Data Processing
What we process, where it lives, and how to get it back.
A plain-language summary of the data CliniLoom handles for clinics. Used for security reviews, internal compliance, and DPA conversations.
US data residency · BAA-covered subprocessors · Right to delete
Categories of data we process
| Category | Purpose | Examples |
|---|---|---|
| Clinic operational data | Run admin workflows | Patients, providers, appointments, intake fields |
| Patient communication | Triage and follow-up drafting | Inbox messages, attachments, reply drafts |
| Clinical documents | Intake summarization and PA assembly | Faxes, referrals, lab PDFs |
| Visit dictation & notes | Note drafting and review | Audio (transient), transcripts, draft notes |
| AI outputs & audit | Reviewable trail of AI work | Drafts, sources, confidence, reviewer decisions |
| Account & telemetry | Sign-in, support, and product reliability | Auth events, usage events (no PHI) |
Residency & retention
US-region storage
Hosted in US regions of major cloud providers. Custom residency available on Enterprise.
Configurable retention
Default retention windows per data category. Enterprise customers can set custom retention per category.
Exports & deletion
Self-serve export
Clinic admins can export patients, audit logs, AI outputs, and invoices as CSV/JSON.
Right to delete
Per-patient and clinic-wide deletion honored within 30 days. Backups purged on the next rotation.
Subprocessors
CliniLoom uses a small set of subprocessors to operate the service. The list is reviewed regularly, and BAAs are in place where PHI is processed.
| Subprocessor | Purpose |
|---|---|
| Amazon Web Services (AWS) | Application hosting and database storage in US regions |
| SendGrid | Transactional email delivery (BAA-covered) |
| Twilio | SMS and voice delivery (BAA-covered, US/CA only) |
| Document extraction provider | OCR and structured field extraction (BAA-covered) |
| Speech-to-text provider | Visit dictation transcription (BAA-covered) |
| LLM provider | Draft generation for messages, notes, and packets (BAA-covered; customer data not used to train CliniLoom or vendor models without explicit consent) |
What we never do
- Sell clinic or patient data
- Use clinic data to train shared models
- Send analytics or telemetry that contains PHI to third parties
- Retain audio dictation longer than 24 hours after transcription
Need our DPA or subprocessor list?
Request the Data Processing Addendum, BAA, and current subprocessor list.