R
RAi by Clemtech Medical Solutions

Security & HIPAA Disclosure

Last updated: May 28, 2026

Security is foundational to RAi. Our customers handle sensitive regulatory documentation for medical device companies, and we take our responsibility to protect that data seriously. This page describes our security posture, infrastructure, access controls, and data handling.

Security at a Glance

🔒
TLS 1.2+ in transit
✓ Enabled (Cloudflare)
🔐
AES-256 at rest
✓ Supabase / Cloudflare
🔑
MFA / 2FA
✓ Supported via Supabase Auth
🛡️
Row-Level Security
✓ Enabled on all tables
📋
Audit Log
✓ Every action recorded
✍️
E-Signature (21 CFR 11)
✓ Aligned (not FDA-audited)
🏥
HIPAA BAA
◯ Available on request
🌍
GDPR
◯ Data rights supported
🐛
Bug Bounty
◯ Responsible disclosure

Infrastructure & Architecture

RAi is built on proven, enterprise-grade infrastructure providers — we do not run our own data centers. This approach means you benefit from the security investments those providers have already made.

Cloudflare

Our API runs on Cloudflare Workers, a globally distributed edge compute platform. Cloudflare provides DDoS protection, WAF (Web Application Firewall), TLS termination, and operates under ISO 27001, PCI DSS Level 1, and other independent security frameworks. All traffic to RAi is served exclusively over HTTPS. HTTP requests are permanently redirected to HTTPS.

Supabase

Customer Data (documents, metadata, audit logs, org records) is stored in Supabase, which runs on AWS in the us-east-1 region. Supabase provides encryption at rest (AES-256), encryption in transit (TLS 1.2+), automated daily backups with point-in-time recovery, and Row-Level Security (RLS) enforcement at the database layer. Supabase maintains independent third-party security certifications, available through its trust portal.

Document File Storage

Uploaded document files are stored in Supabase Storage (AWS us-east-1) with encryption at rest (AES-256) and are accessed only via time-limited signed URLs generated by our API after verifying the requesting user's organization membership and permissions. Documents imported from a connected Microsoft 365 tenant are read on demand via the Microsoft Graph API using OAuth tokens you authorize.

Network Security

Compliance & Vendor Reviews

RAi runs on infrastructure operated by Cloudflare and Supabase/AWS, both of which maintain independent third-party security certifications available through their trust portals. Our application-layer controls — access management, audit logging, secret handling, and incident response — are designed and operated to recognized security best practices.

For security reviews, vendor assessments, or specific compliance documentation, contact security@clemtechmedical.com and our team will work directly with your security organization.

Our Data Processing Agreement (DPA) — including the sub-processor list, technical and organizational measures, and Standard Contractual Clauses — is available for enterprise customers.

HIPAA Disclosure

RAi is not designed or marketed as a HIPAA-covered application. Do not upload Protected Health Information (PHI) without a signed Business Associate Agreement (BAA).

RAi is a regulatory affairs and QMS platform. Its intended use is to store and manage QMS documentation, device technical files, 510(k) preparation materials, project records, and similar non-patient-specific content. Medical device regulatory documentation — DHFs, risk management files, design records — generally does not constitute PHI under HIPAA as long as it does not contain patient-identifiable information.

If You Need PHI Processing

Some customers may wish to upload clinical study protocols or post-market surveillance data that could contain patient identifiers. If this applies to you:

Sub-Processors Relevant to HIPAA

Our key sub-processors and their HIPAA status are:

Sub-ProcessorPurposeHIPAA BAA Available
Supabase (AWS us-east-1)Database, Auth & file storageYes
Cloudflare WorkersAPI edge computeYes (Enterprise)
Anthropic (Claude API)AI chat & analysisAvailable — contact Anthropic
Microsoft GraphSharePoint / OneDrive document import (customer-authorized)Via your Microsoft 365 agreement
ResendTransactional & outreach email deliveryN/A (email addresses only, no PHI)
StripePayment processingN/A (payment data only, no PHI)

Note: Anthropic's API does not train on API inputs by default. However, if your organization requires a formal BAA covering AI processing, you should contact Anthropic directly.

