Security

How we protect your ophthalmic case data

Clip is built for ophthalmic surgeons who work with sensitive patient data. This page describes the technical and organisational controls we have in place. We believe in being specific — you should know exactly what is protected and how.

Data encryption

End-to-end encryption for patient identifiers

Patient name and patient ID are encrypted on your device using Curve25519 / XSalsa20-Poly1305 (TweetNaCl) before being transmitted. The server stores only ciphertext — we cannot read these fields.

Encryption in transit

All communication between the Clip app and our servers uses TLS 1.2 or higher — every API call, upload, and authentication request.

Encryption at rest

Database records are encrypted at rest using AES-256. Media files (slit-lamp photos, surgical videos) stored in cloud object storage are encrypted at rest by default.

AI processing — ephemeral only

When you use AI features (OCR, voice transcription, semantic search), data is processed in memory and discarded. Plaintext clinical content is never written to our database during AI processing.

Access controls

Row-level security

Row-level security is enforced at the database engine level, so every database query returns only records belonging to the authenticated user. It is architecturally impossible for one surgeon's query to return another surgeon's data.
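As an added illustration of how engine-level row scoping of this kind is typically expressed (this is not Clip's own schema or code): the page does not name the database engine, so PostgreSQL syntax is an assumption, and the table, column, role and `app.user_id` setting names are hypothetical.

```sql
-- Added illustration, not Clip's schema. PostgreSQL is assumed; the table,
-- columns, role and the app.user_id setting are hypothetical names.
CREATE ROLE app_user NOLOGIN;            -- role the API runs as: not owner, no BYPASSRLS

CREATE TABLE cases (
    id         bigserial PRIMARY KEY,
    owner_id   uuid  NOT NULL,           -- surgeon who owns the record
    patient_ct bytea NOT NULL,           -- client-side ciphertext of name / patient ID
    notes      text
);
GRANT SELECT, INSERT, UPDATE, DELETE ON cases TO app_user;
GRANT USAGE ON SEQUENCE cases_id_seq TO app_user;

-- ENABLE turns policies on; FORCE applies them to the table owner as well.
-- Superusers and roles with BYPASSRLS still skip policies, so the
-- application must never connect as one.
ALTER TABLE cases ENABLE ROW LEVEL SECURITY;
ALTER TABLE cases FORCE ROW LEVEL SECURITY;

-- USING filters rows that can be read, updated or deleted; WITH CHECK rejects
-- inserts and updates that would assign a row to someone else.
-- current_setting(..., true) yields NULL when the setting is absent, and a
-- NULL comparison matches no rows, so a request without an identity sees nothing.
CREATE POLICY cases_owner_only ON cases
    FOR ALL TO app_user
    USING      (owner_id = NULLIF(current_setting('app.user_id', true), '')::uuid)
    WITH CHECK (owner_id = NULLIF(current_setting('app.user_id', true), '')::uuid);

-- Per request: bind the verified user id to the transaction, then query
-- without any owner filter. The UUIDs below are constructed sample values.
BEGIN;
SET LOCAL ROLE app_user;
SELECT set_config('app.user_id', '11111111-1111-1111-1111-111111111111', true);
INSERT INTO cases (owner_id, patient_ct)
VALUES ('11111111-1111-1111-1111-111111111111', '\x00'::bytea);  -- caller's own row
SELECT id, owner_id FROM cases;          -- no WHERE clause; the policy scopes the result
COMMIT;

-- Negative check to keep in a test suite: the same identity writing a row
-- for a different owner is rejected by WITH CHECK.
BEGIN;
SET LOCAL ROLE app_user;
SELECT set_config('app.user_id', '11111111-1111-1111-1111-111111111111', true);
INSERT INTO cases (owner_id, patient_ct)
VALUES ('22222222-2222-2222-2222-222222222222', '\x00'::bytea);
ROLLBACK;
```

Because `set_config(..., true)` and `SET LOCAL` are scoped to the transaction, the identity does not leak to the next request served on a pooled connection.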

Cloud storage IAM

Access to media files is restricted to service accounts used by the application. Developer personal accounts do not have access to production storage.

Access audit logging

Data Read and Data Write audit logs are enabled on our production storage bucket. Every file access — who, when, what — is permanently logged and retained for a minimum of 6 years.

Secure credential storage

On iOS and Android, your private key material is stored in the device's secure enclave (Keychain / Keystore). Credentials are never stored in plain app storage.

Authentication

  • Passwords are hashed with bcrypt — never stored or transmitted in plaintext
  • Authentication tokens are short-lived JWTs with automatic refresh
  • Password reset links are single-use and expire after 1 hour
  • Industry-standard OAuth2 / PKCE flows

Infrastructure

  • Database with automated backups and point-in-time recovery
  • Media processing in ephemeral, isolated containers
  • Edge CDN with DDoS protection in front of the web app
  • All production deployments require passing automated test suites

What we acknowledge

We believe in transparency about limitations:

  • Clinical notes, diagnosis, and voice transcripts are protected by row-level security and encrypted in transit and at rest, but are not end-to-end encrypted client-side. We can read these fields as part of providing AI features.
  • Web users rely on browser localStorage for key material, which is less secure than the device Keychain. For maximum security, use the native iOS or Android app once available.
  • Multi-device sync of private keys is not yet supported in beta. Encrypted fields are readable only on the device where you enrolled.

Reporting a vulnerability

If you believe you have found a security vulnerability in Clip, email us at mikisu.dev@gmail.com with the subject line "Security vulnerability". We will acknowledge your report within 48 hours and work to resolve confirmed issues promptly. Please give us reasonable time to investigate before public disclosure.

Security contact

mikisu.dev@gmail.com

Last reviewed: June 13, 2026