Infrastructure
Cloud infrastructure
All of our services run in the cloud. We do not host or manage our own routers, load-balancers, DNS servers or physical servers. Our platform is built on Amazon Web Services. AWS offers strong security measures and meets many certifications.
Hosting
The Caro platform is built on AWS Lambda, SNS and API Gateway, which are all serverless, so we don't run traditional servers that could potentially be hacked. Our infrastructure is managed with AWS CloudFormation templates and all changes to the infrastructure through our deployment process on GitLab and GitHub.
Network security and monitoring
We use AWS Cloudfront for the API Gateway and our front-end assets to reduce the risk of DDoS attacks.
Data encryption
Encryption during transmission: all data sent to or from our infrastructure is encrypted during transmission through industry best practices using Transport Layer Security (TLS 1.2 or higher).
Encryption for internal application communications: all internal communications are via encrypted SNS topics and permissions for these topics are managed with Cloud Formation templates. API calls are via the REST API with a TLS connection and permissions are managed on a per-call basis.
Encryption at rest: application data is stored in MongoDB Atlas databases, which encrypts all data "at-rest. Authentication data - phone numbers and passwords - are stored in AWS Cognito, which meets the most stringent data security requirements. Logs in CloudWatch are also encrypted on AWS.
Business continuity and disaster recovery
We back up application data and try to restore the backup regularly to ensure rapid recovery in the event of a disaster. All our backups are encrypted and we do multi-regional backups, both in Ireland (every hour) and in Germany (every day).
Caro does not manage a data center or individual servers, so compute and storage failures are handled transparently by AWS and the lowest level disaster that can affect the application is that the entire AWS eu-west-1 region becomes unavailable. This also applies to our database servers hosted through MongoDB.
Application security
Monitoring
We run weekly automated vulnerability scans and do regular sampling with Mozilla Observatory. We do security assessments with a certified party upon request.
We use AWS CloudWatch and X-Ray to monitor, log and track exceptions.
We have automated traffic control mechanisms that analyze all internal application communications, identify errors and attempted security breaches, and notify us in real time.
We collect and retain logs to provide an audit trail of application activity (see audit logs below).
Security in the software development process
All dependencies are checked as part of our automated build process, which will fail if a vulnerability is discovered. Each task is code checked for security issues before being merged, according to security best practices and frameworks (OWASP Top 10, SANS Top 25). We perform quarterly in-depth security assessments on the Caro platform.
You can report vulnerabilities by contacting security@caro.health. Please include a proof of concept with your submission. We will respond as quickly as possible and take no legal action if you comply.
Coverage
* .caro.app
* .caro.health
Exclusions:
caro.health
www.caro.health
Internal security policy
Access to infrastructure
2-factor authentication is required to access our AWS and MongoDB Atlas accounts. Infrastructure in AWS and databases in MongoDB Atlas are accessed using specially created profiles with limited permissions.
Audit registration
The Caro platform stores an immutable, cryptographically verifiable log of all activity on sensitive information assets in AWS QLDB. For quick search of audit logs, we also use MongoDB, which stores logs for up to 90 days. Access to these logs is strictly controlled and they are reviewed regularly.
Access control and multi-tenancy
The Caro application has strict access controls using an action-oriented access control mechanism and a robust multi-tenancy implementation.
Compliance
GDPR
Caro complies with the General Data Protection Regulation (GDPR), including the right to be forgotten and data portability. The goal of GDPR is to protect EU citizens' private information and give them more control over their personal data. We use Vanta to monitor and keep our compliance with GDPR up to date. Feel free to contact us at security@caro.health for more information on how we comply with the AVG, or view our privacy statement.
ISO27001 / NEN7510
Caro has implemented an information security management system (ISMS) and Caro is certified by KIWA according to ISO 27001 and NEN7510 (Dutch standard for the management of information security in healthcare). We use Vanta to monitor and keep our ISMS up-to-date.
