Security & Compliance
Built For Healthcare.
Secured By Default.
ClinikAPI handles HIPAA compliance, encryption, tenant isolation, and audit logging so you can build clinical applications without building a security team.
HIPAA Compliant
Every paid plan includes a signed Business Associate Agreement (BAA). PHI is handled according to HIPAA Administrative, Physical, and Technical Safeguard requirements. We never access, sell, or monetize patient data.
Encryption Everywhere
AES-256 encryption at rest with cloud-managed KMS keys. TLS 1.2+ for all data in transit. API keys are SHA-256 hashed before storage — we never store plaintext secrets.
SOC 2 Type II
Our environment is designed to meet SOC 2 Type II standards. We run on cloud infrastructure that maintains SOC 1/2/3, ISO 27001, and HITRUST certifications, ensuring a secure foundation for clinical data.
Tenant Isolation
Every FHIR resource is tagged with your organization's tenant ID via meta.tag. All searches are automatically filtered by _tag — there is no API path to access another tenant's data. Enterprise customers get physically isolated FHIR datastores.
API Key Security
Keys use the clk_live_ / clk_test_ prefix format so the environment is obvious at a glance. Keys are hashed with SHA-256 before storage. Each key supports scoped permissions (read/write), an expiration date, and instant revocation from the dashboard. Key validation results are cached for 60 seconds, so a revoked key can remain accepted until its cached validation expires.
Audit Logging
Every API request is logged with method, path, status code, latency, FHIR resource type, and tenant context. Logs are stored securely and synced to your dashboard for real-time monitoring. PHI is never included in error messages or logs.
Network Security
The API runs on serverless cloud functions with automatic DDoS protection. Rate limiting is enforced per tenant and survives cold starts. Request bodies are capped at 1MB. All resource IDs are checked for path traversal.
Data Residency
All data is stored in US regions by default. Enterprise customers can choose their preferred cloud region for data residency compliance. FHIR datastores are encrypted with managed KMS keys and never leave the selected region.
SDK Security Hardening
The @clinikapi/sdk includes built-in protections that catch common security mistakes before they reach production.
Browser detection: warns if the SDK is used client-side (API key exposure risk)
HTTPS enforcement: warns if baseUrl is not HTTPS
Path traversal protection: resource IDs are validated against [a-zA-Z0-9\-_.]
FHIR include injection: _include values are validated against the ResourceType:field pattern
Body size limits: requests over 1MB are rejected before the network call
PHI sanitization: error messages never contain patient data values
Jittered retries: full-jitter backoff prevents a thundering herd on failures
Circular reference detection: request body serialization catches circular objects
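As an added illustration of the checks listed above (this is example code, not the @clinikapi/sdk source), the guard below validates one outgoing request the same way: only the 1MB cap and the resource ID charset come from the page; the function names, the exact _include regex and the byte accounting are assumptions.

```javascript
// Added example, not the SDK's own code. Values taken from the page: the 1MB
// body cap and the [a-zA-Z0-9\-_.] resource ID charset. Everything else is assumed.
const MAX_BODY_BYTES = 1024 * 1024;                       // "requests over 1MB rejected"
const RESOURCE_ID_RE = /^[a-zA-Z0-9\-_.]+$/;              // blocks "/", "..", encoded slashes
const INCLUDE_RE = /^[A-Z][A-Za-z]*:[a-z][A-Za-z0-9]*$/;  // assumed ResourceType:field shape

// Serialize a request body, refusing circular structures explicitly. Ancestors
// are tracked (not every seen object), so the same object referenced twice as a
// sibling is still allowed; only a true cycle is rejected.
function serializeBody(body) {
  const ancestors = [];
  return JSON.stringify(body, function (key, value) {
    if (value === null || typeof value !== 'object') return value;
    // `this` is the object that holds `key`; unwind the stack back to it
    while (ancestors.length > 0 && ancestors[ancestors.length - 1] !== this) ancestors.pop();
    if (ancestors.includes(value)) throw new Error('request body contains a circular reference');
    ancestors.push(value);
    return value;
  });
}

// Validate one request before any network call. Error strings describe the
// failing field but never echo its value, so a malformed ID or a patient field
// cannot leak into logs through the message (the PHI sanitization rule above).
function checkRequest({ baseUrl, resourceId, include, body }) {
  const errors = [];
  const warnings = [];

  if (typeof window !== 'undefined') warnings.push('SDK used in a browser: API key exposure risk');
  if (!/^https:\/\//i.test(String(baseUrl))) warnings.push('baseUrl is not HTTPS');

  if (resourceId !== undefined && !RESOURCE_ID_RE.test(String(resourceId))) {
    errors.push('resource id contains disallowed characters');
  }
  for (const inc of include ?? []) {
    if (!INCLUDE_RE.test(String(inc))) errors.push('_include value is not ResourceType:field');
  }

  let serialized = null;
  if (body !== undefined) {
    try {
      serialized = serializeBody(body);
      // Count UTF-8 bytes, not JS string length, so multi-byte text is measured as sent
      if (new TextEncoder().encode(serialized).length > MAX_BODY_BYTES) {
        errors.push('request body exceeds 1MB');
      }
    } catch (e) {
      errors.push(e.message);
    }
  }
  return { ok: errors.length === 0, errors, warnings, serialized };
}
```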
Enterprise Data Isolation
Enterprise customers get a dedicated FHIR datastore — physically separate infrastructure, never shared with other tenants. Choose your preferred cloud region for data residency compliance.
100% Encrypted At Rest + Transit
Responsible Disclosure
Found a security vulnerability? We take every report seriously. Please email us at [email protected] with details. We commit to acknowledging reports within 24 hours and providing a fix timeline within 72 hours.
Ready To Transform Healthcare?
Join 500+ developers building the future of clinical workflows on ClinikAPI. Get your production keys in seconds.
$ npm install @clinikapi/sdk

import { Clinik } from '@clinikapi/sdk'

const clinik = new Clinik('clk_live_...')

// Top-level await requires an ES module context
const { data: patient } = await clinik.patients.create({
  firstName: 'Jane',
  lastName: 'Doe',
  email: '[email protected]'
})
// Stored in HIPAA vault