Security is foundational to RAi. Our customers handle sensitive regulatory documentation for medical device companies, and we take our responsibility to protect that data seriously. This page describes our security posture, infrastructure, access controls, and data handling.
RAi is built on proven, enterprise-grade infrastructure providers — we do not run our own data centers. This approach means you benefit from the security investments those providers have already made.
Our API runs on Cloudflare Workers, a globally distributed edge compute platform. Cloudflare provides DDoS protection, WAF (Web Application Firewall), TLS termination, and operates under ISO 27001, PCI DSS Level 1, and other independent security frameworks. All traffic to RAi is served exclusively over HTTPS. HTTP requests are permanently redirected to HTTPS.
Customer Data (documents, metadata, audit logs, org records) is stored in Supabase, which runs on AWS in the us-east-1 region. Supabase provides encryption at rest (AES-256), encryption in transit (TLS 1.2+), automated daily backups with point-in-time recovery, and Row-Level Security (RLS) enforcement at the database layer. Supabase maintains independent third-party security certifications, available through its trust portal.
Uploaded document files are stored in Supabase Storage (AWS us-east-1) with encryption at rest (AES-256) and are accessed only via time-limited signed URLs generated by our API after verifying the requesting user's organization membership and permissions. Documents imported from a connected Microsoft 365 tenant are read on demand via the Microsoft Graph API using OAuth tokens you authorize.
RAi runs on infrastructure operated by Cloudflare and Supabase/AWS, both of which maintain independent third-party security certifications available through their trust portals. Our application-layer controls — access management, audit logging, secret handling, and incident response — are designed and operated to recognized security best practices.
For security reviews, vendor assessments, or specific compliance documentation, contact security@clemtechmedical.com and our team will work directly with your security organization.
Our Data Processing Agreement (DPA) — including the sub-processor list, technical and organizational measures, and Standard Contractual Clauses — is available for enterprise customers.
RAi is a regulatory affairs and QMS platform. Its intended use is to store and manage QMS documentation, device technical files, 510(k) preparation materials, project records, and similar non-patient-specific content. Medical device regulatory documentation — DHFs, risk management files, design records — generally does not constitute PHI under HIPAA as long as it does not contain patient-identifiable information.
Some customers may wish to upload clinical study protocols or post-market surveillance data that could contain patient identifiers. If this applies to you:
Our key sub-processors and their HIPAA status are:
| Sub-Processor | Purpose | HIPAA BAA Available |
|---|---|---|
| Supabase (AWS us-east-1) | Database, Auth & file storage | Yes |
| Cloudflare Workers | API edge compute | Yes (Enterprise) |
| Anthropic (Claude API) | AI chat & analysis | Available — contact Anthropic |
| Microsoft Graph | SharePoint / OneDrive document import (customer-authorized) | Via your Microsoft 365 agreement |
| Resend | Transactional & outreach email delivery | N/A (email addresses only, no PHI) |
| Stripe | Payment processing | N/A (payment data only, no PHI) |
Note: Anthropic's API does not train on API inputs by default. However, if your organization requires a formal BAA covering AI processing, you should contact Anthropic directly.
RAi enforces role-based access control (RBAC) within every Organization. The available roles and their capabilities are:
| Role | Description |
|---|---|
| Owner | Full access; manage billing, members, and all data |
| Admin | Manage members and all content; cannot change billing |
| Member | Create, edit, and sign documents; manage projects |
| Consultant | Read access plus predicate search; cannot sign documents |
| Viewer | Read-only access to documents and projects |
All role checks are enforced at the API layer in our Cloudflare Worker — the front-end UI is for display purposes only and cannot bypass server-side authorization. Organization isolation is enforced at the database layer via Supabase Row-Level Security policies that filter all queries by org_id.
RAi includes an electronic signature feature aligned with the principles of 21 CFR Part 11 (FDA's rule on electronic records and signatures). Our implementation provides:
Every significant action in RAi is written to an immutable audit log. Recorded events include: user login and logout, document upload, download, edit, and deletion, e-signature events, project creation and modification, team member role changes, and AI chat interactions. Audit logs include a timestamp, user ID, user email, action type, target object ID, and relevant metadata.
Audit log entries are retained for a minimum of 7 years to support regulatory and quality management requirements, including 21 CFR Part 820 and ISO 13485 records retention requirements.
Audit logs can be exported by Organization Owners and Administrators from the Audit Log page within the RAi application.
Every query to our database includes an org_id filter enforced by Row-Level Security (RLS). It is architecturally impossible for a query from one organization's authenticated session to return data belonging to a different organization.
Supabase provides automated daily backups with point-in-time recovery. Our Recovery Time Objective (RTO) and Recovery Point Objective (RPO) depend on Supabase's infrastructure SLAs, which are available at supabase.com.
No secrets, API keys, or tokens are embedded in client-side JavaScript. All sensitive values are stored as Cloudflare Worker environment secrets and accessed only server-side at runtime.
In the event of a confirmed security incident involving Customer Data, we will:
To report a security incident or potential vulnerability, email us immediately at security@clemtechmedical.com.
We welcome reports of security vulnerabilities from security researchers and customers. If you discover a potential security issue in RAi, please:
We do not currently operate a paid bug bounty program, but we deeply appreciate responsible disclosure and will acknowledge valid reports.
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have certain rights under the General Data Protection Regulation (GDPR) or equivalent laws, including the right to access, correct, delete, or export your personal data.
Our primary data processing occurs in the United States (AWS us-east-1). Data transfers from the EEA to the US rely on Standard Contractual Clauses (SCCs) as provided in Supabase's data processing agreements. We are not an established business in the EEA and do not designate an EU representative at this time; if you have GDPR concerns, contact us at privacy@clemtechmedical.com.
For a full description of data we collect and how we use it, see our Privacy Policy.
We use the following sub-processors to deliver the Service:
| Vendor | Purpose | Data Processed | Location |
|---|---|---|---|
| Supabase / AWS | Database, Auth, Storage | Customer Data, user accounts, files | US (us-east-1) |
| Cloudflare | CDN, Workers, WAF | All traffic (edge compute) | Global edge |
| Anthropic | AI (Claude API) | Chat inputs / AI prompts | US |
| Microsoft Graph | SharePoint / OneDrive import | Documents you choose to import | Your M365 region |
| Resend | Email delivery | Recipient email addresses, message content | US |
| Stripe | Payment processing | Billing info (no PHI) | US |
| Plausible | Privacy-preserving web analytics | Aggregate page views (no cookies, no PII) | EU |
We do not sell your data to third parties. Sub-processors are only permitted to process your data as needed to provide the Service.