Security at Caro

Caro cares deeply about keeping our customers' and patients' data secure. Caro is certified for both ISO27001 and NEN7510. Have questions or feedback? Feel free to reach out to us at security@caro.health.

Infrastructure

Cloud infrastructure

All of our services run in the cloud. We don’t host or run our own routers, load balancers, DNS servers, or physical servers. Our platform is built on Amazon Web Services (AWS). Under the shared responsibility model, AWS is responsible for the security of the physical data centres, the network and the virtualisation layer, and holds a broad set of independently audited security and compliance certifications (including ISO 27001 and SOC 2); we remain responsible for the security of everything we build on top of it.

Hosting

The Caro platform is built on AWS Lambda, SNS, and API Gateway, which are all serverless: we do not run, patch, or expose any traditional servers ourselves, because the operating system and runtime are managed by AWS. Our infrastructure is defined in AWS CloudFormation templates, and all infrastructure changes go through our deployment pipeline on GitLab, which includes automated security tests that drive the application in a headless browser with Puppeteer.

Network level security monitoring and protection

We use AWS CloudFront in front of API Gateway and our front-end assets to mitigate the risk of DDoS attacks. CloudFront includes AWS Shield Standard, which absorbs common network- and transport-layer floods at the edge before they reach our API.

Data encryption

Encryption in transit: All data sent to or from our infrastructure is encrypted in transit using Transport Layer Security (TLS), configured according to current best practice. You can see our SSL Labs reports for the app and back-end.

Encryption for internal application communication: All internal communication between components goes over SNS topics with server-side encryption enabled, and the policies that define which components may publish to and subscribe to each topic are managed in the same CloudFormation templates as the rest of the infrastructure.

Encryption at rest: Application data is stored in MongoDB Atlas databases, which encrypt all data at rest. Authentication data - phone numbers and password credentials - is held in AWS Cognito user pools, a managed identity service that encrypts data at rest and never exposes stored passwords to our application code.

Business continuity and disaster recovery

We back up application data and regularly test restoring from backup to ensure a fast recovery in case of disaster. All our backups are encrypted.

Caro does not manage a data centre or individual servers, so compute and storage failures are handled transparently by AWS. The platform runs in a single AWS region, so the smallest infrastructure-level disaster that could affect the application would be the whole AWS eu-west-1 region becoming unavailable.

Application security

Monitoring

We run automated vulnerability scans with Probely every week, in-depth security assessments with Bulwarkers twice a year, and do regular spot checks with Mozilla Observatory.

We use AWS CloudWatch and X-Ray to monitor, log, and trace exceptions.

We run automated traffic watchers which analyse all internal application communication, identify failures and attempted security breaches, and notify us in real time.

We collect and store logs to provide an audit trail of application activity (see audit logging below).

Security in the software development process

All dependencies are audited for known vulnerabilities as part of our automated build process, which fails if a vulnerability is discovered. Every change is code reviewed for security vulnerabilities before it is merged, following established guidance such as the OWASP Top 10 and the CWE/SANS Top 25.
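A build gate of the kind described above, written here as an added example and not Caro's own pipeline code. It evaluates the JSON report produced by `npm audit --json` (npm 7 and later key the `vulnerabilities` object by package name and give each entry a `severity`), fails the build at a configurable severity threshold, treats an unrecognised severity as the worst case rather than ignoring it, and allows accepted findings only through time-boxed exceptions so that a risk acceptance cannot silently become permanent. The report, package names and exception list are constructed for illustration.

```javascript
// Added example, not Caro's code: a build gate over the JSON report produced by
// `npm audit --json` (npm 7+ format, keyed by package name). The report, package
// names and exception list below are constructed for illustration.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample report with three findings of different severities.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-template': { name: 'example-template', severity: 'critical', isDirect: true,  fixAvailable: true },
    'example-logger':   { name: 'example-logger',   severity: 'high',     isDirect: false, fixAvailable: false },
    'example-colors':   { name: 'example-colors',   severity: 'low',      isDirect: false, fixAvailable: true },
  },
};

// Accepted risks are time-boxed: an exception names the package, the reason and
// an expiry date, after which the finding blocks the build again.
const SAMPLE_EXCEPTIONS = [
  { pkg: 'example-logger', reason: 'dev-only transitive dependency, no upstream fix yet', expires: '2099-01-01' },
];

// Returns { pass, failures, accepted }. The build should exit non-zero when pass is false.
function evaluateAudit(report, { failAt = 'high', exceptions = [], today = new Date() } = {}) {
  const threshold = SEVERITY_RANK[failAt];
  const failures = [];
  const accepted = [];
  for (const [name, vuln] of Object.entries(report.vulnerabilities || {})) {
    // An unrecognised severity string is treated as critical, never skipped.
    const rank = SEVERITY_RANK[vuln.severity] ?? SEVERITY_RANK.critical;
    if (rank < threshold) continue;
    const exc = exceptions.find(e => e.pkg === name);
    if (exc && new Date(exc.expires) > today) {
      accepted.push(name);          // still within its review date
      continue;
    }
    failures.push({ name, severity: vuln.severity, expiredException: Boolean(exc) });
  }
  return { pass: failures.length === 0, failures, accepted };
}

const result = evaluateAudit(SAMPLE_REPORT, { exceptions: SAMPLE_EXCEPTIONS });
console.log(JSON.stringify(result, null, 2)); // pass: false; example-template blocks the build
```

In a CI job the script would read the report from `npm audit --json` on stdin and exit non-zero when `pass` is false; `expiredException` lets the job print a distinct message when a previously accepted finding has fallen out of its review window.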

Responsible disclosure

You can report vulnerabilities by contacting security@caro.health. Please include a proof of concept with your submission. We will respond as quickly as possible and will not take legal action against researchers who follow these rules and stay within the coverage listed below.

Coverage

*.caro.app

*.caro.health

Exclusions:

caro.health

www.caro.health

Internal security policies

Access to infrastructure

Two-factor authentication is required for access to our AWS and MongoDB Atlas accounts. Infrastructure in AWS, and databases in MongoDB Atlas, are accessed using dedicated profiles created with the minimum permissions required for the task at hand.

Audit logging

The Caro platform stores an immutable, cryptographically verifiable log of all activity on sensitive information assets in Amazon QLDB. Access to these logs is strictly controlled, and they are reviewed regularly.

Access control and multi-tenancy

The Caro application enforces strict access control through an action-based access control mechanism, in which every request is checked against the specific actions the caller is permitted to perform, and a robust multi-tenancy implementation that keeps each customer's data isolated from every other customer's.
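The shape of such a check, as an added example that is not Caro's own code: data access is scoped to the caller's tenant at the repository layer, the action check denies anything a role does not explicitly grant, and a record belonging to another tenant is reported as not found rather than forbidden so that a foreign record ID cannot be confirmed by probing. The role names, action names, tenants and patient records are constructed for illustration.

```javascript
// Added example, not Caro's code: an action-based access control check with
// per-tenant data partitioning, deny by default. Role names, action names and
// the patient records below are constructed for illustration.

// Which actions each role may perform. Anything not listed here is denied.
const ROLE_ACTIONS = {
  clinician: new Set(['patient:read', 'patient:update', 'note:create']),
  receptionist: new Set(['patient:read', 'appointment:create']),
};

// Constructed sample data: two tenants (care organisations) in one database.
const PATIENTS = [
  { id: 'p-100', tenantId: 'clinic-a', name: 'A. Example' },
  { id: 'p-200', tenantId: 'clinic-b', name: 'B. Example' },
];

// Data access is tenant-scoped at the repository layer, so no caller can
// "forget" the tenant filter: another tenant's record is simply not found.
function findPatient(actor, patientId) {
  return PATIENTS.find(p => p.id === patientId && p.tenantId === actor.tenantId) || null;
}

// Action-based check. The tenant is re-checked here as defence in depth and a
// mismatch is reported as 'not_found' so a foreign record ID is never confirmed.
function authorize(actor, action, resource) {
  if (!actor || !resource || actor.tenantId !== resource.tenantId) {
    return { allowed: false, reason: 'not_found' };
  }
  const roles = actor.roles || [];
  const granted = roles.some(role => (ROLE_ACTIONS[role] || new Set()).has(action));
  return granted ? { allowed: true, reason: 'ok' } : { allowed: false, reason: 'forbidden' };
}

// Request handler shape: look the record up within the tenant, then check the
// action. Returns the HTTP status an API handler would send back.
function handlePatientRequest(actor, action, patientId) {
  const record = findPatient(actor, patientId);
  if (!record) return { status: 404 };
  const decision = authorize(actor, action, record);
  if (!decision.allowed) return { status: decision.reason === 'not_found' ? 404 : 403 };
  return { status: 200, body: record };
}

const clinicianA = { id: 'u-1', tenantId: 'clinic-a', roles: ['clinician'] };
const receptionistA = { id: 'u-2', tenantId: 'clinic-a', roles: ['receptionist'] };

console.log(handlePatientRequest(clinicianA, 'patient:read', 'p-100').status);      // 200
console.log(handlePatientRequest(clinicianA, 'patient:read', 'p-200').status);      // 404, other tenant's record
console.log(handlePatientRequest(receptionistA, 'patient:update', 'p-100').status); // 403, action not granted to role
console.log(handlePatientRequest(clinicianA, 'patient:delete', 'p-100').status);    // 403, action not defined anywhere
```

The two places the tenant is checked are deliberate: the repository filter is what prevents cross-tenant reads in practice, and the check inside `authorize` catches any future code path that fetches a record some other way.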

Compliance

GDPR

Caro is compliant with the General Data Protection Regulation (GDPR), including the right to be forgotten and the right to data portability. The purpose of the GDPR is to protect the personal data of people in the EU and give them more control over it. Feel free to reach out to us at security@caro.health for more details on how we comply with the GDPR, or have a look at our privacy notice.

ISO27001 / NEN7510

Caro has been certified by Kiwa for both ISO27001 (the international standard for information security management systems) and NEN7510 (the Dutch standard for information security in healthcare).