Security at Clin

Last updated: May 2026

Sterling Family Dental should not have to think about cryptography to know its money is safe. The notes below describe how we build Clin so that the answer to “is this secure?” is always yes — and so that you can verify it.

How we encrypt your data

Every byte of practice data is encrypted in transit with TLS 1.3 and at rest with AES-256. Encryption keys are managed by AWS KMS and rotated automatically; no engineer at Clin can read raw account balances, transaction descriptions, or patient identifiers from a database snapshot. Database backups are themselves encrypted with a separate key hierarchy and stored in a region-isolated vault.

Where your money actually sits

Clin is a financial technology company, not a bank. Operating and Reserve balances are held at our partner banks, which are FDIC-insured up to the standard $250,000 per depositor, per insured bank. For practices that need more coverage, our sweep program automatically distributes deposits across a network of program banks for up to $3 million in aggregate FDIC insurance. Cards are issued by a partner Mastercard issuer under a BIN-sponsorship agreement we audit annually.

Infrastructure and compliance

Clin runs on AWS in the us-east-1 and us-west-2 regions with hourly cross-region replication. We are mid-engagement with a Big Four firm on our SOC 2 Type II audit (observation window opened January 2026, report expected Q4 2026). PCI scope is reduced because cardholder data never touches Clin servers — we tokenize card numbers at the edge through our processor, and our PCI-certified partners hold the cryptograms.

HIPAA, PHI, and what we deliberately don't store

Clin is not a covered entity and not a business associate of your practice — we sit on the financial side of the wall, not the clinical side. We integrate with practice-management systems like Dentrix and Open Dental for codes, payor responses, and ledger balances, but we never ingest or store chart notes, x-rays, or other protected health information. Patient names that appear on payments are minimized to a first name and last initial in our displays, and the full name is purged from our analytics pipeline.

Access controls and the human side

Access to production systems is gated by hardware security keys and short-lived, just-in-time (JIT) credentials brokered through our identity provider; no engineer holds standing production access. Every production query is logged with a justification, and a randomized 10% of accesses are reviewed each week by a second engineer. New employees do not receive any production access until they have completed background checks, security training, and a 30-day shadowing period.

Incident response

We run a 24/7 on-call rotation with a defined paging hierarchy. For any incident that touches customer money or data, we commit to an initial customer notification within 72 hours of confirmation, a public post-mortem within 14 days, and a remediation plan with named owners and dates. Status updates live at status.joinclin.com.

Responsible disclosure

If you believe you have found a vulnerability in Clin, please email security@joinclin.com with reproduction steps. We respond to every report within one business day. We do not pursue legal action against good-faith researchers who follow our disclosure guidelines, and we pay cash bounties for valid findings — $100 to $25,000 depending on severity. Do not test against another customer's account; we run a dedicated staging environment for security testing on request.

What you can do on your end

The biggest single thing a practice can do is turn on two-factor authentication for every staff member with login access — it is on by default for new accounts and required for transfers over $5,000. Beyond that:

Questions about anything above? Email security@joinclin.com. Real humans, fast replies.