails are preserved through status-based archival.
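As an added illustration of the application-level AES-256-GCM layer described above (written for this page; it is not ClinicTitan's implementation), the following Go program encrypts a clinical-note field with a per-record random nonce and binds the ciphertext to its tenant, record and column through GCM's associated data. The key derivation, the column name and the tenant/record/column associated-data layout are assumptions. The binding also relates to the tenant-isolation point in the Application Security section: a ciphertext copied into another tenant's row, or a ciphertext with a single flipped bit, fails authentication and is rejected rather than decrypted into garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// demoKey returns a hypothetical 256-bit data-encryption key. In production the key
// lives in the secrets manager or a KMS, never in source; it is derived from a fixed
// string here only so the demo is reproducible.
func demoKey() []byte {
	sum := sha256.Sum256([]byte("constructed-demo-key-material"))
	return sum[:]
}

// aad builds the associated data that ties a ciphertext to one tenant, record and column.
// Decrypting under a different tenant or record fails, so ciphertexts cannot be moved between rows.
func aad(tenantID, recordID, column string) []byte {
	return []byte(tenantID + "|" + recordID + "|" + column)
}

// encryptField returns nonce||ciphertext||tag as one blob suitable for a binary column.
func encryptField(key []byte, tenantID, recordID, column string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil { // fresh random nonce per encryption
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad(tenantID, recordID, column)), nil
}

// decryptField reverses encryptField. Any change to nonce, ciphertext, tag or associated
// data fails authentication and returns an error instead of corrupted plaintext.
func decryptField(key []byte, tenantID, recordID, column string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad(tenantID, recordID, column))
}

func main() {
	key := demoKey()
	note := []byte("Patient reports improved sleep after dose adjustment.") // constructed sample
	const column = "clinical_notes.body"                                   // assumed column name
	blob, err := encryptField(key, "tenant-A", "note-42", column, note)
	if err != nil {
		panic(err)
	}
	pt, err := decryptField(key, "tenant-A", "note-42", column, blob)
	fmt.Printf("same tenant and record: %q err=%v\n", pt, err)
	_, err = decryptField(key, "tenant-B", "note-42", column, blob)
	fmt.Println("moved to another tenant:", err)
	blob[len(blob)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err = decryptField(key, "tenant-A", "note-42", column, blob)
	fmt.Println("tampered ciphertext:", err)
}
```

Storing the nonce alongside the ciphertext is standard for GCM; what must never be reused is the (key, nonce) pair, which the random 96-bit nonce handles for realistic per-key volumes.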
Audit & Monitoring
Comprehensive audit trail: Every access to protected health information is logged in an append-only audit system that cannot be modified or deleted.
6-year retention: Audit logs are retained for a minimum of six years in compliance with HIPAA requirements.
AI interaction auditing: All interactions with AI-powered features are logged separately for compliance review.
Infrastructure logging: Cloud infrastructure activity is logged and monitored for security events.
Compliance Framework
HIPAA Risk Analysis: We conduct formal risk assessments in accordance with 45 CFR 164.308(a)(1)(ii)(A), identifying threats, assessing vulnerabilities, and implementing mitigations.
Incident Response Plan: We maintain a documented, tested incident response plan with defined severity levels, response times, and breach notification procedures.
Business Associate Agreements: We execute BAAs with all vendors and subcontractors that access PHI, and track their compliance status in a formal register.
Workforce Training: All team members complete HIPAA security and privacy training upon onboarding and annually thereafter.
Sanctions Policy: We maintain a formal workforce sanctions policy for violations of our security and privacy policies.
LegitScript Certification: Our platform has received preliminary LegitScript certification for healthcare merchant legitimacy. Full certification is contingent upon completion of a post-launch operational audit.
Infrastructure
Our platform is built on enterprise-grade cloud infrastructure designed for reliability, scalability, and security.
Cloud provider: Our infrastructure is hosted on a HIPAA-eligible cloud platform that maintains SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018, HIPAA, and FedRAMP authorizations.
Compute: Cloud-native architecture with isolated execution environments and no persistent servers to patch or maintain.
Database: Managed relational database with continuous backup, point-in-time recovery, and encryption at rest.
Content delivery: Global CDN with DDoS protection and edge caching for static assets.
Secrets management: All credentials, API keys, and connection strings are stored in a dedicated, encrypted secrets management service with role-based access controls. No secrets are stored in application code or source control.
Platform by the Numbers
Metric                 Value
Platform modules       12 (8 live, 4 on roadmap)
API services           20+
Security layers        5 (network, application, data, audit, compliance)
HIPAA training         Required for all workforce members
Audit log retention    6 years minimum
Encryption standard    AES-256 at rest, TLS 1.2+ in transit
PHI classification     Every database column tagged
Tenant isolation       Database-level with cryptographically enforced boundaries
Payment Security
ClinicTitan does not store, process, or transmit full payment card numbers. All payment card data is handled by a PCI DSS Level 1 certified payment processing partner through secure, tokenized iframe fields that are embedded within our interface but served directly from the processor's domain. Card numbers never touch our servers.
We maintain our PCI DSS obligations through annual Self-Assessment Questionnaire (SAQ-A) completion and quarterly external vulnerability scans performed by a PCI-approved scanning vendor (ASV).
Privacy
We are committed to transparency about how we handle data. Our privacy practices are governed by:
Privacy Policy -- How we collect, use, disclose, and protect information
HIPAA Business Associate Privacy Statement -- Your rights regarding protected health information
Cookie Policy -- How we use cookies and tracking technologies
Terms of Service -- Terms governing use of our platform
Acceptable Use Policy -- Permitted and prohibited uses
Key Privacy Principles
Minimum necessary: We limit access to PHI to the minimum necessary for the intended purpose.
Privacy by default: Advertising and optional tracking technologies are disabled by default and require explicit opt-in. No tracking cookies are used on clinical pages, regardless of consent settings.
No sale of personal information: We do not sell personal information or PHI.
Patient rights: We support patients' rights to access, amend, and receive an accounting of disclosures of their health information, as directed through their healthcare provider.
Accessibility
We are committed to making our platform accessible to all users, including those with disabilities. We are working toward conformance with the Web Content Accessibility Guidelines (WCAG) 2.1 Level AA. We do not yet claim full conformance.
For more information, see our Accessibility Statement.
Responsible Disclosure
If you discover a security vulnerability in our platform, we encourage responsible disclosure. Please contact us at support@clinictitan.com with details of the vulnerability. We will acknowledge receipt of your report within two (2) business days. We ask that you:
Allow us a reasonable period (at least ninety (90) days) to investigate and address the issue before any public disclosure
Avoid accessing or modifying data belonging to other users
Act in good faith to avoid disruption to our services
Refrain from social engineering, phishing, or denial-of-service attacks against our personnel or infrastructure
Not exploit any vulnerability beyond what is necessary to demonstrate the issue
We are committed to working with security researchers to protect our users and will not pursue legal action against individuals who discover and report vulnerabilities in compliance with this responsible disclosure policy.
Certifications & Compliance
Standard                      Status       Notes
HIPAA / HITECH                Active       Operating as Business Associate under executed BAAs
PCI DSS                       SAQ-A        Payment card data handled exclusively by Level 1 certified processor
LegitScript                   Preliminary  Full certification pending post-launch operational audit
NIST Cybersecurity Framework  Aligned      Self-assessed alignment; independent assessment planned
SOC 2 Type II                 Planned      Not yet commenced
HITRUST CSF                   Planned      Not yet commenced
Questions?
For security-related inquiries, contact our Security Officer at support@clinictitan.com.
For privacy-related inquiries, contact our Privacy Officer at support@clinictitan.com.
For general inquiries, contact us at support@clinictitan.com.
*The security practices described on this page reflect our current posture and are subject to change as our platform evolves. This page does not constitute a warranty or guarantee of any particular security outcome.*