Trust Center

The Clinakos Trust Center serves as the primary repository for our security, privacy, and compliance documentation. As a leader in patient-level data and AI for rare diseases and oncology, we are committed to full transparency regarding how we protect sensitive health information and govern our Medically Smart AI technology. This portal provides our partners and customers with real-time visibility into our adherence to global regulatory standards and industry best practices.

Security & Compliance

We maintain the highest standards of security and compliance to protect the privacy and data of our patients, clients, and partners.

HIPAA Compliant

The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law that establishes national standards for protecting sensitive patient health information from being disclosed without the patient’s consent or knowledge.

SOC 2 Type II

The SOC 2 (Service Organization Control 2) framework is crucial for service providers managing client data, as it demonstrates adherence to robust security and privacy controls. It builds client trust by protecting sensitive information and maintaining high standards in data security and privacy. Compliance is imperative for businesses operating in the digital era, assuring clients of data security.

GDPR

The GDPR (General Data Protection Regulation) is a legal framework that sets guidelines for the collection and processing of personal data from individuals within the European Union (EU) and the European Economic Area (EEA). It aims to give control to individuals over their own data and to simplify the regulatory environment for international business by unifying the data protection laws across the EU.

Legal

Privacy Policy

Terms of Service

Corporate Security

Email Protection

Clinakos uses advanced email security to protect sensitive healthcare and business communications from unauthorized access and abuse. We combine strong encryption, MFA for all users, policy-based controls, phishing and malware detection, and continuous monitoring to ensure that patient-level data and confidential information remain secure throughout every email exchange.

Employee Training

Clinakos establishes training programs to help personnel gain awareness of information security best practices. Personnel are required to complete the training during onboarding. Periodic refresher training is provided to personnel at least annually and as deemed necessary (e.g., upon changes in security requirements, policies, regulations, etc.).

Incident Response

Clinakos has a documented incident response plan that outlines roles, responsibilities, and procedures to document, analyze, categorize, and respond to incidents. The incident response plan is reviewed periodically and updated as needed according to lessons learned from previous incidents and industry developments.

Penetration Testing

An external penetration test of Clinakos’ production environments is periodically performed by an independent third party. Results are reviewed by management, and vulnerabilities are tracked to resolution in accordance with company policies.

Access Control

Data Access

All access to Clinakos’ systems and data is regulated by the role-based access control (RBAC) method, based on the Principle of Least Privilege. Unique and strong passwords are required for all users. User authentication to systems requires the use of multi-factor authentication where technically feasible. Furthermore, MFA is enforced for all systems that provide the option for multi-factor authentication. Access reviews are performed on a quarterly basis to ensure proper authorizations are in place.

Logging

Clinakos uses a centralized system that collects and stores logs of system activity and sends alerts to personnel based on pre-configured rules. Clinakos also ensures that logging mechanisms are in place to capture security-relevant events across systems that store or process sensitive information.

Password Manager

A password manager is installed on all company-managed devices. Additionally, MFA is enforced for all systems that provide the option for multi-factor authentication.

Password Security

Clinakos mandates strong password requirements for all systems in accordance with company policy. Passwords are required to have complex combinations and are stored in encrypted storage. Furthermore, Clinakos ensures all employees enable MFA for all systems that provide the option for multi-factor authentication.

Virtual Private Network (VPN)

Remote access to production systems is only available through an encrypted connection (e.g., encrypted virtual private network, SSH, etc.).

Infrastructure

AWS

Clinakos uses Amazon Web Services (AWS) to host our infrastructure.

BC/DR

Clinakos conducts tests of the business continuity and disaster recovery plans at least annually. Results and lessons learned are documented, and updates to the plans are made as necessary.

Infrastructure Security

Clinakos secures its infrastructure through centralized logging, continuous monitoring, and strict access controls across all systems. Audit logs capture key activities such as data access, authentication, and system changes, and are protected from unauthorized access or tampering. Monitoring tools and alerts enable rapid detection and response to security events, ensuring the ongoing protection of systems and sensitive data.

Separate Production Environment

Pre-production environments (e.g., development, testing, etc.) are separated from production environments, and the separation is enforced with access controls.

Data Security

Access Monitoring

Clinakos enforces strict access monitoring by granting system access on a role-based, least-privilege basis and requiring unique, authenticated user accounts (with MFA where feasible) for all users. Access requests and changes are formally approved, logged, and reviewed on a regular cadence to ensure permissions remain appropriate, while automated session timeouts, remote access controls, and rapid revocation during offboarding reduce the risk of unauthorized use.

Data Backups

Backups are encrypted and segmented from production systems (e.g., air-gapped, replicated to a different region, stored offsite, etc.) to ensure protection from a disaster or incident. Backups of production data are performed at least daily and are configured to be retained in accordance with the retention periods established in company policies and procedures.

Data Erasure

Clinakos disposes of data securely upon expiration of the established retention periods, when requested by customers, or when the data is no longer needed for legal, regulatory, and/or business reasons.

Encryption-at-rest

Data at rest is encrypted using strong cryptographic algorithms.

Encryption-in-transit

Data in transit is encrypted using strong cryptographic algorithms.

