Data Security & Privacy

CareClinicResourcesData Security & Privacy
How we protect your health information

We treat your data as protected health information and secure it from collection to storage. CareClinic is built on secure AWS infrastructure with strict access controls and continuous monitoring. We apply strong encryption, privacy by design, and independent assessments to keep your information safe. You control your data and can export or delete it at any time.

How we protect PHI

  • Privacy by design across app, APIs, and databases.
  • Role based access control and least privilege for staff.
  • Audit logging for all administrative and data access events.
  • Encrypted automated backups and disaster recovery procedures.
  • Network isolation with VPCs, WAF, and automated intrusion detection.
Compliance by region

  • United States: HIPAA safeguards and Business Associate practices where applicable.
  • Canada: PIPEDA aligned. Privacy Impact Assessment and Threat Risk Assessment completed.
  • European Union and UK: GDPR principles supported, including data subject rights and DPA on request.
  • Other regions: Local privacy requirements reviewed before clinical deployments.
Encryption standards

  • Data in transit protected with TLS 1.2+ and HSTS.
  • Data at rest encrypted with AES 256.
  • Secrets and keys stored in managed KMS with rotation.
  • Device level encryption respected for native app storage where supported.
Who sees what data

  • You control your profile, logs, and shares. Exports and deletions are available inside the app.
  • Care teams only see data you choose to share with them.
  • CareClinic staff cannot view personal entries unless you request support that requires limited, logged access.
  • Aggregated analytics use de identified data with safeguards to prevent re identification.
Security certifications and reviews

  • HIPAA aligned administrative, physical, and technical controls.
  • PIPEDA compliance for Canadian users and organizations.
  • SOC 2 Type II and ISO 27001 audits in progress. Status available on request for enterprise customers.
  • Vendor risk reviews, penetration testing, and continuous vulnerability management.

Questions or requests about your data rights, a Data Processing Agreement, or security documentation can be sent to our privacy team at privacy@careclinic.io.