Security by architecture.

Security is not a feature in ClinexaOS — it is a foundational constraint that shapes every architectural decision from the ground up.

Security Architecture

ClinexaOS is architected around the principle of least privilege and zero-trust networking. Every component assumes breach of adjacent components and enforces authentication and authorisation independently.

Encryption at Rest

AES-256 encryption for all stored data. Keys managed via HSM with automatic rotation on a 90-day cycle.

Encryption in Transit

TLS 1.3 enforced for all API and web traffic. Certificate pinning applied to all mobile and native clients.

Access Control

Role-based access control (RBAC) at every API endpoint. Attribute-based access control (ABAC) for clinical data operations.

Audit Logging

Immutable, append-only audit logs for every data access, API call, and administrative action. Tamper-evident using cryptographic chaining.
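As an added illustration of the cryptographic chaining described above (example code written for this page, not ClinexaOS's implementation), the following Python appends audit records so that each one commits to the hash of its predecessor, then shows how a modified record is detected. The event fields are constructed samples.

```python
import hashlib
import json
from typing import Optional

# Hash used as the "previous hash" of the very first record.
GENESIS = "0" * 64

# Constructed sample audit events (not real data).
SAMPLE_EVENTS = [
    {"ts": "2025-03-01T09:00:00Z", "actor": "dr.alice", "action": "read", "record": "patient/1001"},
    {"ts": "2025-03-01T09:02:10Z", "actor": "dr.alice", "action": "update", "record": "patient/1001"},
    {"ts": "2025-03-01T09:05:42Z", "actor": "admin.bob", "action": "grant_role", "record": "user/carol"},
]

def _record_hash(prev_hash: str, entry: dict) -> str:
    # Canonical JSON so the same entry always hashes identically.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + "\n" + payload).encode()).hexdigest()

def append_record(log: list, entry: dict) -> dict:
    """Append an entry, chaining it to the hash of the previous record."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    record = {"entry": entry, "prev_hash": prev_hash,
              "hash": _record_hash(prev_hash, entry)}
    log.append(record)
    return record

def verify_chain(log: list) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first bad record.

    Detects edits to any stored entry and splices that break the links.
    Truncation of the tail is only detectable if the latest hash is also
    anchored externally (e.g. signed or published), which is out of scope here.
    """
    expected_prev = GENESIS
    for i, rec in enumerate(log):
        if rec["prev_hash"] != expected_prev:
            return i
        if _record_hash(rec["prev_hash"], rec["entry"]) != rec["hash"]:
            return i
        expected_prev = rec["hash"]
    return None

def demo() -> tuple:
    """Build a chain, then tamper with record 1 and check both states."""
    log = []
    for event in SAMPLE_EVENTS:
        append_record(log, event)
    before = verify_chain(log)            # None: chain intact
    log[1]["entry"]["actor"] = "mallory"  # rewrite who performed the update
    return before, verify_chain(log)      # (None, 1): tamper found at index 1
```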

Vulnerability Management

Continuous automated scanning, supplemented by manual penetration testing by certified third parties conducted annually and after major releases.

Network Isolation

All clinical workloads run in isolated VPCs. No inbound public internet access to data-processing nodes. Egress filtered and monitored.

Certifications & Audits

  • ISO 27001:2022 — Information Security Management System certified. Annual surveillance audits conducted by accredited third-party certification body.
  • SOC 2 Type II — Annual report covering Security, Availability, and Confidentiality trust service criteria. Reports available to enterprise customers under NDA.
  • CE Mark (EU MDR) — AI-assisted radiology reporting module certified under EU Medical Device Regulation 2017/745.
  • Penetration Testing — Annual independent penetration test by CREST-certified security firm. Most recent test: Q1 2025. No critical findings.

Responsible Disclosure

We welcome security researchers who identify vulnerabilities in our platform. Please report findings to info@clinexaos.com using our PGP key (available on request). We commit to:

  • Acknowledging receipt within 24 hours
  • Providing an initial assessment within 5 business days
  • Keeping you informed of remediation progress
  • Recognising your contribution in our security hall of fame (with your permission)

Scope: api.clinexaos.com, app.clinexaos.com. Out of scope: physical security, social engineering, denial of service attacks, and third-party services.

Security Contacts

  • Security: info@clinexaos.com
  • Incident & vulnerability reports: info@clinexaos.com
  • Data Protection enquiries: info@clinexaos.com

SOC 2 Type II reports available to enterprise customers on request under NDA.