Data protection
- Encryption in transit: TLS 1.2+ for all client and server traffic.
- Encryption at rest: AES-256 for databases, backups, and object storage.
- Tenant isolation: Row-level security enforced in the database, per-tenant credential vaults.
Access controls
- Mandatory TOTP MFA for all operator accounts.
- Least-privilege roles enforced server-side; admin roles stored in a dedicated table.
- Per-route guards block unenrolled or unauthorized access before any data is read.
Auditability
- Append-only audit log for sensitive operator actions.
- Webhook signature verification (HMAC-SHA256) on all inbound integrations.
- Idempotent conversion postbacks with replay-safe semantics.
Operations
- Edge-served APIs with regional failover.
- Automated dependency scanning and vulnerability management.
- Routine backups with documented restore procedures.
Compliance
ClinXtra operates as a HIPAA Business Associate. See our Business Associate Agreement and Privacy Policy.
Report a vulnerability
Email security@clinxtra.com. We acknowledge reports within one business day and credit researchers who request it.
