Security
Security by design.
Trust starts with how the product is built. Below is an honest description of the security choices in ClapMed today. We're working toward formal compliance attestations and will publish updates as we complete them.
Tenant isolation
Each clinic gets its own database schema. Application queries are scoped per tenant so data from one clinic cannot leak into another. The same isolation extends to file storage and background jobs.
Authentication
Sign-in uses JSON Web Tokens delivered over HTTP-only cookies. Two-factor authentication via time-based one-time passwords is supported. Sessions time out after a configurable period of inactivity (currently 15 minutes by default).
Encryption
Traffic between clients and the server runs over TLS. At-rest encryption is available at the database and object-storage layer where the deployment supports it. Sensitive credentials are stored hashed rather than in plaintext.
Audit logging
Sensitive actions are recorded with the user, the resource, and a timestamp. The audit trail is designed to support internal reviews, incident investigation, and clinic-side compliance checks.
Self-hosted AI
The AI features that read clinical content — including ambient documentation and intelligent search — run inside the deployment using locally hosted models. Clinical notes and lab results are not sent to third-party AI providers.
File scanning
Uploaded documents are scanned for malware before they are made available in the system, helping reduce the risk of compromised files spreading through a clinic.
Access control
Role-based access control governs which users can see and act on which resources. Permissions are configured per tenant so each clinic can shape access to its own workflows.
On certifications.
We focus first on getting the architecture right. The product is designed to support PIPEDA-aligned data handling and to align with HIPAA principles where deployments are operated in that context, but we do not currently claim to hold third-party attestations. When formal audits and certifications are completed, we will publish them here with the auditor and date.