Security at Caro

Caro cares deeply about keeping our customers' and patients' data secure. Have questions or feedback? Feel free to reach out to us at security@caro.health.

Infrastructure

Cloud infrastructure

All of our services run in the cloud. We don’t host or run our own routers, load balancers, DNS servers, or physical servers. Our platform is built on Amazon Web Services (AWS), which operates and secures the underlying physical infrastructure and holds a broad set of compliance certifications.

Hosting

The Caro platform is built on AWS Lambda, SNS, and API Gateway, all of which are serverless, so there are no long-lived servers of our own to patch, harden, or expose to the network. Our infrastructure is managed with AWS CloudFormation templates, and all infrastructure changes go through our deployment pipeline on GitLab, which includes automated, browser-driven security tests scripted with Puppeteer.

Network level security monitoring and protection

We use Amazon CloudFront in front of API Gateway and our front-end assets; absorbing traffic at the edge reduces the risk of DDoS attacks reaching the application.

Data encryption

Encryption in transit: All data sent to or from our infrastructure is encrypted in transit using Transport Layer Security (TLS), configured according to current best practice. You can see our SSL Labs reports for the app and the back-end.

Encryption for internal application communication: All internal communication goes over SNS topics with server-side encryption enabled, and the publish and subscribe permissions for these topics are defined in our CloudFormation templates.
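As an added illustration of what such a definition looks like (this is example YAML, not Caro's own template), the fragment below declares an SNS topic encrypted with a customer-managed KMS key and a topic policy that limits publishing and subscribing to two named IAM roles. The key, topic and parameter names are assumptions; the role ARNs are passed in as parameters.

```yaml
# Added example (not Caro's template). Encrypted SNS topic whose publish and
# subscribe permissions are pinned to named roles. Names are assumed.
AWSTemplateFormatVersion: "2010-09-09"

Parameters:
  PublisherRoleArn:
    Type: String
    Description: IAM role of the Lambda function allowed to publish
  ConsumerRoleArn:
    Type: String
    Description: IAM role allowed to create subscriptions

Resources:
  InternalTopicKey:
    Type: AWS::KMS::Key
    Properties:
      Description: Key for internal SNS traffic
      EnableKeyRotation: true
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          - Sid: AccountAdmin
            Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Action: "kms:*"
            Resource: "*"
          - Sid: AllowSnsToUseKey   # SNS must wrap/unwrap data keys on our behalf
            Effect: Allow
            Principal:
              Service: sns.amazonaws.com
            Action:
              - "kms:GenerateDataKey*"
              - "kms:Decrypt"
            Resource: "*"

  InternalTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: internal-events
      # Without KmsMasterKeyId the topic stores messages unencrypted.
      KmsMasterKeyId: !Ref InternalTopicKey

  InternalTopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics:
        - !Ref InternalTopic
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: OnlyPublisherRoleCanPublish
            Effect: Allow
            Principal:
              AWS: !Ref PublisherRoleArn
            Action: "sns:Publish"
            Resource: !Ref InternalTopic
          - Sid: OnlyConsumerRoleCanSubscribe
            Effect: Allow
            Principal:
              AWS: !Ref ConsumerRoleArn
            Action:
              - "sns:Subscribe"
              - "sns:Receive"
            Resource: !Ref InternalTopic
          - Sid: DenyPlaintextTransport
            Effect: Deny
            Principal: "*"
            Action: "sns:Publish"
            Resource: !Ref InternalTopic
            Condition:
              Bool:
                "aws:SecureTransport": "false"
```

Two things to check when reviewing a template like this: the publishing role also needs `kms:GenerateDataKey` on the key (and consumers that read directly need `kms:Decrypt`), and the topic policy should name specific principals rather than the account root, otherwise any role in the account can publish.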

Encryption at rest: Application data is stored in MongoDB Atlas databases, which encrypt all data at rest. Authentication data (phone numbers and passwords) is stored in AWS Cognito, a managed identity service, so passwords are never held in our own databases.

Data retention and removal

We retain usage data for 9 years for historical reporting purposes. Users can request the removal of personally identifiable data by contacting support@caro.health.

Business continuity and disaster recovery

We back up application data and regularly test restoring the backups so that recovery is fast in the event of a disaster. All of our backups are encrypted.

Caro does not manage a data centre or individual servers, so compute and storage failures are handled transparently by AWS. The most severe failure that could affect the application would be the whole AWS eu-west-1 region becoming unavailable. If this were to happen:

* The application would be deployed into another region - this is relatively simple because the infrastructure is all managed with CloudFormation templates

* Database backups would be imported into the newly deployed environment

* DNS records would be updated to point to the new environment

While we don’t offer an SLA on this eventuality, our estimate is that the process would take around 12 hours.

Application security

Monitoring

We run weekly automated vulnerability scans with Probely, quarterly in-depth security assessments with Bulwarkers, and do regular spot checks with Mozilla Observatory.

We use AWS CloudWatch and X-Ray to monitor, log, and trace exceptions.

We run automated traffic watchers which analyse all internal application communication, identify failures and attempted security breaches, and notify us in real time.

We collect and store logs to provide an audit trail of application activity (see audit logging below).

Security in the software development process

All dependencies are audited as part of our automated build, which fails if a known vulnerability is found. Every change is code reviewed for security issues before it is merged, following security best practices and frameworks (OWASP Top 10, CWE/SANS Top 25). We run quarterly in-depth security assessments on the Caro platform.

Responsible disclosure

You can report vulnerabilities by contacting security@caro.health. Please include a proof of concept with your submission. We will respond as quickly as possible and will not take legal action against researchers who stay within the scope listed below.

Coverage

*.caro.app

*.caro.health

Exclusions:

caro.health

www.caro.health

Internal security policies

Access to infrastructure

Two-factor authentication is required for access to our AWS and MongoDB Atlas accounts. Infrastructure in AWS and databases in MongoDB Atlas are accessed through dedicated profiles scoped to the minimum permissions each task needs.

Audit logging

The Caro application retains a full, immutable history of every action that results in a data change, including the user that made the change, the resource changed, the time of the change, and which interface was used to make the change. In addition, a record of every action on the platform is kept for a limited period for analytics and data science purposes. Historical data is only deleted when a user exercises their right to be forgotten, or a customer terminates their contract.
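To make the "immutable history" property concrete, here is an added example (not Caro's own code) of an append-only audit trail in which each record carries the user, resource, time and interface and commits to the digest of the record before it, plus a verifier that detects any edited, removed or reordered record. The field names, the in-memory store and the sample records are assumptions chosen for illustration.

```python
"""Added example, not Caro's own code: a hash-chained, append-only audit log.
Field names, the in-memory store and the sample records are assumptions."""
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # prev_hash of the very first record


def _digest(fields: dict) -> str:
    """SHA-256 over a canonical JSON encoding, so key order cannot change the hash."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AuditLog:
    """Records are only ever appended; each one commits to its predecessor's digest."""

    def __init__(self) -> None:
        self._records: List[dict] = []

    def append(self, user: str, action: str, resource: str, interface: str,
               timestamp: Optional[str] = None) -> dict:
        prev = self._records[-1]["digest"] if self._records else GENESIS
        record = {
            "seq": len(self._records),
            "user": user,
            "action": action,         # e.g. "update"
            "resource": resource,     # e.g. "appointment/apt-1"
            "interface": interface,   # e.g. "web-app", "public-api", "admin-console"
            "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
            "prev_hash": prev,
        }
        record["digest"] = _digest(record)
        self._records.append(record)
        return record

    def records(self) -> List[dict]:
        # Hand out copies: readers get the history, but cannot edit the stored chain.
        return [dict(r) for r in self._records]


def verify_chain(records: List[dict]) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if the chain is intact, else (False, index of first bad record)."""
    prev = GENESIS
    for i, rec in enumerate(records):
        body = {k: v for k, v in rec.items() if k != "digest"}
        if (rec.get("seq") != i
                or rec.get("prev_hash") != prev
                or _digest(body) != rec.get("digest")):
            return False, i
        prev = rec["digest"]
    return True, None


def sample_log() -> AuditLog:
    """Constructed sample records (not real data)."""
    log = AuditLog()
    log.append("alice@clinic-a", "create", "appointment/apt-1", "web-app",
               "2024-03-01T09:00:00+00:00")
    log.append("bob@clinic-a", "update", "appointment/apt-1", "public-api",
               "2024-03-01T09:05:00+00:00")
    log.append("alice@clinic-a", "delete", "appointment/apt-1", "admin-console",
               "2024-03-02T10:00:00+00:00")
    return log


if __name__ == "__main__":
    print("intact:", verify_chain(sample_log().records()))
    edited = sample_log().records()
    edited[1]["user"] = "mallory"   # rewriting history breaks that record's digest
    print("edited record:", verify_chain(edited))
    truncated = sample_log().records()
    del truncated[1]                # dropping a record breaks seq and prev_hash
    print("deleted record:", verify_chain(truncated))
```

The chain proves that nobody has edited or removed a record since it was written, but an attacker who can rewrite the whole store can rebuild the chain from scratch; the usual mitigation is to periodically copy the latest digest somewhere the application itself cannot write, such as a separate account or a signed checkpoint.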

Access control and multi-tenancy

The Caro application enforces strict access control checks using an action-based access control mechanism, together with a robust multi-tenancy implementation that keeps each customer's data isolated from every other customer's.
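The following added example (not Caro's own code) shows the shape of such a check: permissions are named actions granted per role rather than a single "is admin" flag, every lookup is scoped to the tenant taken from the authenticated session, and a resource in another tenant is indistinguishable from one that does not exist. The roles, action names, resource types and the in-memory store are assumptions chosen for illustration.

```python
"""Added example, not Caro's own code: action-based authorization with
tenant-scoped lookups. Roles, actions, resources and the store are assumed."""
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Each role is granted a set of named actions; anything not listed is denied.
ROLE_ACTIONS: Dict[str, Set[str]] = {
    "patient":   {"appointment:read", "appointment:book", "appointment:cancel"},
    "clinician": {"appointment:read", "appointment:cancel", "record:read", "record:write"},
    "admin":     {"appointment:read", "appointment:cancel", "record:read", "user:invite"},
}


@dataclass(frozen=True)
class Principal:
    user_id: str
    tenant_id: str   # from the authenticated session, never from the request body
    role: str


@dataclass(frozen=True)
class Resource:
    resource_id: str
    tenant_id: str
    owner_id: Optional[str] = None   # set for resources that belong to one patient


class Forbidden(Exception):
    pass


def find_resource(store: Dict[str, Resource], principal: Principal,
                  resource_id: str) -> Optional[Resource]:
    """Tenant-scoped lookup: another tenant's resource looks exactly like a
    missing one, so ids cannot be enumerated across tenants."""
    res = store.get(resource_id)
    if res is None or res.tenant_id != principal.tenant_id:
        return None
    return res


def authorize(principal: Principal, action: str, resource: Resource) -> None:
    """Raise Forbidden unless principal may perform `action` on `resource`."""
    if resource.tenant_id != principal.tenant_id:   # defence in depth; lookup already filtered
        raise Forbidden("not-found")
    if action not in ROLE_ACTIONS.get(principal.role, set()):
        raise Forbidden("action-not-permitted")
    if principal.role == "patient" and resource.owner_id != principal.user_id:
        raise Forbidden("not-found")                # patients only see their own resources


def decide(store: Dict[str, Resource], principal: Principal,
           action: str, resource_id: str) -> str:
    """Single entry point a request handler calls; returns 'allow' or 'deny:<reason>'."""
    res = find_resource(store, principal, resource_id)
    if res is None:
        return "deny:not-found"
    try:
        authorize(principal, action, res)
    except Forbidden as exc:
        return f"deny:{exc}"
    return "allow"


# Constructed sample data for two tenants (not real data).
STORE: Dict[str, Resource] = {
    "apt-1": Resource("apt-1", "clinic-a", owner_id="pat-1"),
    "apt-2": Resource("apt-2", "clinic-b", owner_id="pat-9"),
    "rec-1": Resource("rec-1", "clinic-a"),
}

if __name__ == "__main__":
    pat1 = Principal("pat-1", "clinic-a", "patient")
    admin_b = Principal("adm-1", "clinic-b", "admin")
    print(decide(STORE, pat1, "appointment:cancel", "apt-1"))    # own appointment
    print(decide(STORE, pat1, "appointment:cancel", "apt-2"))    # other tenant's id
    print(decide(STORE, admin_b, "appointment:read", "apt-1"))   # admin, but wrong tenant
```

The ordering is deliberate: the tenant check runs before the action check and uses the same "not found" outcome as a genuinely missing id, so neither an error message nor a timing difference tells a caller that an id exists in another tenant.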

Compliance

GDPR

Caro is compliant with the General Data Protection Regulation (GDPR), including the right to be forgotten and data portability. The purpose of GDPR is to protect the personal data of individuals in the EU and give them more control over how it is used. Feel free to reach out to us at security@caro.health for more details on how we comply with GDPR, or have a look at our record of processing activities.

HIPAA

We are compliant with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The purpose of HIPAA is to protect the privacy and security of individually identifiable health information held by covered entities and their business associates in the US.