Access Control

RAi enforces role-based access control (RBAC) within every Organization. The available roles and their capabilities are:

RoleDescription
OwnerFull access; manage billing, members, and all data
AdminManage members and all content; cannot change billing
MemberCreate, edit, and sign documents; manage projects
ConsultantRead access plus predicate search; cannot sign documents
ViewerRead-only access to documents and projects

All role checks are enforced at the API layer in our Cloudflare Worker — the front-end UI is for display purposes only and cannot bypass server-side authorization. Organization isolation is enforced at the database layer via Supabase Row-Level Security policies that filter all queries by org_id.

Electronic Signatures (21 CFR Part 11)

RAi includes an electronic signature feature aligned with the principles of 21 CFR Part 11 (FDA's rule on electronic records and signatures). Our implementation provides:

Note: "21 CFR Part 11 aligned" means our system is designed to support the key requirements of that regulation. We have not undergone a formal Part 11 audit or third-party validation. Your Quality team should assess our implementation against your specific needs and document their evaluation in your system validation records.

Audit Logging

Every significant action in RAi is written to an immutable audit log. Recorded events include: user login and logout, document upload, download, edit, and deletion, e-signature events, project creation and modification, team member role changes, and AI chat interactions. Audit logs include a timestamp, user ID, user email, action type, target object ID, and relevant metadata.

Audit log entries are retained for a minimum of 7 years to support regulatory and quality management requirements, including 21 CFR Part 820 and ISO 13485 records retention requirements.

Audit logs can be exported by Organization Owners and Administrators from the Audit Log page within the RAi application.

Data Protection Practices

Encryption

Data Isolation

Every query to our database includes an org_id filter enforced by Row-Level Security (RLS). It is architecturally impossible for a query from one organization's authenticated session to return data belonging to a different organization.

Backup and Recovery

Supabase provides automated daily backups with point-in-time recovery. Our Recovery Time Objective (RTO) and Recovery Point Objective (RPO) depend on Supabase's infrastructure SLAs, which are available at supabase.com.

Secrets Management

No secrets, API keys, or tokens are embedded in client-side JavaScript. All sensitive values are stored as Cloudflare Worker environment secrets and accessed only server-side at runtime.

Incident Response

In the event of a confirmed security incident involving Customer Data, we will:

To report a security incident or potential vulnerability, email us immediately at security@clemtechmedical.com.

Responsible Disclosure

We welcome reports of security vulnerabilities from security researchers and customers. If you discover a potential security issue in RAi, please:

We do not currently operate a paid bug bounty program, but we deeply appreciate responsible disclosure and will acknowledge valid reports.

GDPR & International Data

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have certain rights under the General Data Protection Regulation (GDPR) or equivalent laws, including the right to access, correct, delete, or export your personal data.

Our primary data processing occurs in the United States (AWS us-east-1). Data transfers from the EEA to the US rely on Standard Contractual Clauses (SCCs) as provided in Supabase's data processing agreements. We are not an established business in the EEA and do not designate an EU representative at this time; if you have GDPR concerns, contact us at privacy@clemtechmedical.com.

For a full description of data we collect and how we use it, see our Privacy Policy.

Third-Party Sub-Processors

We use the following sub-processors to deliver the Service:

VendorPurposeData ProcessedLocation
Supabase / AWSDatabase, Auth, StorageCustomer Data, user accounts, filesUS (us-east-1)
CloudflareCDN, Workers, WAFAll traffic (edge compute)Global edge
AnthropicAI (Claude API)Chat inputs / AI promptsUS
Microsoft GraphSharePoint / OneDrive importDocuments you choose to importYour M365 region
ResendEmail deliveryRecipient email addresses, message contentUS
StripePayment processingBilling info (no PHI)US
PlausiblePrivacy-preserving web analyticsAggregate page views (no cookies, no PII)EU

We do not sell your data to third parties. Sub-processors are only permitted to process your data as needed to provide the Service.

Contact Our Security Team