Security
How ClaveLog protects your records
You are trusting ClaveLog with your practice's legal defense. Here is exactly how that data is protected — written plainly enough to forward to whoever signs off on your software.
No patient data. By design.
The most secure data is the data you never hold. ClaveLog records sterilizers, loads, and spore tests — not patients. No names, charts, appointments, or treatment information ever enter the system. There is no field for it.
Because no protected health information (PHI) touches ClaveLog, the product stays out of HIPAA scope entirely — ClaveLog is neither a covered entity nor a business associate. That removes the single highest-stakes category of risk from the picture, for you and for us.
Encrypted in transit and at rest
Every connection to ClaveLog uses TLS. Your records are stored in managed PostgreSQL with encryption at rest. Data is protected both while moving and while stored.
Each practice's data is isolated
Row-level security (RLS) enforces, at the database layer, that one practice can only ever read or write its own records. It is not just application logic you have to trust — the isolation is enforced by the database itself.
Append-only, tamper-evident records
Compliance records are never silently deleted or overwritten. A correction or void keeps the original entry plus the reason and the person who made the change. Every change is captured by a database audit trigger. That's what makes the record defensible in an inspection.
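The two database-level controls described above (per-practice row-level security and append-only, audited records) could look like this in PostgreSQL. This is an added illustration, not ClaveLog's own schema or code; the table names, columns and the `app.practice_id` session setting are hypothetical.

```sql
-- Hypothetical schema for illustration only (not ClaveLog's).
CREATE TABLE sterilizer_loads (
    id           bigserial PRIMARY KEY,
    practice_id  uuid NOT NULL,
    cycle_result text NOT NULL,
    voided_by    text,
    void_reason  text,
    created_at   timestamptz NOT NULL DEFAULT now()
);

CREATE TABLE load_audit (
    audit_id   bigserial PRIMARY KEY,
    load_id    bigint NOT NULL,
    action     text NOT NULL,
    old_row    jsonb,               -- original entry, kept on every change
    new_row    jsonb,
    changed_by text NOT NULL DEFAULT session_user,
    changed_at timestamptz NOT NULL DEFAULT now()
);

-- Tenant isolation. FORCE makes the policy apply to the table owner too.
ALTER TABLE sterilizer_loads ENABLE ROW LEVEL SECURITY;
ALTER TABLE sterilizer_loads FORCE ROW LEVEL SECURITY;

-- current_setting() raises an error when app.practice_id is unset,
-- so a connection that never declared its practice sees nothing.
CREATE POLICY practice_isolation ON sterilizer_loads
    USING      (practice_id = current_setting('app.practice_id')::uuid)
    WITH CHECK (practice_id = current_setting('app.practice_id')::uuid);

-- Append-only: reject DELETE, require reason + person on a void,
-- and copy every INSERT/UPDATE into the audit table.
CREATE FUNCTION loads_guard() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
    IF TG_OP = 'DELETE' THEN
        RAISE EXCEPTION 'sterilizer_loads is append-only';
    END IF;
    IF TG_OP = 'UPDATE'
       AND (NEW.void_reason IS NULL OR NEW.voided_by IS NULL) THEN
        RAISE EXCEPTION 'a correction or void needs a reason and a person';
    END IF;
    INSERT INTO load_audit (load_id, action, old_row, new_row)
    VALUES (NEW.id, TG_OP,
            CASE WHEN TG_OP = 'UPDATE' THEN to_jsonb(OLD) END,
            to_jsonb(NEW));
    RETURN NEW;
END $$;

CREATE TRIGGER loads_guard_trg
    BEFORE INSERT OR UPDATE OR DELETE ON sterilizer_loads
    FOR EACH ROW EXECUTE FUNCTION loads_guard();
```

Superusers and roles with `BYPASSRLS` skip the policy, and row-level triggers do not fire on `TRUNCATE`, so the application role should hold neither that attribute nor that privilege.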
Built on SOC 2 infrastructure
ClaveLog runs on Vercel (hosting) and Supabase (database and authentication) — established providers that maintain SOC 2 compliance for their platforms. We build on hardened, audited infrastructure rather than rolling our own.
Least-privilege access
Access to production systems is limited to what is strictly necessary. Staff who log loads on a shared device never get an account or dashboard access — they can only add records via a device-scoped token, nothing else.
What we claim — and what we don't
We would rather be trusted than impressive. So, plainly: ClaveLog is an early-stage product. We have not completed an independent SOC 2 audit of ClaveLog itself, and we do not claim certifications we do not hold. What we do claim are verifiable facts about how the product is built:
- PHI is architecturally excluded — there is nowhere to put it.
- Compliance records are append-only with a database-level audit trail.
- Each practice's data is isolated by row-level security.
- Data is encrypted in transit and at rest on SOC 2-compliant infrastructure (Vercel, Supabase).
As we grow, our security program grows with us. If your practice has a specific security requirement, tell us — we would rather have the conversation than oversell.
Responsible disclosure
Found a security issue? We want to hear about it. Email security@clavelog.com with the details and steps to reproduce. Please give us a reasonable window to fix the issue before disclosing it publicly. We will acknowledge your report and keep you posted on the fix.
For what we collect and how we handle it, see our Privacy Policy.