Physical Security

Clinakos protects its facilities and systems through restricted physical access, badge-based entry, and visitor controls, while ensuring workstations and devices are physically secured and sensitive or PHI data is handled only in controlled, monitored areas.

Product Security

Audit Logging

Audit logs are enabled and active for all system components and sensitive data in accordance with company policies.

Data Security

Clinakos protects data with layered controls, including role-based, least-privilege access with strong authentication, continuous logging and monitoring across systems and cloud infrastructure, and physical safeguards that prevent unauthorized access, tampering, or exposure of sensitive information.

Multi-Factor Authentication

MFA is enforced on all systems that provide the option for Multi-Factor Authentication (MFA). Access reviews are performed on a quarterly basis to ensure proper authorizations are in place.

Role-Based Access Control

Clinakos ensures that all access to systems and data is regulated by the role-based access control (RBAC) method, based on the Principle of Least Privilege.

SSO Support

Authentication requirements, such as single sign-on (SSO) authentication and/or minimum password requirements, are enforced across all systems in accordance with our Password Policy.

Team Management

Management has defined and documented roles and responsibilities for implementation and oversight of the risk management and compliance programs (e.g., security, privacy, AI, etc.). All access to systems and data is regulated by the role-based access control (RBAC) method, based on the Principle of Least Privilege.

Policies

The Acceptable Use Policy specifies acceptable use of end-user computing devices and technology.

The Asset Management Policy defines the implementation and documentation of asset management practices, plans, processes, and procedures within the organization.

A backup policy is a pre-defined schedule whereby information from business applications is copied to ensure data recoverability in the event of accidental data deletion, corrupted information, or a system outage.

The Breach Notification Policy defines how breaches are reported and managed, as well as the thresholds for notification of various parties.

The Business Associate Policy provides the process for Business Associate Agreements (BAA) and the contractual arrangements as required by the HIPAA Privacy and Security Rules.

A business continuity plan (BCP) is a document that outlines how a business will continue operating during an unplanned disruption in service.

The Change Management Policy establishes Clinakos’ processes to manage changes across the organization in a well-communicated, planned, and predictable manner that minimizes unplanned outages and unforeseen system issues.

The Code of Conduct defines expected behavior from employees towards their colleagues, supervisors, and the overall organization.

The Data Classification Policy defines the high-level objectives and implementation instructions for the company’s data classification scheme.

Clinakos’ Data Protection policy outlines many of the procedures and technical controls in support of data protection.

The Data Retention Policy stipulates when data no longer serves its purpose and should be deleted, and when the data retention period has been met.

The Encryption Policy establishes the types of data, devices, and media that must be encrypted, when encryption must be used, and the minimum standards for the software and techniques used for encryption.

The Incident Response Plan establishes controls to ensure detection of security vulnerabilities and incidents, as well as quick reaction and response to security breaches.

The Information Security Policy is a set of rules, policies, and procedures designed to ensure all users and networks within Clinakos meet minimum IT security and data protection security requirements.

The Network Security Policy outlines requirements for the deployment, management, and operation of network security controls at the company.

The Password Policy describes Clinakos’ procedure for selecting and securely managing passwords.

The purpose of the Personal Data Management Policy is to establish, document, approve, communicate, apply, evaluate, and maintain policies and procedures for managing personal data within Clinakos.

The Physical Security Policy establishes the rules governing controls, monitoring, and removal of physical access to Clinakos facilities.

The Privacy, Use, and Disclosure Policy covers the HIPAA Privacy Rule and ensures protected health information (PHI) is only released with proper documentation to authorized parties.

The Risk Assessment Policy defines the methodology for the assessment and treatment of information security risks within the company, and defines the acceptable level of risk as set by the company’s leadership.

The Software Development Life Cycle Policy defines the high-level requirements for guiding business program managers, business project managers, technical project managers, and other program and project stakeholders in the approval, planning, and life-cycle development of Clinakos’ software systems.

The System Access Control Policy defines procedures to onboard and offboard users to technical infrastructure in a manner that minimizes the risk of information loss or exposure.

The Vendor Management Policy defines the rules for relationships with Clinakos’ Information Technology (IT) vendors and partners.

The Vulnerability Management Policy outlines Clinakos’ procedures to uncover, classify, track, and remediate security vulnerabilities.

Reports

Full penetration test reports are available upon request. Contact us to request them.

Clinakos’ SOC 2 Type II audit report is available upon request. Contact us to request it.

Data Privacy

Data Breach Notifications

Clinakos has established a process for breach notification based on applicable regulations (e.g., HIPAA, GDPR, CCPA, etc.).

Clinakos conducts a data protection impact assessment when planning for the processing of new PII, changing the processing of existing PII, or as otherwise required. Results of the assessment are documented and retained.

Employee Privacy Training

Clinakos has established training programs to help personnel gain awareness of information security best practices. Personnel are required to complete the training during onboarding. Periodic refresher training is provided to personnel at least annually and as deemed necessary (e.g., upon changes in security requirements, policies, regulations, etc.).

Questions About Security?

Our security team is here to answer your questions and provide additional documentation.