Skip to main content
Trust Center

Security

How ClinixQM protects your data and maintains the security controls expected by regulated organizations.

Infrastructure & Hosting

ClinixQM is hosted on Microsoft Azure, leveraging enterprise-grade infrastructure with built-in security controls. Our architecture is designed for reliability, scalability, and security.

  • Azure Static Web Apps for frontend hosting with global CDN distribution
  • Azure Functions for serverless API compute with automatic scaling
  • Azure Cosmos DB for document storage with automatic geo-replication capabilities
  • Azure Blob Storage for file attachments with soft-delete protection

Data Encryption

All customer data is encrypted both at rest and in transit using industry-standard encryption protocols.

  • Encryption at rest: Azure-managed encryption keys (AES-256) for all data stores
  • Encryption in transit: TLS 1.2 or higher enforced for all connections
  • HTTPS only: All HTTP requests redirected to HTTPS

Tenant Isolation

ClinixQM is a multi-tenant application where each organization's data is logically isolated from other tenants. This isolation is enforced at multiple layers.

  • Database partitioning: Each organization's data is stored in separate partitions with orgId-based access controls
  • Server-side validation: Organization context is determined from authenticated user tokens, never from client input
  • Storage isolation: File attachments are stored in organization-specific containers

Access Controls

ClinixQM implements role-based access control (RBAC) with granular permissions to ensure users only access data appropriate to their role.

  • Role-based permissions: Owner, Admin, User, and Viewer roles with configurable permissions
  • Enterprise SSO: OIDC/SAML integration with domain allowlist controls (Scale plan)
  • Session management: Configurable session timeouts with cross-tab synchronization
  • Password policies: Minimum complexity requirements enforced at signup

Audit Logging

Comprehensive audit logging captures user actions and system events to support compliance requirements and security investigations.

  • Login/logout events with IP addresses
  • Document creates, updates, and deletes
  • Approval actions and workflow state changes
  • User and role management changes
  • Export and download activities

Incident Response

We maintain documented incident response procedures to ensure timely detection, containment, and communication of security incidents.

  • Documented incident classification and escalation procedures
  • Customer notification within 72 hours for incidents affecting their data
  • Post-incident review and remediation tracking

Application Security

Security is built into our development process with secure coding practices and regular security testing.

  • Content Security Policy (CSP) headers to prevent XSS attacks
  • Input validation and parameterized queries to prevent injection
  • Security headers (X-Frame-Options, X-Content-Type-Options, HSTS)
  • Dependency scanning and updates for known vulnerabilities

Need more details? Enterprise customers can request additional security documentation including completed security questionnaires (SIG, CAIQ) and architecture diagrams. Contact us to request documentation.