SetuCare LLC, doing business as Klinoa, operates a HIPAA-aware clinic management platform. This notice describes the safeguards we implement, our role under HIPAA, and the commitments we make to clinics handling Protected Health Information (“PHI”) on the Service.
01 Overview
Klinoa is designed from the database layer up to handle PHI in compliance with the HIPAA Privacy Rule, Security Rule, Breach Notification Rule, and HITECH Act requirements applicable to Business Associates. PHI is encrypted at rest and in transit, isolated per-tenant via Postgres row-level security, and access is logged in an append-only audit trail.
02 Roles & responsibilities
When a clinic uses Klinoa to store, process, or transmit PHI, the clinic is the Covered Entity and Klinoa is its Business Associate. Once an executed Business Associate Agreement (“BAA”) is in place, Klinoa will use, disclose, and safeguard PHI only as permitted by the BAA, this notice, and applicable law.
Marketing pages, billing data, and unrelated business records are not PHI. The Privacy Policy applies to that information.
03 Administrative safeguards
- Designated Security Officer and Privacy Officer (contactable via the address below).
- Documented information security policies reviewed at least annually.
- Workforce access provisioned on least-privilege principles and revoked promptly on role change or departure.
- Mandatory HIPAA awareness and security training for all personnel with access to PHI.
- Annual risk analysis and risk management plan, with corrective actions tracked to closure.
- Incident response plan with defined escalation, containment, and notification procedures.
- Business continuity and disaster recovery plan tested annually.
- Vendor due diligence and BAAs in place with all subprocessors that may access PHI.
04 Physical safeguards
Klinoa is a fully cloud-hosted service; we do not operate physical data centers. Our subprocessors' data centers maintain SOC 2 Type II, ISO 27001, and/or HITRUST certifications, with controls including 24/7 monitoring, biometric access, video surveillance, and environmental protections.
Workforce devices used to access production systems must be encrypted, password-locked, enrolled in mobile device management, and use multi-factor authentication.
05 Technical safeguards
- Encryption at rest: AES-256 on all database storage and backups (Supabase / AWS-managed keys).
- Encryption in transit: TLS 1.2 or higher for all client-server and server-server traffic, enforced via HSTS.
- Tenant isolation: Postgres row-level security (RLS) policies keyed off a JWT custom claim (tenant_id), enforced server-side. A user's queries can only return rows for their tenant.
- Authentication: Supabase Auth with bcrypt-hashed passwords, optional MFA, and refresh-token rotation. Single sign-on (SAML/OIDC) available on Group plans.
- Audit logging: append-only audit log captures every PHI read and write, with actor, timestamp, IP address, and resource identifier. Logs retained for six (6) years.
- Backups: automated daily encrypted backups to AWS S3, with point-in-time recovery for the last seven days. Backups transitioned to Glacier after twelve months.
- Vulnerability management: automated dependency scanning, monthly review of security advisories, and quarterly penetration testing, with the testing scope reviewed annually.
- Network security: WAF and DDoS protection at the edge (Cloudflare), rate limiting on authentication endpoints, no public access to the database.
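As an added illustration of the tenant-isolation control described above (example code, not Klinoa's own schema or policies), the following shows how a Postgres RLS policy keyed off a tenant_id JWT claim is typically written so that it fails closed. The table name, column names, the `current_tenant_id()` helper, and the placement of the claim under `app_metadata` are assumptions.

```sql
-- Added example: per-tenant RLS keyed off a JWT claim (hypothetical schema).
-- Assumption: the auth service issues tenant_id under app_metadata, which
-- only the server can set; user_metadata is user-editable and must never
-- be used as a tenancy key.

create table if not exists patient_notes (
  id         uuid primary key default gen_random_uuid(),
  tenant_id  uuid not null,
  patient_id uuid not null,
  body       text not null,
  created_at timestamptz not null default now()
);

-- Enable RLS and FORCE it so the table owner is not silently exempt.
alter table patient_notes enable row level security;
alter table patient_notes force row level security;

-- Read the tenant claim from the verified request JWT. PostgREST (used by
-- Supabase) exposes the claims as the request.jwt.claims setting.
-- Returning NULL when the claim is absent makes every policy below fail
-- closed, because "tenant_id = NULL" is never true.
create or replace function current_tenant_id() returns uuid
language sql stable as $$
  select nullif(
           coalesce(current_setting('request.jwt.claims', true)::jsonb
                      -> 'app_metadata' ->> 'tenant_id', ''),
           '')::uuid;
$$;

-- One policy per command. USING filters rows read; WITH CHECK validates
-- rows written, so a caller cannot insert into, or move a row to, another
-- tenant even if they control the tenant_id column value in the request.
create policy tenant_select on patient_notes for select
  using (tenant_id = current_tenant_id());

create policy tenant_insert on patient_notes for insert
  with check (tenant_id = current_tenant_id());

create policy tenant_update on patient_notes for update
  using (tenant_id = current_tenant_id())
  with check (tenant_id = current_tenant_id());

create policy tenant_delete on patient_notes for delete
  using (tenant_id = current_tenant_id());
```

RLS only filters rows; the application role still needs ordinary `GRANT` privileges on the table, and any role with `BYPASSRLS` or superuser (such as a service-role key) sidesteps these policies, so it must not be exposed to the client tier.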
06 Breach notification
If we discover a breach of unsecured PHI, we will notify the affected Covered Entity without unreasonable delay and in no case later than sixty (60) calendar days after discovery, in accordance with 45 CFR § 164.410. Our notification will include, to the extent known: a description of what happened, the types of PHI involved, the steps affected individuals should take, and what we are doing to investigate and mitigate.
To report a suspected breach involving Klinoa, email support@setucare.com with the subject line Security Incident. We monitor this address continuously.
07 BAA process
A Business Associate Agreement consistent with 45 CFR Parts 160 and 164 is available to all paid customers handling PHI, at no additional cost. To execute a BAA:
- Email support@setucare.com with the legal name of your clinic and signing authority.
- We will return our standard BAA within one business day for electronic signature.
- The BAA takes effect upon mutual signature and is incorporated into your subscription.
Customers requiring custom BAA language should contact us; we will accommodate reasonable amendments where consistent with our security controls.
08 Subprocessors with BAAs
The following subprocessors may process PHI in the course of providing the Service. All have signed BAAs with Klinoa.
| Subprocessor | Purpose | Data hosted in |
|---|---|---|
| Supabase Inc. | Database, authentication, file storage | United States (us-east-1) |
| Anthropic PBC | AI inference for clinical note drafts | United States |
| Twilio Inc. | SMS / voice delivery to patient phone numbers | United States |
| Amazon Web Services | Encrypted database backups | United States (us-east-1) |
Subprocessors that do not receive PHI: Vercel (application hosting, static assets only), Cloudflare (edge DNS/WAF), Stripe (billing), Brevo (transactional email to clinic users), Plausible (privacy-friendly analytics).
We will notify customers of new PHI-processing subprocessors at least thirty (30) days before they take effect, providing an opportunity to object.
09 Audit & risk management
We conduct an annual risk analysis covering all systems and processes that touch PHI, aligned with the NIST Cybersecurity Framework and HHS guidance. Findings are tracked to closure in a documented risk register. Penetration tests are performed annually by an independent firm; high-severity findings are remediated within thirty (30) days.
Customers on the Group plan may request a security questionnaire response (SIG Lite, CAIQ) and, under NDA, a summary of our most recent penetration test.
10 Customer responsibilities
HIPAA compliance is a shared responsibility. Customers are responsible for:
- executing a BAA with Klinoa before storing PHI on the Service;
- configuring user access in accordance with least-privilege principles;
- enabling multi-factor authentication for all clinic users;
- training staff on appropriate use of the Service;
- maintaining a Notice of Privacy Practices for patients;
- obtaining patient authorizations where required;
- promptly reporting suspected security incidents to Klinoa.
11 Patient rights under HIPAA
Patients of clinics that use Klinoa retain all rights under HIPAA, including the right to access, amend, and receive an accounting of disclosures of their PHI. Patient requests should be directed to the clinic that holds the record. Klinoa will assist the clinic in fulfilling these requests within the timelines required by 45 CFR § 164.524 et seq.
12 Changes to this notice
We may update this HIPAA Notice from time to time to reflect changes in our practices, subprocessors, or applicable law. The effective date at the top of this page reflects the most recent revision. Material changes will be communicated by email at least thirty (30) days before they take effect.
13 Contact
SetuCare LLC dba Klinoa — HIPAA Privacy & Security Office
Austin, Texas, USA
support@setucare.com
To request a Business Associate Agreement, report a suspected breach, or request a security questionnaire, use the address above. We monitor this inbox continuously and will respond to urgent security matters within one business day.