Security & Compliance

Enterprise Security. Zero Compromise.

Purpose-built for healthcare's most demanding compliance environments — from single-province Canadian clinics to global clinical research organizations operating under GDPR, HIPAA, and PIPEDA simultaneously.

Supported Compliance Frameworks

We support the full spectrum of North American and international healthcare data regulations, designed for organizations operating across multiple jurisdictions.

HIPAA

United States

Supported

Full Health Insurance Portability and Accountability Act compliance. PHI protected with end-to-end encryption, audit logging, and access controls. BAA available.

  • Business Associate Agreement (BAA) available on request
  • PHI encrypted at rest (AES-256) and in transit (TLS 1.3)
  • Role-based access control with comprehensive audit trails
  • Regular security assessments and penetration testing

PIPEDA

Canada — Federal

Supported

Personal Information Protection and Electronic Documents Act. Data hosted in Canadian Azure regions. Cross-border transfer controls. Privacy breach notification procedures.

  • Canadian Azure data residency (Canada Central / Canada East)
  • Consent management with full audit trail
  • Privacy breach detection and notification procedures
  • Individual access request handling procedures

PHIPA

Ontario, Canada

Supported

Personal Health Information Protection Act (Ontario). Specific controls for Ontario-based health information custodians and agents.

  • Health information custodian compliance support
  • Lockbox and consent management features
  • Ontario privacy officer notification procedures
  • PHIPA-aligned audit logging and access controls

GDPR

European Union

Supported

General Data Protection Regulation. Data Processing Agreements available. Lawful basis documentation. Right to erasure and data portability support.

  • Data Processing Agreement (DPA) available on request
  • Lawful basis documentation for processing activities
  • Right to erasure and data portability workflows
  • Cross-border transfer controls (SCCs available)

Deployment Models

Choose the deployment that fits your organization's IT policy, data sovereignty requirements, and security posture.

Multi-Tenant Cloud

Managed Azure Infrastructure

  • Hosted on Microsoft Azure (Canadian or US region)
  • 99.9% uptime SLA with proactive monitoring
  • Automatic security patches and compliance updates
  • Shared infrastructure with strict tenant isolation

White-Label

Your Brand, Our Infrastructure

  • Custom domain and organizational branding
  • Appears as an internal portal to patients and staff
  • Still hosted on managed Azure infrastructure
  • Branded documentation and patient communications

Self-Hosted Enterprise

Your Azure Subscription

  • Full source code access with enterprise license
  • Deployed on customer's own Azure/AWS subscription
  • ARM deployment templates and IaC scripts provided
  • Quarterly security patches + 6-month feature updates
  • Supports air-gapped and zero-trust IT environments

Technical Security Controls

A comprehensive set of technical controls designed to meet enterprise and government security requirements.

AES-256 Encryption at Rest

All stored data encrypted using industry-standard AES-256 encryption

TLS 1.3 in Transit

All data transmissions encrypted with modern TLS protocols

Role-Based Access Control

Granular permissions: patients, nurses, PAs, physicians, admins, coordinators

Comprehensive Audit Logs

Every action logged with user identity, timestamp, IP, and action type

Multi-Factor Authentication

Enforced MFA for all administrative and clinical user accounts

Penetration Testing

Regular third-party penetration testing on a scheduled cadence

Vulnerability Management

Continuous scanning with critical patches applied within 24 hours

Data Residency Controls

Canadian Azure regions available; no cross-border transfer without consent

Tenant Isolation

Complete data isolation between organizations — no cross-tenant data access

Zero-Trust Architecture

Self-hosted option for air-gapped networks with no external dependencies

Key Vault Integration

Secrets managed via Azure Key Vault with customer-controlled access

Backup & Recovery

Automated backups with tested restoration procedures and RPO/RTO SLAs

Legal Agreements Available

Business Associate Agreement (BAA)

HIPAA-required agreement covering our responsibilities as a business associate handling PHI on your behalf.

Data Processing Agreement (DPA)

GDPR and PIPEDA-aligned agreement defining processing activities, purposes, and data subject rights.

Vendor Risk Assessment Package

Complete documentation package for enterprise procurement: security questionnaire responses, compliance certifications, and architecture diagrams.

Service Level Agreement (SLA)

Formal SLA including uptime guarantees (99.9%), response time commitments, and escalation procedures.

All agreements are available upon request to qualified organizations. Contact us during or after your demo to initiate the legal review process.

Questions about compliance for your organization?

Our implementation team will work through your specific compliance requirements on the demo call.
