ClinicOS runs on cloud infrastructure with data residency choices that support Saudi healthcare requirements. We use a multi-tenant architecture where every clinic's data is logically isolated — no cross-clinic queries are possible, even for our own engineering team without explicit authorization.

All traffic between your browser and our servers is encrypted with TLS 1.3. Sensitive fields (national IDs, payment details) are encrypted at rest in the database with key rotation. Backups are encrypted and stored in a separate region for resilience.

Access is controlled by role-based access control (RBAC). Roles map to specific actions in specific modules within specific clinics. Every action — patient view, prescription, invoice, payment — is recorded in an append-only audit log that even administrators cannot delete.

We do not sell or share clinic or patient data with third parties. We do not use patient data for advertising. We do not store payment card numbers on our servers (PCI scope is minimized through tokenization with payment processors).

If a security incident is detected, we notify affected clinics within 72 hours (PDPL alignment) with a clear summary of what happened, what data was involved, and what we are doing about it.

For security research and responsible disclosure, email security@bit-proclinic.com.