Security

Last updated: May 21, 2026

At The Digital Clinic, we take the security of your data seriously. This page describes the measures we have in place to protect your information.


Infrastructure

Where Your Data Lives

Our primary infrastructure is hosted in the European Union (Germany). We use trusted cloud providers with strong security track records:

  • Application hosting — Render (EU)
  • File storage — Amazon Web Services S3 (Germany)
  • Database — Encrypted and backed up regularly

Encryption

  • In transit — All data transmitted between your browser and our servers is encrypted using TLS (HTTPS)
  • At rest — All personal data is encrypted in our databases using application-level encryption
  • Backups — Database backups are encrypted

Authentication & Access

For Users

  • Strong passwords — Minimum 8 characters, checked against known breach databases
  • Two-factor authentication (2FA) — TOTP support for authenticator apps (Google Authenticator, Microsoft Authenticator, etc.)
  • Recovery codes — Backup codes in case you lose access to your 2FA device
  • Session management — Sessions expire after inactivity and can be revoked

Account Protection

  • Rate limiting — Protection against brute-force login attempts
  • Account lockout — Automatic lockout after multiple failed login attempts
  • Session security — Secure, HttpOnly cookies with session fixation protection

For Administrators

  • Role-based access control — Users can only access what they need
  • MFA visibility — Admins can see which team members have enabled 2FA

Application Security

Secure Development

  • Security reviews — Regular code reviews with security focus
  • Static analysis — Automated scanning for common vulnerabilities
  • Dependency monitoring — Automated alerts for vulnerable dependencies
  • OWASP Top 10 — We design and test against common web vulnerabilities

Web Security

  • Content Security Policy (CSP) — Protection against XSS attacks
  • CSRF protection — All forms protected against cross-site request forgery
  • Input validation — Strict validation and sanitization of all user input
  • SQL injection prevention — Parameterized queries throughout

AI Security

The Digital Clinic uses AI models hosted by external providers (see our Sub-processors page). We host no models ourselves. The following technical controls apply to AI processing:

No Outbound Tools

Agents running on customer content have no ability to browse the web, call arbitrary URLs, or exfiltrate data outside our backend. The internal tool registry exposes only three operations: creating documents, managing agent definitions, and searching our own knowledge base. There is no HTTP-fetch or code-execution tool.

System / User Role Separation

Prompts are built server-side. User content is passed through the provider's message-role API (as user/tool messages), not concatenated into system instructions. This limits the effect of prompt-injection attempts that try to override our instructions with content pasted into a case.

Scoped Context

Each AI call includes only the data from the medical case being processed, filtered through the same authorization model used throughout the application. Cross-case or cross-tenant context leakage is prevented at the query layer.

Code-Enforced Provider Allowlist

Each organization's configured AI providers (Mistral, OpenAI, Anthropic) are enforced in code before any AI request leaves the application. The same gate refuses rolling "-latest" model aliases for organizations that require pinned, deployment-controlled model versions. Denials are logged and surface as errors — never silent bypasses.

Graceful OCR Fallback

When an organization's allowlist excludes Mistral (our OCR provider), document OCR falls back to local text extraction inside our own application. No document bytes are sent to any external provider in this case.

Platform-Level Providers (Not Gated)

Two AI features use a fixed provider that the per-organization allowlist does not control: audio transcription (Gladia, EU/France) and knowledge-base search (OpenAI embeddings, US). Both are platform-level sub-processors documented on our Sub-processors page. Transcription's audio pipeline and the embedding column schema are baked into the architecture; swapping providers per customer would require a platform migration rather than a configuration change. Organizations that cannot use these specific providers have the corresponding features disabled at onboarding rather than silently routed elsewhere.

Provider Non-Training Contracts

We transmit customer data only to AI providers whose DPAs contractually commit to not training models on our API traffic.

Usage Logging

We track AI usage per operation (provider, model, token counts, timestamp) for audit and cost attribution. The submitted content and returned response are not written to logs.

EU-Only Processing

Organizations requiring EU-only AI processing can restrict the customer-selectable allowlist to Mistral AI (France). Combined with our platform-level transcription provider Gladia (also France), this keeps all customer-content AI processing within the EU — except knowledge-base search, which uses OpenAI embeddings in the US and can be disabled at onboarding. The allowlist restriction is a per-organization configuration option, enforced by the code-level gate described above.
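As an added illustration (example code written for this page, not The Digital Clinic's own implementation), the following sketch shows the shape of the code-level gate described in the "Code-Enforced Provider Allowlist", "Graceful OCR Fallback", "Usage Logging" and "EU-Only Processing" sections: one check runs before any outbound AI call, rolling "-latest" aliases are refused for organizations that require pinned models, denials are logged and raised rather than swallowed, OCR falls back to local extraction when Mistral is excluded, and the usage record carries only metadata. All names, the policy data class, the log format and the model ids are assumptions constructed for this example.

```python
"""Added example of a per-organization AI provider gate (hypothetical names)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable
import logging
import re

log = logging.getLogger("ai_gate")

# Placeholder pinned model id for OCR; substitute the version you actually deploy.
MISTRAL_OCR_MODEL = "mistral-ocr-PINNED-VERSION"

# Matches rolling aliases such as "some-model-latest" or "some-model:latest".
ROLLING_ALIAS = re.compile(r"[-:]latest$")


class ProviderDenied(Exception):
    """Raised when a request would leave the application for a provider or model
    the organization has not approved. Callers surface it as an error."""


@dataclass(frozen=True)
class OrgAIPolicy:
    org_id: str
    allowed_providers: frozenset  # e.g. frozenset({"mistral"}) for EU-only processing
    require_pinned_models: bool = False  # refuse rolling "-latest" aliases when True


def check_ai_request(policy: OrgAIPolicy, provider: str, model: str) -> None:
    """Gate every outbound AI call. Denials are logged and raised, never silently bypassed."""
    if provider not in policy.allowed_providers:
        log.warning("ai_gate denied org=%s provider=%s reason=provider_not_allowed",
                    policy.org_id, provider)
        raise ProviderDenied(f"provider {provider!r} not allowed for org {policy.org_id}")
    if policy.require_pinned_models and ROLLING_ALIAS.search(model):
        log.warning("ai_gate denied org=%s provider=%s model=%s reason=rolling_alias",
                    policy.org_id, provider, model)
        raise ProviderDenied(f"rolling alias {model!r} refused; org requires pinned models")


def is_denied(policy: OrgAIPolicy, provider: str, model: str) -> bool:
    """Convenience wrapper: True when the gate would refuse this provider/model pair."""
    try:
        check_ai_request(policy, provider, model)
    except ProviderDenied:
        return True
    return False


def usage_record(policy: OrgAIPolicy, provider: str, model: str,
                 prompt_tokens: int, completion_tokens: int) -> dict:
    """Per-operation usage metadata for audit and cost attribution.
    Deliberately carries no prompt text and no response text."""
    return {
        "org_id": policy.org_id,
        "provider": provider,
        "model": model,
        "prompt_tokens": prompt_tokens,
        "completion_tokens": completion_tokens,
        "timestamp": datetime.now(timezone.utc).isoformat(),
    }


def extract_document_text(policy: OrgAIPolicy, document: bytes,
                          mistral_ocr: Callable[[bytes], str],
                          local_extract: Callable[[bytes], str]) -> tuple:
    """OCR with the fallback the page describes: if Mistral is excluded for this
    organization, the document bytes never leave the application."""
    if is_denied(policy, "mistral", MISTRAL_OCR_MODEL):
        return "local", local_extract(document)
    return "mistral", mistral_ocr(document)


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    eu_only = OrgAIPolicy("org-eu", frozenset({"mistral"}), require_pinned_models=True)
    print(is_denied(eu_only, "openai", "example-model-v1"))        # True: provider excluded
    print(is_denied(eu_only, "mistral", "example-model-latest"))   # True: rolling alias
    print(is_denied(eu_only, "mistral", "example-model-v1"))       # False: allowed and pinned
    # Constructed sample document bytes and stand-in OCR backends.
    print(extract_document_text(eu_only, b"sample-bytes",
                                lambda b: "remote-text", lambda b: "local-text"))
```

The gate is a single function on the only path that reaches a provider SDK, so an allowlist change is a configuration change and the refusal path is the same for every feature that calls it; the usage record is built from counts and identifiers only, so nothing in the audit table can contain case content.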


Browser Extension Security

Our optional Chrome extension follows Chrome's Manifest V3 security model and Digital Clinic's own access controls:

  • No remotely hosted code in extension contexts. All JavaScript, HTML, and CSS that run in the extension's own execution contexts (background service worker, content scripts, top-level side-panel page) are bundled in the uploaded package. No eval, no remote <script src>, no remote WebAssembly, no dynamic import() of remote modules. The side-panel UI itself is rendered inside an <iframe> loaded from digitalclinic.vet — that iframe is first-party web content in the digitalclinic.vet origin, with no access to extension APIs, and is governed by the standard web security policies described in this document.
  • Scoped host permissions. Content scripts are declared only for our backend (digitalclinic.vet and account subdomains) and the specific Practice Management System (PMS) hosts the extension integrates with. The side panel can be opened on any tab so the extension also works as a generic voice-dictation surface, but no page content is read outside the configured PMS hosts.
  • Existing session cookie. The extension stores no credentials of its own — it authenticates via your existing Digital Clinic browser session. Sign out of the web app and the extension stops working.
  • Content-script isolation. Scripts injected into PMS pages run in Chrome's standard isolated world; the PMS page cannot interfere with extension code.
  • TLS only. All traffic between the extension and our backend is encrypted in transit.
  • Entitlement-gated. Only users with the Chrome extension entitlement enabled on their account can use the extension. Users without the entitlement see a "feature not available" message after install.
  • Unlisted distribution. The extension is published as Unlisted in the Chrome Web Store — it is not discoverable via search and is installed only via a link distributed from inside the Digital Clinic app.

Data Protection

Access Controls

  • Role-based permissions — Veterinarians, specialists, nurses, and pet owners each have appropriate access levels
  • Case-based access — Medical case data is only visible to authorized participants
  • Authentication event logging — User authentication events (sign-in, password change, email verification, 2FA enrolment) are recorded per user in a queryable audit table. Administrative actions by Clean Wake staff are recorded in application logs.

Third-Party Services

We carefully vet all third-party services and require data processing agreements. See our Sub-processors page for the current list. Key points:

  • Most infrastructure is in the EU
  • US-based services have Standard Contractual Clauses in place
  • We minimize data shared with third parties

Compliance

GDPR

We comply with the General Data Protection Regulation (GDPR):

  • Data minimization — we only collect what we need
  • Encryption of personal data at rest and in transit
  • Role-based access controls
  • Data subject rights — access, correction, deletion, portability
  • Data Processing Agreements with all processors

Data Retention

We retain data only as long as necessary. See our Privacy Policy for specific retention periods.


Incident Response

If Something Goes Wrong

We have procedures in place for security incidents:

  • Immediate investigation and containment
  • Notification to affected users as required by law
  • Root cause analysis and remediation
  • Post-incident review to prevent recurrence

Reporting Vulnerabilities

If you discover a security vulnerability, please report it responsibly:

Email: team@digitalclinic.vet

Please include:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact

We appreciate responsible disclosure and will acknowledge your report promptly. Please don't publicly disclose vulnerabilities until we've had a chance to address them.


Questions?

If you have questions about our security practices:

Clean Wake AB • Sprängarvägen 27 • 184 70 Åkersberga • Sweden • Email: team@digitalclinic.vet

Privacy Contact • Hannes Schippmann • Email: privacy@digitalclinic.vet
