ClinicalFlow is built from the ground up with a local-first architecture. Transcripts, notes, and patient information are processed and stored entirely on your computer — not on our servers, not in the cloud. We can’t see it because we never have it.
We didn’t bolt security on after the fact. ClinicalFlow’s core architecture makes data exposure structurally impossible in the default configuration.
Audio recording, transcription, and note generation all happen on your machine. In offline mode, ClinicalFlow makes zero outbound network connections with clinical data. Your computer is the server.
Your settings and API keys are encrypted with a PIN-derived key using AES-256-GCM and PBKDF2 with 100,000 iterations. Even if someone copies your config file, they cannot read it without your PIN.
Our servers store only your email, subscription status, and license key. We never receive transcripts, clinical notes, patient names, dental charts, audio recordings, or any Protected Health Information.
Complete transparency about every data flow in both modes. No fine print.
Data that leaves your device: nothing.
Data routes directly from your device to the AI provider. We are never an intermediary.
A detailed look at how each category of data is protected.
| Data | Location | Encryption | Who can access |
|---|---|---|---|
| Transcripts & clinical notes | Your device only | OS-level (FileVault / BitLocker recommended) | Only you |
| API keys & settings | Your device — config.json | AES-256-GCM + PBKDF2 (100k iterations, PIN-derived) | Only you (requires your PIN) |
| Auth tokens & license | Your device — session.json | AES-256-GCM (app-key encrypted) | The application |
| Account data | Our server (Supabase) | TLS 1.2+ in transit, encrypted at rest, Row Level Security | You + our server (email & subscription only) |
| Payment info | Stripe (PCI DSS Level 1) | Stripe’s infrastructure | Stripe only — we never see full card numbers |
| Audio recordings | Processed in memory, never written to disk | N/A — ephemeral | Only you during the session |
ClinicalFlow is a documentation assistant, not a replacement for clinical judgment.
All AI systems — including the models used by ClinicalFlow — can generate content that sounds plausible but is factually incorrect. This is known as “hallucination” and is an inherent limitation of current AI technology, not a bug specific to ClinicalFlow.
You must review every AI-generated note for accuracy before signing, filing, or submitting it to any medical record system. AI-generated notes are drafts — not finalized clinical documentation. The signing clinician bears full responsibility for the accuracy and completeness of any note entered into the patient’s medical record.
ClinicalFlow includes a built-in two-pass verification system that runs a second AI review to check for hallucinations, contradictions, omissions, and miscategorizations. While this significantly reduces errors, it does not eliminate them entirely. Verification is an aid, not a guarantee.
What hallucination can look like in clinical notes:
By using ClinicalFlow, you acknowledge that AI-generated notes are preliminary drafts intended to accelerate your workflow — not to replace your clinical expertise, judgment, or responsibility. Always read the full note against the transcript before signing.
ClinicalFlow’s local-first architecture inherently minimizes HIPAA risk by keeping PHI off external servers entirely.
Because clinical data is processed locally, there is no PHI transmission to ClinicalFlow servers — eliminating the primary HIPAA risk vector for cloud-based documentation tools.
PIN-based encryption for application data, separate session authentication, and automatic token expiration ensure that only authorized users access the application.
Local activity logging supports compliance documentation requirements. All data access events stay on your device for your records.
Export notes as PDF or plain text at any time. No vendor lock-in, no data hostage. Your documentation is yours to move freely.
AES-256-GCM encryption for settings and credentials. We recommend enabling FileVault (macOS) or BitLocker (Windows) for full-disk encryption of clinical files.
If your organization requires a Business Associate Agreement, contact us at privacy@clinicalflow.us. We are committed to supporting your compliance needs.
Straight answers to the questions we hear most from providers and compliance officers.
No. Never. All clinical data — transcripts, notes, dental charts, patient information, audio — stays exclusively on your local device. Our servers only store your email address, subscription status, and license key. We have no mechanism to access, view, or retrieve your clinical data because it is never transmitted to us.
ClinicalFlow is designed with HIPAA compliance in mind and our local-first architecture inherently minimizes the risk vectors that most cloud-based documentation tools face. In offline mode, no PHI ever leaves your device, which eliminates the most common compliance concerns.
However, HIPAA compliance is a shared responsibility. Each healthcare organization should conduct its own risk assessment. If you choose to use optional cloud AI features (Deepgram, Claude), you are sending data to third-party providers using your own API keys, and you should ensure those providers meet your compliance requirements. We are happy to provide a BAA upon request.
In online mode, audio and transcript data flow directly from your device to the AI provider (Deepgram for transcription, Anthropic for note generation) using your own API keys. ClinicalFlow’s servers are never involved in this data flow — we are not an intermediary, relay, or proxy.
Both Deepgram and Anthropic offer enterprise-grade security, SOC 2 compliance, and HIPAA-eligible plans. We recommend reviewing their privacy policies and, if applicable, obtaining BAAs directly from them for your practice.
The legal standard for clinical documentation has not changed: the signing clinician is responsible for the accuracy of the medical record. Whether you type a note yourself, dictate it, or use an AI assistant, the same standard of care applies.
ClinicalFlow generates draft notes that you must review, edit, and approve before signing. If you treat AI output as a starting point — carefully reviewing it against the encounter — you are using the tool as intended. The risk arises when clinicians sign notes without reading them, regardless of how the note was produced.
We strongly recommend: (1) always reviewing the full note against the transcript, (2) using ClinicalFlow’s built-in verification pass, and (3) making corrections before signing. This workflow is consistent with established standards for dictation and scribe-assisted documentation.
ClinicalFlow’s configuration and API keys are encrypted with your PIN (AES-256-GCM). Without your PIN, this data cannot be decrypted. For maximum protection of clinical files, we strongly recommend enabling full-disk encryption on your computer:
macOS: System Settings → Privacy & Security → FileVault → Turn On
Windows: Settings → Privacy & Security → Device Encryption → Turn On (or enable BitLocker)
With full-disk encryption enabled, all data on a stolen device is unreadable without your system password.
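The PIN-derived encryption described in the overview and in this answer, as an added example that is not ClinicalFlow's own code: Node.js `crypto` derives an AES-256 key with PBKDF2 (100,000 iterations) and seals a config with AES-256-GCM, so a wrong PIN or a modified file fails authentication instead of decrypting. The PBKDF2 hash (SHA-256), salt and nonce sizes, envelope layout, and the sample config fields are assumptions.

```javascript
// Added example; values marked "assumed" are not taken from ClinicalFlow.
const crypto = require('node:crypto');

const ITERATIONS = 100000; // from the page
const KEY_LEN = 32;        // AES-256 key size in bytes
const DIGEST = 'sha256';   // assumed PBKDF2 hash
const SALT_LEN = 16;       // assumed salt size
const NONCE_LEN = 12;      // usual GCM nonce size

// Constructed sample config; field names and the key value are placeholders.
const SAMPLE_CONFIG = { deepgramApiKey: 'dg_EXAMPLE_KEY', mode: 'offline' };

function deriveKey(pin, salt) {
  return crypto.pbkdf2Sync(Buffer.from(pin, 'utf8'), salt, ITERATIONS, KEY_LEN, DIGEST);
}

// Encrypts a config object; returns a JSON-serializable envelope (hypothetical layout).
function sealConfig(pin, config) {
  const salt = crypto.randomBytes(SALT_LEN);   // fresh salt per file
  const nonce = crypto.randomBytes(NONCE_LEN); // fresh nonce per encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(pin, salt), nonce);
  const ct = Buffer.concat([cipher.update(JSON.stringify(config), 'utf8'), cipher.final()]);
  return {
    salt: salt.toString('base64'),
    nonce: nonce.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ciphertext: ct.toString('base64'),
  };
}

// Returns the config object, or null when the PIN is wrong or the envelope was modified.
function openConfig(pin, env) {
  try {
    const key = deriveKey(pin, Buffer.from(env.salt, 'base64'));
    const d = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(env.nonce, 'base64'));
    d.setAuthTag(Buffer.from(env.tag, 'base64'));
    const pt = Buffer.concat([d.update(Buffer.from(env.ciphertext, 'base64')), d.final()]);
    return JSON.parse(pt.toString('utf8'));
  } catch (err) {
    return null; // GCM tag check failed (or the envelope is malformed)
  }
}
```

Because the key comes only from the PIN, the PIN's length determines how costly offline guessing is, and the iteration count multiplies that cost per guess.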
No. We do not train any AI models on your clinical data. We never have access to your clinical data in the first place. When using cloud AI providers (Deepgram, Anthropic) with your own API keys, their data retention and training policies apply — both providers offer options to opt out of training. Anthropic’s API usage is not used for model training by default.
Local data: Delete the ClinicalFlow application data folder on your device. On macOS: ~/Library/Application Support/com.clinicalflow.ai/. This permanently removes all local transcripts, notes, and encrypted settings.
Server data: Use the “Delete Account” option in your account settings, or email privacy@clinicalflow.us. We will permanently delete your account, profile, and license data within 30 days.
We’re happy to discuss your organization’s specific compliance requirements. Reach out to our security team or read our full legal policies.