CliniLoom
Data Processing

What we process, where it lives, and how to get it back.

A plain-language summary of the data CliniLoom handles for clinics. Used for security reviews, internal compliance, and DPA conversations.

  • US data residency
  • BAA-covered subprocessors
  • Right to delete

Categories of data we process

| Category | Purpose | Examples |
|---|---|---|
| Clinic operational data | Run admin workflows | Patients, providers, appointments, intake fields |
| Patient communication | Triage and follow-up drafting | Inbox messages, attachments, reply drafts |
| Clinical documents | Intake summarization and PA assembly | Faxes, referrals, lab PDFs |
| Visit dictation & notes | Note drafting and review | Audio (transient), transcripts, draft notes |
| AI outputs & audit | Reviewable trail of AI work | Drafts, sources, confidence, reviewer decisions |
| Account & telemetry | Sign-in, support, and product reliability | Auth events, usage events (no PHI) |

Residency & retention

US-region storage

Hosted in US regions of major cloud providers. Custom residency available on Enterprise.

Configurable retention

Default retention windows per data category. Enterprise customers can set custom retention per category.

Exports & deletion

Self-serve export

Clinic admins can export patients, audit logs, AI outputs, and invoices as CSV/JSON.

Right to delete

Per-patient and clinic-wide deletion honored within 30 days. Backups purged on the next rotation.

Subprocessors

CliniLoom uses a small set of subprocessors to operate the service. The list is reviewed regularly, and BAAs are in place where PHI is processed.

| Subprocessor | Purpose |
|---|---|
| Amazon Web Services (AWS) | Application hosting and database storage in US regions |
| SendGrid | Transactional email delivery (BAA-covered) |
| Twilio | SMS and voice delivery (BAA-covered, US/CA only) |
| Document extraction provider | OCR and structured field extraction (BAA-covered) |
| Speech-to-text provider | Visit dictation transcription (BAA-covered) |
| LLM provider | Draft generation for messages, notes, and packets (BAA-covered; customer data not used to train CliniLoom or vendor models without explicit consent) |

What we never do

  • Sell clinic or patient data
  • Use clinic data to train shared models
  • Send analytics or telemetry that contains PHI to third parties
  • Retain audio dictation longer than 24 hours after transcription

Need our DPA or subprocessor list?

Request the Data Processing Addendum, BAA, and current subprocessor list.