Legal
Security at Clin
Last updated: July 2026
Clin is pre-launch. Nothing below is an attestation yet — it is the security bar we are building to, published now, in specific terms, so that practices and partners can hold us to every line of it at launch. Where a claim can't be verified today, we say so.
How your data will be protected
All practice data will be encrypted in transit with TLS 1.3 and at rest with AES-256, with keys managed and rotated in a cloud KMS. The design constraint we are building around: no Clin engineer should be able to read raw account balances, transaction descriptions, or patient identifiers from a database snapshot. Backups will be encrypted under a separate key hierarchy and stored region-isolated.
Where your money will sit
Clin is a financial technology company, not a bank. Deposits will be held at U.S.-chartered partner banks and will be eligible for FDIC insurance up to applicable limits through those banks. We will publish the names of our partner institutions, and exactly how pass-through insurance applies, before the first practice onboards — not after.
Compliance commitments
We will complete a SOC 2 Type II examination before general availability, and early-cohort practices will be able to request the report. Cardholder data will be tokenized at PCI-DSS-certified processors so card numbers never touch Clin servers — a design constraint, not an aspiration. Third-party penetration testing will run before launch and at least annually after it.
HIPAA, PHI, and what we deliberately won't store
Clin sits on the financial side of the wall, not the clinical side. Integrations with practice-management systems will read codes, payer responses, and ledger balances — never chart notes, x-rays, or other protected health information. Patient references on payments will be minimized to a first name and last initial. The less we hold, the less there is to protect.
Access controls
Production access will be gated by hardware security keys and short-lived, just-in-time credentials — no standing production access for anyone, including founders. Every production query logged with a justification, with a sampled second-engineer review. These controls go in before the first dollar moves, not after the first incident.
Incident response
For any incident touching customer money or data: initial customer notification within 72 hours of confirmation, a public post-mortem within 14 days, and a remediation plan with named owners. We will run a public status page from day one.
Responsible disclosure — live today
This one is not a future commitment. If you believe you have found a vulnerability in anything Clin operates, email security@joinclin.com with reproduction steps. We read every report, we respond, and we do not pursue legal action against good-faith researchers. A paid bounty program will launch with the product.
Questions, or want to pressure-test any of the above before trusting us with a dollar? Email security@joinclin.com. Real humans, fast replies.