Trust & security

Security built for healthcare data

Care providers handle some of the most sensitive personal data in existence. We treat it that way — with controls equivalent to a modern bank, not a typical SaaS app.

Encryption everywhere

TLS 1.3 in transit, AES-256 at rest. Database connections require SSL. Backups encrypted with separate KMS keys.

Tenant isolation by RLS

Every row carries an organization_id. Postgres Row Level Security prevents cross-tenant reads; even our service code cannot bypass it without an explicit override, and every override produces an audit log entry.
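
The pattern this section describes, written out as an added example; this is not careloop's own schema or code. It assumes a care_records table carrying organization_id, an append-only audit_log table, a non-owner service role app_service, and a per-transaction session setting app.organization_id. The break-glass path is modelled so that the audit entry is the override: the second policy only widens access while the current transaction has already written an 'rls_override' row. Written for PostgreSQL 13 or later.

```sql
-- Added example (not careloop's code). Tables, role and setting names are assumptions.

CREATE TABLE audit_log (
    id       bigserial   PRIMARY KEY,
    at       timestamptz NOT NULL DEFAULT now(),
    actor    text        NOT NULL DEFAULT current_user,
    xact_id  bigint      NOT NULL DEFAULT txid_current(),  -- ties the entry to one transaction
    action   text        NOT NULL,
    detail   jsonb
);

CREATE TABLE care_records (
    id              bigserial PRIMARY KEY,
    organization_id uuid NOT NULL,   -- every row carries its tenant
    patient_ref     text NOT NULL,
    note            text
);

-- Constructed sample data for two tenants, loaded by the owner before RLS is switched on.
INSERT INTO care_records (organization_id, patient_ref, note) VALUES
    ('11111111-1111-1111-1111-111111111111', 'P-001', 'tenant A record'),
    ('22222222-2222-2222-2222-222222222222', 'P-002', 'tenant B record');

-- Enable RLS, and FORCE it so the table owner is filtered as well.
-- Superusers and roles with BYPASSRLS still bypass; the service must not be one.
ALTER TABLE care_records ENABLE ROW LEVEL SECURITY;
ALTER TABLE care_records FORCE ROW LEVEL SECURITY;

-- Tenant policy. current_setting(name, true) returns NULL when the setting is
-- absent, and "organization_id = NULL" is never true, so a session that has
-- not bound a tenant sees no rows rather than all rows.
CREATE POLICY tenant_isolation ON care_records
    USING      (organization_id = current_setting('app.organization_id', true)::uuid)
    WITH CHECK (organization_id = current_setting('app.organization_id', true)::uuid);

-- Break-glass policy. Permissive policies are OR-ed together, so this one
-- applies only while this transaction already holds an 'rls_override' audit row.
-- There is no flag to flip: writing the audit entry is the override.
CREATE POLICY audited_override ON care_records
    USING (EXISTS (
        SELECT 1 FROM audit_log a
        WHERE a.action  = 'rls_override'
          AND a.xact_id = txid_current()));

-- Service role: not the table owner and NOBYPASSRLS, so the policies always apply.
-- It may append to audit_log but is granted neither UPDATE nor DELETE on it.
CREATE ROLE app_service NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON care_records TO app_service;
GRANT SELECT, INSERT ON audit_log TO app_service;
GRANT USAGE ON SEQUENCE care_records_id_seq, audit_log_id_seq TO app_service;

-- 1. Normal request path: the service binds exactly one tenant per transaction
--    (is_local = true, so the binding disappears at COMMIT or ROLLBACK).
BEGIN;
SET LOCAL ROLE app_service;
SELECT set_config('app.organization_id', '11111111-1111-1111-1111-111111111111', true);
SELECT patient_ref, note FROM care_records;
COMMIT;

-- 2. Unbound session: no tenant set, so the tenant policy matches nothing.
BEGIN;
SET LOCAL ROLE app_service;
SELECT count(*) FROM care_records;
COMMIT;

-- 3. Override: the audit row must exist in this same transaction before the
--    widened read is possible, and it stays in audit_log after COMMIT.
BEGIN;
SET LOCAL ROLE app_service;
INSERT INTO audit_log (action, detail)
    VALUES ('rls_override', '{"ticket": "TICKET-ID-PLACEHOLDER", "reason": "constructed example"}');
SELECT patient_ref, organization_id FROM care_records;
COMMIT;
```

Transaction 1 returns only tenant A's row, transaction 2 returns a count of zero, and transaction 3 returns both tenants' rows because the policy subquery finds the audit row written moments earlier under the same transaction id. The design choice worth copying is that the override is not a session variable the application could set on its own: a custom GUC can be set by any role, whereas an INSERT into a table the service cannot update or delete leaves a permanent record of who widened access and why.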

MFA for admins

Mandatory TOTP for org_admin and super_admin roles. Hardware key support (FIDO2) on Enterprise.

Daily encrypted backups

Point-in-time recovery to any second within the last 7 days. Daily snapshots retained for 30 days. Quarterly restore tests.

UK / EU hosting

Production runs in AWS eu-west-2 (London) and Vercel London. No US data residency unless contractually required.

Least-privilege access

Engineers access production via short-lived assumed roles, MFA-required, all queries audited. Dual-control for any production write.

Annual penetration testing

An external CREST-accredited tester runs an annual pentest. Findings are tracked publicly via our /security/changelog (Enterprise).

Full audit log

Every privileged action, every admin login, every data export — logged immutably for 6 years to align with care-sector record-keeping.

Network protection

Cloudflare WAF + DDoS shielding. Rate-limiting by IP and user. Bot management.

Compliance

ICO-registered. UK GDPR. NHS DSPT submission supported. Cyber Essentials Plus certified. ISO 27001 in progress (Q4 2026).

Vendor incident response

24-hour breach notification to controllers. 30-min internal SLA for critical incidents. Quarterly tabletop exercises.

Data minimisation

We collect only what we need to run the service. Health data is structured to allow per-field redaction in DSAR exports.

Reporting a vulnerability

We welcome responsible disclosure. Email security@careloop.com with full details. We acknowledge within 24 hours, fix high-severity findings within 7 days, and credit you (with your consent) on our security hall-of-fame at /security/credits.

Our PGP key is available at /.well-known/security.txt.