Trust & data protection
Security-conscious infrastructure for clinic and patient data
We describe what we have built — encryption, isolation, access control, audit trails, and secure portals — in plain language. We do not claim HIPAA, ISO, or government certification unless explicitly published later.
Encrypted infrastructure
Connections to MakeMyClinik use HTTPS so data in transit is encrypted between browsers and our servers. Staff and patient sessions use industry-standard authentication practices appropriate for healthcare-adjacent software.
Tenant isolation
Every clinic operates in a dedicated workspace on its own subdomain — patients, staff, queue sessions, and consultations are not mixed with another practice’s data.
Database row-level security (RLS) adds an architectural isolation layer so queries stay scoped to the active clinic tenant.
- Separate subdomain per clinic
- No cross-clinic patient browser
- RLS-enforced data scope at the database layer
Role-based access control
Fine-grained healthcare roles limit who can view protected health information, manage exports, run deletion reviews, or change clinic settings.
Admin, doctor, and front desk logins see job-appropriate screens. When someone leaves, revoke their login without resetting everyone’s password.
Immutable medical records & audit logging
Consultation timelines are designed for clinical continuity and accountability — visit history remains traceable for doctors and auditors without silent rewrites of past care.
Sensitive PHI access and important privacy actions generate audit events so clinics can investigate who accessed what and when.
Secure patient portals & queue links
Live token links show queue position — not internal clinical notes. The optional patient portal exposes only what the clinic relationship allows: bookings, selected history, and privacy controls.
Patients authenticate with credentials the clinic provides; they cannot browse other patients or unrelated clinics.
Consent management & AI transparency
Consent preferences, immutable consent history, and privacy policy version tracking help clinics explain patient choices.
AI clinical summary is assistive only, consent-gated, and reviewable. Clinicians verify against the full chart; AI does not autonomously change care plans.
Backups and responsible hosting
Clinic data is stored on managed cloud infrastructure with regular backups and monitoring. We do not sell patient records for advertising.
For privacy practices, retention, export, and deletion workflows, see our Privacy & Data Protection page.
Operational security at your clinic
Limit admin accounts, rotate passwords when staff change, and use role-appropriate logins at the front desk.
Report a security concern via the privacy contact on this site — we respond to clinic administrators and documented patient inquiries.