Data Security & Compliance

This statement applies to CareClinic Software Inc. and all affiliated applications, platforms, and subsidiaries that process, transmit, or store data under our control.

We treat your data as protected health information and secure it from collection to storage. CareClinic operates on secure AWS infrastructure in Canada and the United States with strict access controls and continuous monitoring. We apply strong encryption, privacy by design, and independent assessments to keep information safe. You control your data and can export or delete it at any time.

Safety and Intended Use

  • CareClinic is a self-management and tracking platform that helps users record, organize, and share their own health information.
  • CareClinic does not diagnose, prescribe, or make clinical decisions. It supports symptom awareness, adherence, and communication with healthcare professionals.
  • Design and release practices aim to reduce user error, protect data integrity, and maintain reliable operation.

How we protect PHI

  • Privacy by design across apps, APIs, and databases.
  • Role-based access control and least privilege for staff.
  • Audit logging for administrative and data access events.
  • Encrypted automated backups and disaster recovery procedures.
  • Network isolation with VPCs, WAFs, and automated intrusion detection.
  • Verifiable clinical records imported from the Apple Health app are treated as PHI, encrypted in transit and at rest, and used only for the user’s personal health management. They are not used for advertising or eligibility decisions, and are not shared with third parties except as described in our Privacy Policy or when required by law.

Quality, Performance, and Reliability

  • 24/7 monitoring for uptime, latency, and errors with automated alerts.
  • Target uptime greater than 99 percent backed by multi-AZ and multi-region redundancy.
  • Staged deployments with unit, integration, and regression tests before release.
  • Issue tracking with severity levels, service level targets, and documented fix cycles.
  • Capacity planning and load testing to maintain performance under peak usage.

Data residency and backups

  • Primary hosting in Canada and the United States on AWS.
  • Backups are encrypted and replicated across separate availability zones.
  • Weekly backup integrity checks and periodic restore drills.
  • Regional isolation and residency options can be arranged for enterprise deployments.

Encryption standards

  • Data in transit protected with TLS 1.2+ and HSTS.
  • Data at rest is encrypted with AES-256.
  • Secrets and keys are stored in managed KMS with rotation and access logging.
  • Device-level encryption is respected for native app storage where supported.

Incident response: defined detection, containment, and notification procedures. All incidents are logged, triaged within 24 hours, and reported to relevant parties or regulators as required by law. Root cause analysis and corrective actions are tracked to closure.

Who sees what data

  • You control your profile, logs, and shares. Exports and deletions are available inside the app.
  • Care teams only see data you choose to share with them.
  • CareClinic staff cannot view personal entries unless you request support that requires limited, logged access.
  • Aggregated analytics use de-identified data that cannot be linked back to individual users and are used for service improvement and operational insights.

Vendor and access control

  • Third-party vendors sign Data Processing Agreements and undergo risk assessment before approval.
  • Least-privilege access with quarterly reviews and immediate revocation on role change.
  • Multi-factor authentication is required for administrative and support access.
  • All integrations use scoped keys, rotating credentials, and IP or role restrictions.

Security certifications and reviews

  • HIPAA-aligned administrative, physical, and technical controls.
  • PIPEDA alignment for Canadian users and organizations.
  • SOC 2 Type II and ISO 27001 audits in progress. Status available on request for enterprise customers.
  • Annual third-party penetration testing and recurring vulnerability assessments.
  • Continuous vulnerability management and timely patching based on severity.

Risk management

  • Formal risk register covering data protection, functional reliability, and user safety.
  • Quarterly reviews and reassessment after major releases or regulatory changes.
  • Mitigation plans tracked to closure with evidence and owner accountability.

Post-market review and corrective action

  • Scheduled review of system logs, error reports, analytics, and user feedback.
  • Signal detection for safety, usability, and performance issues.
  • Documented corrective and preventive actions released through app and service updates.

Usability and accessibility

  • User interfaces were reviewed with patients and caregivers to reduce data entry errors.
  • Plain language labels and consistent navigation patterns.
  • Design informed by WCAG 2.1 and ISO 62366 principles where applicable.

Compliance by region

  • United States: HIPAA safeguards and Business Associate practices where applicable.
  • Canada: PIPEDA aligned. Privacy Impact Assessment and Threat Risk Assessment completed.
  • European Union and UK: GDPR principles supported, including data subject rights and DPA on request.
  • Other regions: Local privacy and security requirements reviewed before clinical or enterprise deployments.

Enterprise and compliance requests: Enterprise, clinical, or research partners may request a Data Protection Agreement, PIA or TRA summary, penetration test attestation, or current audit status by contacting support@careclinic.io.

Questions or requests about security documentation can be sent to support@careclinic.io.

Last modified: Nov 12, 2025