HIPAA-compliant by design. SOC 2 Type II audited. Every record encrypted, every access logged, every regulation covered — from day one, on every plan.
HIPAA Compliance
ClinyPal was designed HIPAA-first — not retrofitted for compliance. Every architectural decision, every feature, every data flow has been built and reviewed with HIPAA requirements in mind.
A Business Associate Agreement is provided and signed digitally before you process any patient data. No premium tier required.
All PHI is encrypted with AES-256 at rest and TLS 1.3 in transit. Keys are rotated automatically every 90 days and held in an isolated key management service.
Every access, edit, and export of a patient record is logged with timestamp, user ID, IP address, and action type. Logs are immutable and retained for 7 years.
Clinicians see patient records. Admin staff see billing. Receptionists see schedules. Each role is scoped precisely to what it needs and nothing more.
Security Architecture
All PHI encrypted at rest and in transit. TLS 1.3 for all data in motion. Encryption keys rotated every 90 days.
2FA enforced on all staff accounts via authenticator app or SMS (an authenticator app is the stronger choice; SMS codes can be intercepted by SIM swapping). SSO integration available on Enterprise plans.
Immutable logs of every record access, edit, export, and login — with user, timestamp, IP, and action. Retained 7 years.
Granular permissions per user role. Clinicians, admin, billing, reception — each scoped to exactly what they need.
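The audit-log items above list what is recorded (user, timestamp, IP, action) and describe the log as immutable. The Python below is an added illustration, not ClinyPal's code, of one way to make such a log tamper-evident: each entry carries a SHA-256 hash over its own fields plus the previous entry's hash, so any later edit or deletion breaks the chain and is reported by `verify()`. The field names, the `record_id` identifier, and the sample entries are constructed for this example.

```python
"""Hash-chained audit log: an added illustration, not ClinyPal's implementation."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the very first entry


def _canonical(entry: dict) -> bytes:
    # Canonical JSON so the same record always serialises (and hashes) identically.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    """Append-only log where every entry commits to the hash of the entry before it."""

    def __init__(self):
        self.entries = []

    def record(self, user_id, ip, action, record_id=None, ts=None):
        """Append one event. `record_id` is an assumed opaque identifier, never PHI."""
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "user_id": user_id,
            "ip": ip,
            "action": action,        # e.g. "login", "view", "edit", "export"
            "record_id": record_id,
            "prev_hash": prev_hash,
        }
        body["hash"] = hashlib.sha256(_canonical(body)).hexdigest()
        self.entries.append(body)
        return body["hash"]

    def verify(self):
        """Walk the chain. Returns (True, None) or (False, index_of_first_bad_entry)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev_hash"] != prev:
                return False, i  # an entry was removed or reordered before this one
            if hashlib.sha256(_canonical(body)).hexdigest() != entry["hash"]:
                return False, i  # a field inside this entry was changed
            prev = entry["hash"]
        return True, None


def demo():
    """Constructed sample: three events, then a silent edit of the exporter's user ID."""
    log = AuditLog()
    log.record("u-17", "203.0.113.5", "login", ts="2024-03-01T09:00:00+00:00")
    log.record("u-17", "203.0.113.5", "view", "pt-0042", ts="2024-03-01T09:01:10+00:00")
    log.record("u-17", "203.0.113.5", "export", "pt-0042", ts="2024-03-01T09:02:30+00:00")
    before = log.verify()                 # (True, None)
    log.entries[2]["user_id"] = "u-99"    # attacker rewrites who exported the record
    after = log.verify()                  # (False, 2)
    return before, after


if __name__ == "__main__":
    print(demo())
```

Hash chaining gives tamper evidence, not immutability on its own: whoever can rewrite the storage can also recompute the chain, so the latest hash has to be anchored somewhere writers cannot alter (append-only or WORM storage, or a periodically published checkpoint). Retention for 7 years is a storage-policy matter outside this snippet.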
Infrastructure
Choose where your data lives — US, EU, or AU. Data never transits between regions. GDPR-aligned for European clinics.
Real-time database replication with point-in-time recovery up to 30 days. RPO of under 1 minute, RTO under 4 hours.
Start your 30-day free trial and get access to full enterprise-grade security: BAA included, encryption on, audit logs running. Not a watered-down free tier — the full thing, completely free to start.
No credit card · BAA included · Full compliance from day one