Clio and compliance protection mechanisms
Clio completes an annual self-assessment of processes, configuration, and control mechanisms to validate our compliance with legislation. Clio subscription plans and offerings include the following protection mechanisms:
- Data encryption in transit and at rest.
- Restricted physical access to production servers.
- Data backups performed multiple times per day.
- Strict logical system access controls.
- Mirrored data center facilities with daily backups to mitigate disaster situations.
- 99.9% uptime Service Level Agreement. Learn more about Clio’s current status and uptime percentages.
Configurable administrative controls available to the customer, including:
- Explicit authorization to customer files to read, download, and edit.
- Monitor access.
- Reporting trail of account activities on both users and content.
- Formally defined and tested breach notification policy.
- Employee training on security policies and controls.
- Highly restricted employee access to customer data files.
Clio and British Columbia rules for trust accounting
Clio is unable to provide regulatory or legal advice; however, Clio clients in BC use our trust ledger report and QuickBooks to meet BC trust requirements.
Clio and the Law Society of Ontario
Clio is unable to provide regulatory or legal advice; however, law firms using Clio have been audited by the Law Society of Ontario and found to be compliant. Documenting all required paperwork in Clio has been found to be sufficient to meet compliance requirements.
Learn more about the Law Society of Ontario’s trust accounting rules.
Clio and PIPEDA
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a data protection law in Canada. PIPEDA is essential in ensuring the rights of individuals to control access to their personal information.
Clio’s product services and business operations meet PIPEDA requirements and our clients’ obligation toward data protection for Canadian residents.
Learn more about PIPEDA.
Clio and HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) is a federal United States law that sets standards for the protection of individuals’ medical records and other personal health information.
While there is no official HIPAA certification, Clio completes an annual self-assessment of our processes, configuration, and control mechanisms to validate our compliance with legislation. Additionally, Clio has successfully completed an internal HIPAA attestation examination. This means that we store and process data in a manner that is consistent with HIPAA standards and can help our customers fulfill their Protected Health Information (PHI) obligations.
If your law firm is required to be HIPAA compliant, we can enter into a Business Associate Agreement (BAA) with your organization to help you better support your clients while protecting any ePHI data you may have. Contact Clio's support team or your account manager for more information.
Note: Clio's HIPAA add-on is only available for accounts hosted in the United States. Additionally, if an account has been identified to contain PHI, each user on the account is required to have a HIPAA add-on for the BAA to be applicable.
Important: You cannot redline or edit the Clio BAA. The Clio BAA complies with all mandatory language and is taken directly from HIPAA regulations. Any additional terms and conditions would be unrelated to HIPAA and above what is required to comply with the Standards for Privacy for Individually Identifiable Health Information found at 45 CFR Part 160 and Part 164, Subparts A and E (collectively, the “Privacy Rule”). Therefore, Clio will not accept any edits to the BAA.
Clio and reporting security bugs or vulnerabilities
If you are aware of a valid security bug and/or security vulnerability on any Clio application (the mobile app, web app, and any add-ons), you can inform Clio's security team by completing Clio's responsible disclosure submission form here. Valid security vulnerabilities in any Clio application may be eligible for a reward. This includes novel discoveries, gaining additional illicit access, and OWASP Top Ten findings. Clio's security team will follow up with next steps within two business days of receiving the report.
Note: Reports that are not disclosed responsibly are not eligible for any reward.
Clio and data residency
For North American Clio accounts, Clio has a US server and a Canadian server. The Canadian server is a separate Canadian-based environment where firms in Canada who are subject to data residency requirements can create their Clio Manage accounts. If your firm is required to store some or all of your client data in Canada, you can store your data on the Canadian server.
If you are a new Clio customer located in Canada and want to store your data on the Canadian server, schedule a demo and contact your sales representative. Your sales representative will complete your account setup on Clio's Canadian server. If you are an existing Clio customer located in Canada and need to store your data in Canada, contact Clio's support team to switch to the Canadian server.
Important: Court Rules and Clio Grow are not available on the Canadian server. Document templates and eSignatures are available on the Canadian server but do not meet data residency requirements since the companies that Clio uses to generate documents and send eSignatures are located in the US. Additionally, third-party integrations will vary by region. You can view Clio's complete list of integrations that can be used on the Canadian server in the Clio App Directory here.