Security & Compliance
Built For Healthcare.
Secured By Default.
ClinikAPI handles HIPAA compliance, encryption, tenant isolation, and audit logging so you can build clinical applications without building a security team.
HIPAA Compliant
Every paid plan includes a signed Business Associate Agreement (BAA). PHI is handled according to HIPAA Administrative, Physical, and Technical Safeguard requirements. We never access, sell, or monetize patient data.
Encryption Everywhere
AES-256 encryption at rest via AWS HealthLake with AWS-owned KMS keys. TLS 1.2+ for all data in transit. API keys are SHA-256 hashed before storage — we never store plaintext secrets.
SOC 2 Type II
Our environment is designed to meet SOC 2 Type II standards. We run on AWS infrastructure which maintains SOC 1/2/3, ISO 27001, and HITRUST certifications, ensuring a secure foundation for clinical data.
Tenant Isolation
Every FHIR resource is tagged with your organization's tenant ID via meta.tag. All searches are automatically filtered by _tag — there is no API path to access another tenant's data. Enterprise customers get physically isolated HealthLake datastores.
API Key Security
Keys use the clk_live_ / clk_test_ prefix format for environment clarity. Keys are hashed with SHA-256 before storage. Scoped permissions (read/write), expiration dates, and instant revocation from the dashboard. 60-second validation cache.
Audit Logging
Every API request is logged with method, path, status code, latency, FHIR resource type, and tenant context. Logs are stored in AWS RDS and synced to your Supabase dashboard for real-time monitoring. PHI is never included in error messages or logs.
Network Security
API runs on AWS Lambda behind function URLs with automatic DDoS protection. Rate limiting per tenant (DynamoDB-backed, survives cold starts). Request body size capped at 1MB. Path traversal protection on all resource IDs.
Data Residency
All data is stored in AWS us-east-1 by default. Enterprise customers can choose their preferred AWS region for data residency compliance. HealthLake datastores are encrypted with AWS-owned KMS keys and never leave the selected region.
SDK Security Hardening
The @clinikapi/sdk includes built-in protections that catch common security mistakes before they reach production.
Browser detection: warns if the SDK is used client-side (API key exposure risk).
HTTPS enforcement: warns if baseUrl is not HTTPS.
Path traversal protection: resource IDs validated against [a-zA-Z0-9\-_.].
FHIR include injection: _include values validated against the ResourceType:field pattern.
Body size limits: requests over 1MB rejected before the network call.
PHI sanitization: error messages never contain patient data values.
Jittered retries: full jitter backoff prevents a thundering herd on failures.
Circular reference detection: request body serialization catches circular objects.
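The checks above, as an added example that is not the @clinikapi/sdk source: the ID character class, the ResourceType:field shape, the 1MB cap and full jitter backoff are taken from the list; the function names, error messages and the explicit rejection of "." and ".." are assumptions of mine.

```javascript
// Added example, not the @clinikapi/sdk source: request-side guards of the kind the
// SDK Security Hardening section lists. Names, messages and the "." / ".." check are mine.
const ID_PATTERN = /^[a-zA-Z0-9\-_.]+$/;                   // page: [a-zA-Z0-9\-_.]
const INCLUDE_PATTERN = /^[A-Z][A-Za-z]+:[a-z][a-z0-9-]*$/; // page: ResourceType:field
const MAX_BODY_BYTES = 1024 * 1024;                         // page: requests over 1MB rejected

// A resource ID is interpolated into the URL path, so anything that could act as a
// path or query metacharacter ("/", "?", "#", "%", "..") must be refused up front.
function validateResourceId(id) {
  if (typeof id !== 'string' || !ID_PATTERN.test(id) || id === '.' || id === '..') {
    throw new TypeError('invalid FHIR resource id'); // value is not echoed (PHI-safe)
  }
  return id;
}

// _include is a search parameter; only the two-part ResourceType:field form is accepted,
// so "&", "=" or extra parameters cannot be smuggled into the query string.
function validateInclude(value) {
  if (typeof value !== 'string' || !INCLUDE_PATTERN.test(value)) {
    throw new TypeError('invalid _include value');
  }
  return value;
}

// Serializes the body before any network call: circular objects are detected by tracking
// the chain of ancestors (shared, non-cyclic references stay allowed), then the encoded
// size is checked against the 1MB cap.
function serializeBody(body) {
  const ancestors = [];
  const json = JSON.stringify(body, function (_key, v) {
    if (v === null || typeof v !== 'object') return v;
    // `this` is the object holding v; unwind to it so ancestors only holds parents of v.
    while (ancestors.length && ancestors[ancestors.length - 1] !== this) ancestors.pop();
    if (ancestors.includes(v)) throw new TypeError('circular reference in request body');
    ancestors.push(v);
    return v;
  });
  if (new TextEncoder().encode(json).length > MAX_BODY_BYTES) {
    throw new RangeError('request body exceeds 1MB');
  }
  return json;
}

// Full jitter backoff: wait a uniformly random time in [0, min(cap, base * 2^attempt)],
// so retrying clients spread out instead of hammering the API in lockstep.
function fullJitterDelay(attempt, base = 100, cap = 10_000, rand = Math.random) {
  return Math.floor(rand() * Math.min(cap, base * 2 ** attempt));
}
```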
Enterprise Data Isolation
Enterprise customers get a dedicated AWS HealthLake datastore — physically separate infrastructure, never shared with other tenants. Choose your AWS region for data residency compliance.
100% Encrypted At Rest + Transit
Responsible Disclosure
Found a security vulnerability? We take every report seriously. Please email us at [email protected] with details. We commit to acknowledging reports within 24 hours and providing a fix timeline within 72 hours.
Ready To Transform Healthcare?
Join 500+ developers building the future of clinical workflows on ClinikAPI. Get your production keys in seconds.
$ npm install @clinikapi/sdk
import { Clinik } from '@clinikapi/sdk'

const clinik = new Clinik('clk_live_...')

const { data: patient } = await clinik.patients.create({
  firstName: 'Jane',
  lastName: 'Doe',
  email: '[email protected]'
})
// Stored in HIPAA vault