Trust & Compliance

How we handle the data your agency entrusts to us.

CareBridge is built on HIPAA-aware infrastructure, with signed Business Associate Agreements in place with every vendor that touches Protected Health Information. SOC 2 Type I attestation is in progress, with the report expected in Q3 2026; Type II is targeted for Q1 2027.

HIPAA Self-Attestation [Active]

Documented Security Risk Analysis, Risk Management Plan, Access Control, Workforce Training, Incident Response, Breach Notification, and Disaster Recovery policies on file.

Encrypted in Transit [Active]

TLS 1.2/1.3 only, HSTS enforced, modern cipher suites. All connections between your browser, our API, and our database are encrypted end-to-end.

Audit Logging [Active]

Every read and write of PHI is logged with timestamp, actor, action, and target. Immutable audit log via cryptographic chaining and WORM storage on Team+ tiers.
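The chaining described above, as an added illustration that is not CareBridge's own code: each record carries the four fields named on the page plus the hash of the previous record, so altering or deleting any earlier entry invalidates every record after it. The genesis value and canonical-JSON encoding are assumptions of this example.

```python
import hashlib
import json
from typing import Optional

# Constructed illustration of a hash-chained PHI audit log (added example,
# not CareBridge's implementation). Each record stores timestamp, actor,
# action, target and the hash of the preceding record.
GENESIS = "0" * 64  # prev_hash of the first record (assumed convention)
FIELDS = ("timestamp", "actor", "action", "target", "prev_hash")

def _digest(record: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
    body = {k: record[k] for k in FIELDS}
    encoded = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()

def append_event(log: list, timestamp: str, actor: str, action: str, target: str) -> dict:
    """Append a record whose prev_hash links it to the current tail of the log."""
    record = {"timestamp": timestamp, "actor": actor, "action": action,
              "target": target, "prev_hash": log[-1]["hash"] if log else GENESIS}
    record["hash"] = _digest(record)
    log.append(record)
    return record

def verify_chain(log: list) -> Optional[int]:
    """Return the index of the first inconsistent record, or None if intact."""
    expected_prev = GENESIS
    for i, record in enumerate(log):
        if record["prev_hash"] != expected_prev or record["hash"] != _digest(record):
            return i
        expected_prev = record["hash"]
    return None

def demo() -> tuple:
    # Constructed sample events; then simulate after-the-fact tampering.
    log = []
    append_event(log, "2026-05-01T09:00:00Z", "nurse.jones", "read", "patient/1042")
    append_event(log, "2026-05-01T09:05:00Z", "nurse.jones", "update", "patient/1042/notes")
    append_event(log, "2026-05-01T09:07:00Z", "admin.lee", "export", "patient/1042")
    intact = verify_chain(log)          # None: chain is consistent
    log[1]["actor"] = "someone.else"    # rewrite history on the middle record
    return intact, verify_chain(log)    # (None, 1): tampering detected at index 1

if __name__ == "__main__":
    print(demo())
```

Deleting a record is caught the same way, because the next record's prev_hash no longer matches the new predecessor.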

Role-Based Access [Active]

Admin / staff / readonly roles with per-resource permissions. Demo-mode isolation prevents accidental cross-environment data leaks.

Encryption at Rest (AES-256-GCM) [In progress]

Application-layer envelope encryption for SSN and DOB columns via cloud KMS. Database volume encryption included with Team+ hosting tier. Active in production by Q3 2026.

SOC 2 Type I Attestation [In progress]

Audit engagement scheduled. Vanta-managed evidence collection. Report expected Q3 2026. Type II observation window begins immediately after.

SOC 2 Type II [Roadmap]

Target Q1 2027. Requires a 3–6 month operating-effectiveness window after Type I. Same auditor, automated evidence pipeline.

HITRUST CSF [Roadmap]

Deferred until annual recurring revenue justifies the ~$50K–$100K certification cost. Architecture is HITRUST-mappable from day one.

Vendors That Touch PHI — All Under Signed BAA

Every third party with access to your patient data has signed a HIPAA Business Associate Agreement with us before any data flows. We will not onboard a new PHI-touching vendor without one.

Vendor | What they process | BAA status
Amazon Web Services | Compute, database, object storage, encryption keys (KMS), email | Signed via AWS Artifact
Anthropic | Claude API for AI documentation drafting | Signed (Enterprise plan)
OpenAI | Embeddings (text-embedding-3-small) for memory recall | Signed (HIPAA-eligible API)
Google Cloud | Gemini API for routing and research | Signed (Workspace BAA)
Microsoft Azure | Cognitive Services (when used) | Auto-included via DPA

Vendors Explicitly NOT Used for PHI

Some commodity providers refuse BAAs or explicitly exclude HIPAA workloads. We will never route your patient data through them — even when their pricing is attractive — and we audit our deployment to verify. Examples: Hostinger (refuses BAA), OpenRouter (no BAA path; used internally only for non-PHI routing), consumer Telegram (covered tools stay inside the workbench).

Technical Safeguards — Mapped to HIPAA Security Rule §164.312

Our Compliance Roadmap

May 2026: Self-attested HIPAA + signed BAAs
All five PHI-touching vendors under BAA. Internal policies adopted. Customer-facing BAA template published.

Q3 2026: SOC 2 Type I attestation
Vanta-managed evidence collection, A-LIGN audit. Report shared on request to qualified prospects.

Q1 2027: SOC 2 Type II report
Six-month operating-effectiveness observation window completes. Public trust badge.

2027+: HITRUST CSF certification
Triggered by enterprise customer requirements. Architecture is already HITRUST-mappable.

Documents Available on Request

Reporting a Security Concern

If you believe you've found a security vulnerability or suspected breach affecting CareBridge, please email security@cb.infinitebarrz.cloud. We acknowledge within 24 hours and respond per our published Incident Response Plan.

For HIPAA breach reporting timelines and obligations, see the HHS Breach Notification Rule overview.