Security at CareCentra

Healthcare demands the highest bar. We protect patient data with enterprise-grade infrastructure, rigorous certifications, and a security-first engineering culture.

SOC 2 Type II

Independently audited

HIPAA Compliant

BAA included

Pen Tested

Regular third-party audits

OVERVIEW

How We Protect Your Data

CareCentra processes sensitive health information for patients, providers, and payers. Security is not a feature we bolt on -- it is foundational to how we build, deploy, and operate.

Encryption Everywhere

All data encrypted in transit (TLS 1.2+) and at rest (AES-256). Database-level encryption with customer-isolated key management. No unencrypted PHI leaves our systems.

Cloud Infrastructure

Hosted on SOC 2-certified cloud infrastructure with multi-region redundancy, automated failover, and 99.9% uptime SLA. All environments logically isolated per customer.

Access Controls

Role-based access control (RBAC) with least-privilege defaults. Multi-factor authentication enforced for all internal systems. Privileged access reviewed quarterly.

Network Security

Web application firewall, DDoS protection, and intrusion detection across all entry points. VPN-only access to production. Network segmentation isolates clinical data.

Audit Logging

Comprehensive, tamper-evident audit logs capture every access, modification, and export of patient data. Logs retained for a minimum of six years per HIPAA requirements.

Secure Development

Security is embedded in our SDLC: threat modeling, static and dynamic analysis, dependency scanning, peer code review, and pre-deployment security gates on every release.

CERTIFICATIONS & TESTING

Independently Verified

Trust shouldn't be taken at face value. Our security posture is validated by independent auditors and tested by third-party specialists.

SOC 2 Type II Certification

CareCentra has completed a SOC 2 Type II examination covering the Trust Services Criteria for security, availability, and confidentiality. Our audit covers the full platform -- infrastructure, application layer, and operational processes. Reports are available to customers and prospects under NDA upon request.

Penetration Testing

We engage independent, third-party security firms to conduct penetration testing against our application and infrastructure at least annually. Testing scope includes:

  • External network and application-layer testing
  • Authenticated testing of clinical workflows and API endpoints
  • Social engineering and phishing resilience assessments
  • Remediation verification and retest cycles

Continuous Monitoring

Beyond point-in-time testing, we maintain continuous vulnerability scanning, real-time threat detection, and automated compliance monitoring across our production environment. Critical vulnerabilities are triaged within 24 hours and remediated within defined SLA windows.

INCIDENT RESPONSE

When It Matters Most

No system is immune to risk. What matters is how fast you detect, respond, and recover. We maintain a documented incident response program tested through regular tabletop exercises.

Response Protocol

Our incident response plan follows NIST SP 800-61 guidelines and covers identification, containment, eradication, recovery, and post-incident review. Designated security personnel are on-call 24/7/365. Affected customers and regulatory bodies are notified within the timeframes required by HIPAA and applicable state breach notification laws -- and in practice, we aim to notify materially faster than required.

Business Continuity

CareCentra maintains a business continuity and disaster recovery program with defined recovery time and recovery point objectives. Backups are encrypted, geographically distributed, and tested for restoration integrity on a regular schedule. Our platform is designed for graceful degradation -- critical patient safety functions are prioritized in any partial-outage scenario.

PEOPLE & PARTNERS

Security Is a Culture, Not a Checkbox

Technology controls only work when the people and vendors around them are held to the same standard.

Employee Security

  • Background checks on all employees with access to production systems or PHI
  • Mandatory HIPAA and security awareness training at onboarding and annually
  • Phishing simulation campaigns conducted quarterly
  • Endpoint protection and mobile device management on all company devices
  • Immediate access revocation upon termination or role change

Vendor Risk Management

  • Third-party risk assessments for all vendors handling PHI or with network access
  • Business Associate Agreements (BAAs) executed before any PHI is shared
  • Annual vendor re-evaluation and SOC 2 report review
  • Subprocessor list maintained and available to customers upon request

RESPONSIBLE DISCLOSURE

Report a Vulnerability

We appreciate the work of security researchers who help us keep our platform safe. If you believe you have discovered a security vulnerability in CareCentra, please report it responsibly.

How to Report

Email security@carecentra.com with a description of the vulnerability, steps to reproduce, and any supporting evidence. We commit to acknowledging receipt within two business days, providing an initial assessment within five business days, and keeping you informed of remediation progress. We will not pursue legal action against researchers who follow responsible disclosure practices.

Need Our Security Documentation?

SOC 2 reports, penetration test summaries, and our security questionnaire responses are available under NDA.