[ Security ]
Security built forcare data, not checklists.
PHI encryption, passkeys, audit logs, and tenant isolation — the controls that protect the most sensitive data in home care.
Pursuing SOC 2 Type I Certification
Our security controls are aligned with AICPA Trust Service Criteria
How We Protect Your Data
Passkey Authentication (WebAuthn)
Sign in with Face ID, Touch ID, Windows Hello, or hardware security keys. Passkeys are phishing-resistant and eliminate password vulnerabilities entirely.
Two-Factor Authentication (TOTP)
Secure your account with authenticator apps like Google Authenticator or Authy. Time-based one-time passwords add an extra layer beyond your password.
PHI Field-Level Encryption
All protected health information is encrypted at rest using AES-256-CBC encryption. Phone numbers, addresses, dates of birth, and other sensitive fields are never stored in plain text.
Comprehensive Audit Logging
Every access to sensitive data is logged with timestamps, user identification, and action details. Full audit trails enable compliance reporting and security monitoring.
Multi-Tenant Data Isolation
Each organization's data is completely isolated in separate databases. There is no possibility of data leakage between organizations.
Role-Based Access Control
Granular permission levels ensure users only access data relevant to their role. Admins can customize access for case managers, provider admins, and staff.
ESIGN Act Compliant E-Signatures
Built-in digital signatures for onboarding documents (W-4, I-9, HIPAA). Full audit trail with IP address, timestamp, and user agent for legal compliance.
Security Headers & Rate Limiting
Industry-standard security headers (HSTS, CSP, X-Frame-Options) protect against common web vulnerabilities. Rate limiting prevents abuse and brute-force attacks.
Protected Care Photos
Photos attached to visit notes are stored on private, tenant-isolated storage — never public URLs. Location metadata (EXIF/GPS) is stripped automatically on upload, and every view is access-logged.
Self-Hosted Voice Transcription
Voice-dictated notes are transcribed by speech-recognition models running entirely on our own servers. Audio is processed in memory, deleted immediately, and never sent to any third-party AI provider.
HIPAA-Aligned Practices
Our security practices align with HIPAA requirements for protected health information. We implement administrative, physical, and technical safeguards.
Compliance Status
Our Security Commitments
Security Questions?
If you have questions about our security practices or need to report a vulnerability, please contact us.