Security & Compliance

ClearConsent is built for environments where protected health information and clinical decisions are involved. Learn about our security architecture, audit logging, and HIPAA alignment.

Built for environments where PHI and clinical decisions matter

ClearConsent's architecture and operating model are designed against HIPAA technical safeguards and industry expectations for healthcare systems. This page summarizes our security and compliance posture for security, risk, and IT teams.

Security and compliance

Encryption, access control, and isolation by design

Encryption

PHI is stored in an encrypted relational database and object storage, with encryption in transit enforced via TLS.

Access controls

Role-based access control is designed around clear roles — patients, providers, administrators, super administrators — with multi-factor authentication and session management.

Segregation of environments

Production-grade deployments are designed to run in dedicated cloud environments with VPC isolation, load-balanced APIs, and hardened storage.

Data protection architecture

Security built into every layer, not bolted on

ClearConsent's production architecture is designed for isolation, redundancy, and defence in depth. Each layer — from the user session to the stored consent record — has independent security controls.

L1 — Edge: TLS enforcement, security headers (CSP, X-Frame-Options, HSTS), rate limiting.
L2 — Application: Role-based access control, MFA, session management, input validation.
L3 — Data: Encryption at rest, VPC isolation, encrypted object storage for consent PDFs.
L4 — Audit: Hash-chained event log; every state change is recorded and tamper-detectable.

A tamper-evident trail of every consent event

Hash-chained audit log

Consent-related events are written to an audit log with a hash chain, making it easy to detect tampering and reconstruct event sequences.

Comprehensive coverage

All state-changing operations related to consent and PHI access emit audit events. Mutation paths block on audit failures — no silent omissions.

Exportable, verifiable history

Audit logs and consent records can be exported for internal investigations, external audits, or medico-legal review.

Audit and logging

Formal gap assessment, active closure roadmap

ClearConsent has undergone a formal HIPAA gap assessment with Drummond Group, identifying 53 gaps across technical safeguards, BAAs, and policy documentation.

Critical technical gaps

Closing critical gaps around audit completeness, MFA enforcement, webhook security, and security headers — with active engineering work in progress.

Policy implementation

Implementing and enforcing a full suite of HIPAA policies including security management, incident response, access control, and transmission security.

BAA verification

Verifying BAAs and security expectations with third-party providers such as Vercel, messaging providers, and telehealth partners.

Drummond Group certification

Working toward formal certification with Drummond Group. A detailed HIPAA roadmap and policy inventory is available upon request for qualified organizations.

We show you exactly where we stand — and where we are going

Most platforms claim compliance without evidence. ClearConsent has completed a formal third-party HIPAA gap assessment and publishes a prioritised roadmap of what is open, what is in progress, and what is closed.

Completed

Encryption at rest & in transit, RBAC, hash-chained audit log, formal gap assessment with Drummond Group.

In progress

MFA enforcement, webhook security hardening, complete security header suite, audit completeness coverage.

Roadmap

Full HIPAA policy suite, BAA verification with all vendors, Drummond Group certification, SOC 2 planning.

Carefully selected vendors, BAAs executed

ClearConsent uses carefully selected third-party services for infrastructure, AI, and interoperability. Each vendor relationship is evaluated against HIPAA requirements, and BAAs are executed where necessary.

Cloud infrastructure and database services
AI services for transcription and comprehension
Email and messaging providers
Health Gorilla for FHIR-based lab and clinical data exchange

AI in a clerical role, not a clinical one

ClearConsent uses AI in an assistive capacity only — never to make autonomous clinical decisions.

1. AI is used to transcribe patient speech, analyze comprehension, and support teach-back.
2. AI-generated outputs are surfaced to clinicians for review. They do not enter signed clinical records without human acceptance.
3. All AI interactions are logged, and model access goes through a structured gateway so behavior can be monitored and governed over time.

Security & compliance questions

ClearConsent has completed a formal HIPAA gap assessment with Drummond Group and is actively working through a prioritised closure roadmap. The platform is engineered with strong technical safeguards — encrypted storage, TLS in transit, role-based access control, MFA, and a hash-chained audit log. We are transparent about the gaps that remain open and the steps being taken to close them. A full roadmap and policy inventory is available upon request for qualified organisations.

PHI is stored in an encrypted relational database and encrypted object storage, with TLS enforced for all data in transit. Production deployments run in dedicated cloud environments with VPC isolation. Access is controlled via role-based permissions — patients, providers, administrators, and super admins each have strictly scoped access.

Each audit event is cryptographically linked to the one before it using a hash chain. This means that if any event is tampered with or deleted, the chain breaks — making tampering detectable. For medico-legal review or regulatory investigation, this provides a verifiable, tamper-evident reconstruction of what happened during the consent process and when.
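
The hash-chain property described above, as an added illustration that is not ClearConsent's code: a verifier that locates an edited or removed event and, given a head hash kept outside the log, also catches truncation of the newest events. The SHA-256 construction, the genesis value, and all field names are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed fixed value that the first event links to


def event_hash(prev_hash, payload):
    """SHA-256 over the previous hash plus a canonical JSON encoding of the payload."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append_event(log, payload):
    """Append an event linked to the current head; returns the new head hash."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"prev": prev, "payload": payload, "hash": event_hash(prev, payload)}
    log.append(entry)
    return entry["hash"]


def verify_chain(log, expected_head=None):
    """Return (ok, index, reason); index is the first entry that fails."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev:
            return (False, i, "broken link: entry removed, inserted or reordered")
        if entry["hash"] != event_hash(prev, entry["payload"]):
            return (False, i, "payload does not match recorded hash")
        prev = entry["hash"]
    # Dropping the newest entries leaves a valid shorter chain, so the head
    # must be compared with a copy kept outside the log store.
    if expected_head is not None and prev != expected_head:
        return (False, len(log), "head mismatch: log truncated or replaced")
    return (True, None, "ok")


def build_sample_log():
    """Constructed sample events; actor and action names are illustrative."""
    log = []
    head = GENESIS
    for seq, action in enumerate(["consent.presented", "consent.signed", "record.viewed"]):
        head = append_event(log, {"seq": seq, "actor": "provider-17", "action": action})
    return log, head
```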

Access is strictly role-based. Patients can access their own consent records. Providers see records for their assigned patients. Administrators have management access within their organisation scope. Super admins have hospital-level oversight. All access events are logged in the audit trail.

ClearConsent uses AI in a strictly clerical and assistive role — never to make autonomous clinical decisions. AI is used to transcribe patient speech and analyse comprehension during the consent flow. All AI-generated outputs are reviewed by a clinician before any action is taken. AI model access goes through a structured gateway so that behaviour can be monitored and governed. PHI shared with AI services is handled under BAAs with those providers.

ClearConsent uses carefully selected vendors for cloud infrastructure, AI services, email and messaging, and interoperability (including Health Gorilla for FHIR-based data exchange). Each vendor relationship is evaluated against HIPAA requirements, and BAAs are executed wherever PHI may be involved. Specific vendor details are available to qualified organisations under NDA.

ClearConsent maintains a documented incident response policy as part of its HIPAA compliance roadmap. The policy covers detection, containment, notification obligations (including the HIPAA Breach Notification Rule), and post-incident review. Details of the incident response plan are available upon request.

ClearConsent is currently working toward formal certification with Drummond Group. SOC 2 is on the roadmap. In the meantime, we can provide our HIPAA gap assessment summary, policy inventory, and technical safeguards documentation to qualified organisations under an NDA. Contact our team to request these materials.

Need detailed compliance documentation?

Our HIPAA roadmap and policy inventory are available upon request for qualified organizations.
