Security

Practitioners trust Cliniko with the safe-keeping of millions of confidential client records every day. Security isn’t just fine-print for us: it’s a central feature and shapes every decision we make.

Security person with earphone surrounded by eyes

Securing your data

You own your data

We are the custodians of your data, but you remain the owner. Every step has been taken to help you manage your information securely and confidentially. And, if the time ever comes for us to say goodbye, your data will be held for a minimum of 90 days after cancellation.

If you need to cancel your account due to the COVID-19 pandemic, please select it as the reason for your cancellation, and we’ll hold onto your data for a minimum of 12 months. That way, if you decide to start back up again, all your information will still be here exactly the way you left it.

If ever you’d like to transfer your info outside of Cliniko for any reason, you can take it anywhere you want using Cliniko’s data export feature.

Ultra-secure facilities

Cliniko is hosted in state-of-the-art datacenter facilities. Physical access is controlled at the perimeter and building entry points by professional security staff using video surveillance, intrusion detection systems, and other electronic means.

High availability

We use datacenter facilities that are built in clusters. In case of failure, automated processes move customer data traffic away from the affected area and into other sites that are functioning properly. It all occurs behind the scenes, and you won’t even notice when it’s happening.

Encryption

Whenever your data is sent between us, it’s encrypted using HTTPS (end-to-end encryption). We use a 2048-bit SSL certification for encryption in transit. All data is also encrypted at rest and backed up daily, using the industry-standard AES-256 encryption algorithm.

If that sounds like a bunch of jargon nonsense to you, here’s what it means: all data shared between you and Cliniko is transmitted and stored securely. No one can read the information except for you and us. Plus, we refresh your backup every day to make sure it stays current.

Accreditations and Certifications

We choose our partners carefully. Our hosting partner, Amazon Web Services (AWS), has achieved the following accreditations and certifications:

  • PCI DSS Level 1 (Payment Card Industry Data Security Standard)
  • ISO 27001 (Information Security Management System)
  • FIPS 140-2 (United States Federal Information Processing Standard)

24/7/365 Monitoring

Cliniko is monitored 24 hours a day, 7 days a week, 365 days a year. If something goes wrong, we’ll be the first to know about it, and our team will jump into action straight away—no matter when it happens!

Backups

Cliniko data is backed up daily. Backups are redundantly stored in multiple physical locations. Data is also constantly streamed to replica databases for up to the second redundancy.

In other words, we’ve got backups for your backups and a contingency in place to handle any potential interruptions to the storage process. Don’t forget that you can also export your data at any time and create your own backups too.

Data stored close to home

New Cliniko accounts based in Australia will have their data stored in Australia. If you’re opening a new account in the UK, your data will be held in the UK. New Canadian accounts? You guessed it! We’ll keep your data safe and secure in Canada. For accounts based in any other country, we’ll house your data on our Australian servers.

Cliniko meets or exceeds all regulations of the Australian Privacy Principles, GDPR, PIPEDA, and HIPAA.

Light bulb

We offer bug bounties

for new, responsibly disclosed issues. If you’ve found something, please contact us at security@cliniko.com.

Laptop and phone screen with a lock

What can you do to protect your account?

Enable two-factor authentication

Two-factor authentication adds an extra security step when you log in. With Cliniko, this means that accessing your account will require both your password and a code generated on your smartphone.

Understand user security roles

User security roles in Cliniko help you limit access to confidential information to only those who need it.

Create a strong password

Use a unique password for your Cliniko account. Since longer passwords are generally harder for criminals to break, try using a line from your favourite song or a short sentence you’ll easily remember.

Keep your browser updated

An up-to-date browser will ensure that Cliniko is performing at its best and that you have the latest protection against online threats.

Restrict third-party access

Cliniko connected apps often require your API key in order to link with your Cliniko account. Only share your API key with parties you trust, and be sure to read their terms of service and privacy policies.

Want to learn more? Get details on how you can protect your data.

Balance holding a file on one side and a law book on the other

We help with compliance

We provide you with the tools to ensure you are compliant with important privacy legislation, like the Australian Privacy Principles, GDPR, PIPEDA, and HIPAA.

Australian Privacy Principles

To help you manage your obligations under the Australian Privacy Principles, Cliniko provides features to record an individual's consent to your privacy policy or direct marketing. We also ensure that records are destroyed when you no longer require personal information. Plus, if you need to maintain records for retention requirements, Cliniko’s data export feature allows you to hold on to your info for as long as you need.

GDPR

Because Cliniko is processed outside the EU, we have a Data Processing Addendum (DPA) that covers the use of Cliniko and includes additional Standard Contractual Clauses. We’ve also appointed a Data Protection Officer to ensure compliance with GDPR requirements.

For more information on how Cliniko can help you with GDPR compliance, take a look here.

PIPEDA

Cliniko lets you easily obtain and store client consent to collect their information, and we offer transparent disclosure of all processes related to the collection, storage, and use of any personal information in our Privacy Policy.

HIPAA

HIPAA is only a concern for clinics based in the United States. For those who need it, though, Cliniko is fully HIPAA compliant and we have a built-in support option to help you stay compliant as well. If you’d like a Business Associate Agreement (BAA), just send us a request, and we’ll gladly get one set up for you.