Security Overview

Last updated: April 1, 2026

Security is foundational to everything we build at Clique. Our platform orchestrates sensitive hospital compute workloads, and we treat every layer of the stack as a security boundary. This page outlines our approach to protecting your data and infrastructure.

SOC 2 Type II HIPAA Compliant HITRUST CSF Confidential Computing

Encryption

In transit: All data transmitted between your systems and Clique is encrypted using TLS 1.3. We enforce HSTS and certificate pinning for API connections. Internal service-to-service communication is encrypted via mutual TLS (mTLS).

At rest: All stored data is encrypted using AES-256-GCM. Encryption keys are managed through a dedicated key management service with automatic rotation. Customer-managed encryption keys (CMEK) are available for enterprise deployments.

Confidential Computing & TEEs

Clique leverages Trusted Execution Environments (TEEs) to protect data in use -- the third pillar of data protection alongside encryption at rest and in transit. Workloads containing PHI can be executed within hardware-attested secure enclaves, ensuring that data remains encrypted even during processing. Not even Clique operators can access data inside a TEE.

Hardware-based attestation verifies enclave integrity before workload execution
Memory encryption prevents physical and hypervisor-level attacks
Sealed storage ensures data is bound to verified enclave configurations
Audit logs capture attestation evidence for compliance reporting

SOC 2 Type II

Clique has completed SOC 2 Type II certification, independently audited by a third-party firm. Our audit covers the Trust Service Criteria for Security, Availability, and Confidentiality. We undergo continuous monitoring and annual re-certification. A copy of our SOC 2 report is available upon request under NDA.

Access Controls

Role-based access control (RBAC): Granular permissions ensure users only access resources required for their role
Single sign-on (SSO): SAML 2.0 and OIDC integration with your identity provider
Multi-factor authentication (MFA): Enforced for all accounts, with support for hardware security keys
Least privilege: Internal employee access is scoped to minimum necessary permissions and requires justification
Audit logging: All access events are logged immutably and retained for a minimum of one year

Infrastructure Security

Production environments are isolated in dedicated VPCs with strict network segmentation
All infrastructure is managed as code with automated configuration drift detection
Container images are scanned for vulnerabilities before deployment
Host-based intrusion detection runs across all production systems

Incident Response

We maintain a documented incident response plan that is tested regularly through tabletop exercises and simulations. Our response process includes:

24/7 on-call security engineering coverage
Automated alerting for anomalous activity
Defined severity classification and escalation procedures
Customer notification within 24 hours for incidents affecting their data
HIPAA breach notification within the timeframes required by 45 CFR 164.410
Post-incident review and published root cause analysis

Penetration Testing

We engage independent third-party security firms to conduct penetration tests at least annually. Testing covers our application layer, APIs, infrastructure, and cloud configurations. Critical and high-severity findings are remediated within defined SLAs. Penetration test summary reports are available to customers under NDA.

Vendor Security

All third-party vendors with access to customer data undergo security review before onboarding and are subject to annual re-assessment. Vendors processing PHI are required to execute Business Associate Agreements and demonstrate HIPAA compliance.

Questions?

To request our SOC 2 report, discuss security requirements, or report a vulnerability, contact us at security@cliquehealth.com.