Clio and compliance protection mechanisms

Clio completes an annual self-assessment of processes, configuration, and control mechanisms to validate our compliance with legislation. Clio subscription plans and offerings include the following protection mechanisms:

  • Data encryption in transit and at rest.
  • Restricted physical access to production servers.
  • Data backups performed multiple times per day.
  • Strict logical system access controls.
  • Mirrored data center facilities with daily backups to mitigate disaster situations.
  • 99.9% uptime Service Level Agreement. Learn more about Clio’s current status and uptime percentages.
  • Configurable administrative controls available to the customer, including:
    • Explicit authorization for which users may read, download, and edit customer files.
    • Access monitoring.
    • A reporting trail of account activity covering both users and content.
    • A formally defined and tested breach notification policy.
    • Employee training on security policies and controls.
    • Highly restricted employee access to customer data files.


Clio and British Columbia rules for trust accounting

Clio is unable to provide regulatory or legal advice; however, Clio clients in BC use our trust ledger report and QuickBooks to meet BC trust requirements.

Tip: The Law Society of British Columbia offers trust accounting resources and a trust account handbook for operating a trust account in BC.


Clio and the Law Society of Ontario

Clio is unable to provide regulatory or legal advice; however, law firms using Clio have been audited by the Law Society of Ontario and found to be compliant. Documenting all required paperwork in Clio has been found to be sufficient to meet compliance requirements.


Clio and PIPEDA

The Personal Information Protection and Electronic Documents Act (PIPEDA) is a data protection law in Canada. PIPEDA is essential in ensuring the rights of individuals to control access to their personal information.

Clio’s product services and business operations meet PIPEDA requirements and our clients’ obligation toward data protection for Canadian residents.

Learn more about PIPEDA.


Clio and HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) is a federal United States law that sets standards for the protection of individuals’ medical records and other personal health information.

While there is no official HIPAA certification, Clio completes an annual self-assessment of our processes, configuration, and control mechanisms to validate our compliance with legislation. Additionally, Clio has successfully completed an internal HIPAA attestation examination. This means that we store and process data in a manner that is consistent with HIPAA standards and can help our customers fulfill their Protected Health Information (PHI) obligations.

If your law firm is required to be HIPAA compliant, we can enter into a Business Associate Agreement (BAA) with your organization to help you better support your clients while protecting any ePHI data you may have. Contact Clio's support team or your account manager for more information.

Note: Clio's HIPAA add-on is only available for accounts hosted in the United States. Additionally, if an account has been identified to contain PHI, each user on the account is required to have a HIPAA add-on for the BAA to be applicable.

Important: You cannot redline or edit the Clio BAA. The Clio BAA contains all mandatory language and is taken directly from HIPAA regulations. Any additional terms and conditions would be unrelated to HIPAA and beyond what is required to comply with the Standards for Privacy of Individually Identifiable Health Information found at 45 CFR Part 160 and Part 164, Subparts A and E (collectively, the “Privacy Rule”). Therefore, Clio will not accept any edits to the BAA.

Learn more about HIPAA and Clio’s Terms of Service and Privacy Policy.


Clio and reporting security bugs or vulnerabilities

If you are aware of a valid security bug and/or security vulnerability in any Clio application (the mobile app, web app, or any add-ons), you can inform Clio's security team by completing Clio's responsible disclosure submission form. Valid security vulnerabilities in any Clio application may be eligible for a reward. This includes novel discoveries, findings that grant unauthorized or additional access, and OWASP Top Ten findings. Clio's security team will follow up with next steps within two business days of receiving the report.

Note: Reports that are not disclosed responsibly are not eligible for any reward.


Clio and data residency

For North American Clio accounts, Clio has a US server and a Canadian server. The Canadian server is a separate Canadian-based environment where firms in Canada that are subject to data residency requirements can create their Clio Manage accounts. If your firm is required to store some or all of your client data in Canada, you can store your data on the Canadian server.

If you are a new Clio customer located in Canada and want to store your data on the Canadian server, schedule a demo and contact your sales representative. Your sales representative will complete your account setup on Clio's Canadian server. If you are an existing Clio customer located in Canada and need to store your data in Canada, contact Clio's support team to switch to the Canadian server.

Important: Court Rules and Clio Grow are not available on the Canadian server. Document templates and eSignatures are available on the Canadian server but do not meet data residency requirements, because the companies that Clio uses to generate documents and send eSignatures are located in the US. Additionally, third-party integrations vary by region. You can view Clio's complete list of integrations that can be used on the Canadian server in the Clio App Directory.
