Trust

Security at ClinXtra

Patient trust is the product. We design, build, and operate ClinXtra with HIPAA-grade controls — and we keep proving it.

Data protection

  • Encryption in transit: TLS 1.2+ for all client and server traffic.
  • Encryption at rest: AES-256 for databases, backups, and object storage.
  • Tenant isolation: Row-level security enforced in the database, per-tenant credential vaults.

Access controls

  • Mandatory TOTP MFA for all operator accounts.
  • Least-privilege roles enforced server-side; admin roles stored in a dedicated table.
  • Per-route guards block unenrolled or unauthorized access before any data is read.

Auditability

  • Append-only audit log for sensitive operator actions.
  • Webhook signature verification (HMAC-SHA256) on all inbound integrations.
  • Idempotent conversion postbacks with replay-safe semantics.

Operations

  • Edge-served APIs with regional failover.
  • Automated dependency scanning and vulnerability management.
  • Routine backups with documented restore procedures.

Compliance

ClinXtra operates as a HIPAA Business Associate. See our Business Associate Agreement and Privacy Policy.

Report a vulnerability

Email security@clinxtra.com. We acknowledge reports within one business day and credit researchers who request it.