CliniStack eClinical suite


Security And Vulnerability Disclosure

CliniStack is being built for regulated clinical-trial operations. This page summarizes the public security posture and how to report vulnerabilities.

Last updated: June 4, 2026

Security Posture

CliniStack's architecture is designed around tenant isolation, least privilege, synchronous audit evidence, immutable document storage, governed AI, encrypted transport, encrypted storage, minimum-necessary email, and controlled AWS infrastructure. We use current security guidance, including NIST CSF 2.0, CISA Secure by Design principles, and vulnerability prioritization informed by known-exploited vulnerability signals.

CliniStack is not currently claiming SOC 2, ISO 27001, FedRAMP, HITRUST, or other third-party certification on this public page. Customer-facing compliance commitments must be made in signed agreements and supported by validation and security evidence.

HIPAA And Regulated Data

AWS BAA coverage has been accepted for the AWS account used by the bootstrap foundation, but public website and public email channels are not approved intake paths for PHI, subject identifiers, source records, safety reports, or regulated trial evidence. Customer PHI or regulated records must be handled only through the governed application environment and signed customer terms.

Public Website Controls

  • HTTPS through CloudFront with HTTP redirected to HTTPS.
  • Private S3 origin protected by CloudFront Origin Access Control.
  • HSTS, frame-deny, content-type, and referrer-policy response headers.
  • Static-site deployment through GitHub Actions OIDC, not long-lived AWS access keys.
  • Public inbound email archived in AWS-controlled storage with metadata-only operator notification.
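The header controls in the list above can be verified from outside with a short check. The following is an added example, not CliniStack's own tooling; it assumes "frame-deny" means `X-Frame-Options: DENY` and "content-type" means `X-Content-Type-Options: nosniff`, and the two header sets it checks are constructed samples, not captured responses.

```python
"""Check a captured response for the header controls listed on the page.

Added example, not CliniStack code. Header sets below are constructed samples.
"""
import re

# Referrer-Policy values that never send the full URL to another origin.
SAFE_REFERRER_POLICIES = {
    "no-referrer",
    "same-origin",
    "strict-origin",
    "strict-origin-when-cross-origin",
}

MIN_HSTS_MAX_AGE = 31536000  # one year; also the threshold for HSTS preload


def _lower_keys(headers):
    """Header names are case-insensitive, so normalise before lookup."""
    return {k.lower(): v for k, v in headers.items()}


def check_security_headers(headers):
    """Return a list of findings; an empty list means every control is present."""
    h = _lower_keys(headers)
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m:
            findings.append("HSTS header has no max-age directive")
        elif int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {m.group(1)} is below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS does not cover subdomains")

    # Assumption: "frame-deny" on the page means X-Frame-Options: DENY.
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options is not DENY or SAMEORIGIN")
    elif xfo != "DENY":
        findings.append("X-Frame-Options is SAMEORIGIN, not DENY")

    # Assumption: "content-type" on the page means X-Content-Type-Options: nosniff.
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")

    rp = h.get("referrer-policy", "").strip().lower()
    if rp not in SAFE_REFERRER_POLICIES:
        findings.append(f"Referrer-Policy {rp!r} may leak URLs cross-origin")

    return findings


def check_http_redirect(status, headers):
    """A plain-HTTP response should be a permanent redirect to an https:// URL."""
    h = _lower_keys(headers)
    return status in (301, 308) and h.get("location", "").startswith("https://")


# Constructed sample responses (not captured from any live site).
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOW-FROM https://example.invalid",
    "Referrer-Policy": "unsafe-url",
}

if __name__ == "__main__":
    print("good:", check_security_headers(GOOD_HEADERS))
    print("weak:", check_security_headers(WEAK_HEADERS))
    print("redirect ok:", check_http_redirect(301, {"Location": "https://example.invalid/"}))
```

To run it against a real site, feed `dict(response.headers)` from an HTTPS fetch into `check_security_headers` and the status and headers of the plain-HTTP fetch into `check_http_redirect`. A `Content-Security-Policy` with `frame-ancestors` is the modern replacement for `X-Frame-Options`; the check above follows the page's wording and does not look for it.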

Report A Vulnerability

Send security reports to security@clinistack.dev. Include a clear description, affected URL or component, steps to reproduce, observed impact, and whether any data was exposed. Do not include PHI or regulated trial records in a public security report.

We aim to acknowledge credible reports within three business days and provide a triage update within ten business days. Timelines can change based on severity, reproducibility, third-party dependency involvement, and legal obligations.

Good-Faith Research Rules

For public assets you may perform non-destructive testing that stays within these rules:

  • Do not access, modify, delete, exfiltrate, or retain data that is not yours.
  • Stop testing and report immediately if you encounter non-public data.
  • Do not perform denial-of-service, spam, phishing, social engineering, physical attacks, or destructive tests.
  • Do not test customer tenants, non-public environments, employees, contractors, vendors, or personal accounts.
  • Do not publicly disclose a vulnerability before we have had a reasonable opportunity to investigate and remediate it.

Safe Harbor

If your research follows this policy, is limited to public CliniStack-owned assets, avoids harm, and is reported promptly, CliniStack will not pursue legal action against you for that good-faith research. This does not authorize access to third-party systems or customer data, and it does not waive rights for conduct outside this policy.

No Bug Bounty Yet

We do not currently operate a paid bug bounty program. Submission of a report does not create a right to compensation, employment, attribution, or public acknowledgment.

Machine-Readable Contact

The machine-readable vulnerability contact file is available at /.well-known/security.txt.
