ClinicPro stores protected health information (PHI) and payment data on behalf of clinics. We take that responsibility seriously. This page summarizes our security posture and our responsible-disclosure policy.
1. Hosting & infrastructure
- Application and database are hosted on enterprise cloud infrastructure (Lovable Cloud / Supabase / Cloudflare), all of which maintain SOC 2 Type II compliance.
- All traffic is encrypted in transit via TLS 1.2+.
- Database storage is encrypted at rest with AES-256. File storage (consent forms, treatment photos, signatures) is encrypted at rest.
- Database backups run daily; point-in-time recovery is available for 7 days on Growth and 30 days on Premium.
2. Access control
- Every database table that contains clinic data has row-level security (RLS) enforcing tenant isolation by clinic_id. A user can never read or write another clinic's data.
- Application roles (owner, senior admin, admin, junior admin, manager, provider, front desk) gate write operations via a server-side permission matrix.
- Authentication is provided by Supabase Auth. Passwords are hashed with bcrypt; sessions use rotating JWTs.
3. Payments
Payments are processed by Paddle, a PCI DSS Level 1 service provider. ClinicPro never receives raw card numbers, CVCs, or full bank details. Webhook payloads are verified cryptographically before any subscription state is mutated.
4. Patient data (PHI)
- PHI is stored in the same multi-tenant database, isolated by RLS.
- Audit logs record who viewed or modified clinical records; logs are retained for 7 years.
- Outbound emails and SMS strip patient identifiers from subject lines and use one-time tokens for portal links.
- ClinicPro engineers do not access clinic data except when a clinic owner opens a written support request that explicitly authorizes it.
5. Logging & monitoring
- Application errors are captured via Sentry. PII fields (email, IP address, authorization headers, cookies) are stripped before the event leaves the client.
- Webhook failures, auth-failure spikes, email/SMS bounce rates, and database errors trigger pager alerts to the on-call engineer.
- The status of every subsystem is published in real time at /status.
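The client-side scrubbing described in the Sentry bullet above, as an added example that is not ClinicPro's own code: a beforeSend hook that removes the listed PII fields (email, IP address, authorization headers, cookies) from an event before it is sent. It assumes the standard Sentry browser SDK event shape (event.user, event.request) and uses a constructed sample event; header matching is case-insensitive so "Authorization" and "authorization" are both caught.

```javascript
// Header names to drop, compared case-insensitively. Add to this set as needed.
const SENSITIVE_HEADERS = new Set(["authorization", "proxy-authorization", "cookie", "set-cookie"]);

// Returns a scrubbed copy of a Sentry event; the caller's object is left untouched.
function scrubEvent(event) {
  const scrubbed = { ...event };

  if (scrubbed.user) {
    // Keep an opaque user id for correlation; drop email and IP address.
    const { email, ip_address, ...user } = scrubbed.user;
    scrubbed.user = user;
  }

  if (scrubbed.request) {
    const request = { ...scrubbed.request };
    delete request.cookies; // Sentry may attach cookies here as well as in headers
    if (request.headers) {
      request.headers = Object.fromEntries(
        Object.entries(request.headers).filter(
          ([name]) => !SENSITIVE_HEADERS.has(name.toLowerCase())
        )
      );
    }
    scrubbed.request = request;
  }
  return scrubbed;
}

// Constructed sample event (hypothetical values) shaped like a Sentry browser event.
const SAMPLE_EVENT = {
  message: "Failed to load consent form",
  user: { id: "user_123", email: "jane@example.org", ip_address: "203.0.113.7" },
  request: {
    url: "https://app.example.invalid/consent",
    headers: { Authorization: "Bearer abc", "content-type": "application/json", Cookie: "sid=1" },
    cookies: { sid: "1" },
  },
};

// Wiring when the Sentry SDK is loaded (sendDefaultPii stays off so the SDK
// does not re-add the IP address server-side):
//   Sentry.init({ dsn: "...", sendDefaultPii: false, beforeSend: scrubEvent });
```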
6. Vulnerability disclosure
If you believe you've found a security vulnerability in ClinicPro, please report it privately to security@clinicpro.io with:
- A description of the issue and steps to reproduce it.
- The version, browser, or environment where you observed it.
- Your name and how you'd like to be credited (optional).
We commit to acknowledging your report within 2 business days, providing a remediation timeline within 7 days, and crediting researchers who follow this policy. Do not perform testing that affects other clinics' data, attempt to access PHI you have no business reason to access, or run automated scanners against production without prior coordination.
7. Compliance roadmap
ClinicPro is operated by Divan Group. We are working toward SOC 2 Type II attestation in 2026. HIPAA Business Associate Agreements (BAAs) are available for clinics on the Premium plan; contact compliance@clinicpro.io.
8. Subprocessors
A current list of subprocessors is published in our DPA at /dpa.
Have questions? Email security@clinicpro.io.