Trust foundation
Security
Last updated July 1, 2026
Security is foundational to Clover because provider launch work involves sensitive documents, identifiers, payer readiness information, and operational history. Clover is being built to keep that work organized without making it careless.
Encryption
Clover is designed to protect data in transit using modern TLS and to encrypt stored data using managed cloud encryption controls.
Encryption is one layer of protection. Clover also relies on access controls, environment separation, secure development practices, and monitoring to reduce risk.
Secure infrastructure
Clover is planned around managed infrastructure with hardened defaults, production environment separation, restricted administrative access, secure configuration practices, and routine dependency and security updates.
Infrastructure access should be limited to the people and systems that need it to operate, support, and protect Clover.
Authentication
Clover is expected to require secure authentication for users and to support session controls appropriate for healthcare operations.
Access should be role-aware so practice administrators, office managers, credentialing teams, and invited providers only see the areas needed for their work.
Data isolation
Practice data should be logically separated so one practice cannot access another practice's providers, documents, readiness history, payer notes, or account information.
Provider launch data belongs to the customer practice and should be handled within that practice's workspace and permissions.
Audit logging
Clover is being designed to record important product activity such as document uploads, provider requests, readiness changes, account access, administrative actions, and key updates to Provider Workspaces.
Audit history helps practices understand what happened during a provider launch and supports investigation if something looks wrong.
Secure document storage
Uploaded documents are expected to be stored in access-controlled storage with encryption, limited permissions, and traceable document activity.
Clover should avoid unnecessary duplication of sensitive documents and should keep documents associated with the Provider Workspace where they belong.
Vendor review
Clover may use trusted service providers for hosting, storage, email, analytics, support, security, and operations. Vendors should be selected with security, reliability, and data handling expectations in mind.
As Clover grows, vendor review and documentation should become part of the formal security program.
Security reporting
If you believe you have found a security issue, contact Clover through the Contact page with a clear description, affected page or feature, reproduction steps, and any relevant screenshots or logs.
Please do not access, download, modify, or share data that does not belong to you while investigating a potential issue.
Future SOC 2
Clover is not currently claiming SOC 2 certification. The product and operating practices are being designed with future SOC 2 readiness in mind, including access control, auditability, vendor management, change management, incident response, and risk review.
Future HITRUST
Clover is not currently claiming HITRUST certification. HITRUST may become part of the future compliance roadmap as Clover grows and customer needs require a more formal healthcare security assurance program.