Security at Caro

Caro is committed to securing the data of our customers and patients. Do you have any questions or feedback? Please feel free to contact us at security@caro.health.

Infrastructure

Cloud infrastructure

All of our services run in the cloud. We do not host or manage our own routers, load balancers, DNS servers or physical servers. Our platform is built on Amazon Web Services, which provides strong security controls and holds many compliance certifications.

Hosting

The Caro platform is built on AWS Lambda, SNS and API Gateway, which are all serverless, so we do not run traditional servers that could be compromised. Our infrastructure is defined in AWS CloudFormation templates, and every infrastructure change goes through our deployment pipeline on GitLab, which includes automated penetration testing with Puppeteer.

Network security and monitoring

We place AWS CloudFront in front of the API Gateway and our front-end assets to reduce the risk of DDoS attacks.

Data encryption

Encryption in transit: all data sent to or from our infrastructure is encrypted in transit using Transport Layer Security (TLS), configured according to industry best practices. You can view our SSL Labs reports for the app and the back-end.

Encryption for internal application communication: all internal communication goes over encrypted SNS topics, and the permissions on these topics are managed in CloudFormation templates.

Encryption at rest: application data is stored in MongoDB Atlas databases, which encrypt all data at rest. Authentication data (phone numbers and passwords) is stored in AWS Cognito, which meets the most stringent data security requirements.

Business continuity and disaster recovery

We back up application data and regularly test restoring those backups to ensure rapid recovery in the event of a disaster. All of our backups are encrypted.

Caro does not manage a data center or individual servers, so compute and storage failures are handled transparently by AWS, and the lowest-level disaster that can affect the application is that the entire AWS eu-west-1 region becomes unavailable.

Application security

Monitoring

We run weekly automated vulnerability scans with Probely, three-monthly in-depth security assessments with Bulwarkers, and regular spot checks with Mozilla Observatory.

We use AWS CloudWatch and X-Ray to monitor, log and track exceptions.

We have automated traffic watchers that analyze all internal application communications, identify errors and attempted security breaches, and notify us in real time.

We collect and retain logs to provide an audit trail of application activity (see audit logs below).

Security in the software development process

All dependencies are checked as part of our automated build process, which fails if a vulnerability is discovered. The code for each task is reviewed for security issues before being merged, following security best practices and frameworks (OWASP Top 10, SANS Top 25). We perform quarterly in-depth security assessments of the Caro platform.

Responsible disclosure

You can report vulnerabilities by contacting security@caro.health. Please include a proof of concept with your submission. We will respond as quickly as possible and will take no legal action if you comply with this policy.

Coverage:

* *.caro.app
* *.caro.health

Exclusions:

* caro.health
* www.caro.health

Internal security policy

Access to infrastructure

Two-factor authentication is required to access our AWS and MongoDB Atlas accounts. Infrastructure in AWS and databases in MongoDB Atlas are accessed using dedicated profiles with limited permissions.

Audit logs

The Caro platform stores an immutable, cryptographically verifiable log of all activity on sensitive information assets in AWS QLDB. Access to these logs is strictly controlled and they are reviewed regularly.

Access control and multi-tenancy

The Caro application enforces strict access controls through an action-based access control mechanism and a robust multi-tenancy implementation.

Compliance

GDPR

Caro complies with the General Data Protection Regulation (GDPR), including the right to be forgotten and data portability. The goal of the GDPR is to protect the personal data of EU citizens and give them more control over it. Feel free to contact us at security@caro.health for more information on how we comply with the GDPR, or view our privacy statement.

ISO27001 / NEN7510

Caro has implemented an information security management system (ISMS) and is certified by KIWA according to ISO 27001 and NEN 7510 (the Dutch standard for information security management in healthcare).

HIPAA

We are in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The purpose of HIPAA is to protect the health information of American citizens.