Trust Center

Security & compliance, engineered for healthcare.

Patient data lives at the center of everything CareCo touches. We run a HIPAA-aligned compliance program with a documented Information Security Program, signed BAAs, annual independent risk assessments, and the contracts healthcare teams expect.

  • HIPAA: BAA signatory
  • Information Security Program: Reviewed annually
  • Incident Response Plan: Documented & exercised
  • Independent assessment: Annual, third-party
  • American Choice Healthcare
  • Axil Health
  • CareMed Group
  • Holisticare
  • Lynk Health

The control matrix.

Every control below is owned, documented, and on a recurring review cycle. Status and cadence reflect what is in place today.

  • HIPAA / Business Associate Agreement

    Active

    HIPAA-aligned Business Associate. A BAA is signed with every customer that handles Protected Health Information.

    Per customer

  • Information Security Program

    Active

    Documented ISP covering policies, employee responsibilities, and ongoing risk management, maintained with an independent third-party security partner.

    Reviewed annually

  • Incident Response Plan

    Active

    Documented triage, containment, and customer-notification commitments tied to your BAA and applicable law.

    Exercised annually

  • Independent security risk assessment

    Active

    Full security risk assessment with a third-party GRC partner. Findings drive the remediation roadmap and feed back into the ISP.

    Annual

  • Vulnerability scanning

    Active

    Vulnerability scans of the CareCo environment. Findings are tracked to remediation under the ISP.

    Annual

  • Workforce security training

    Active

    Security awareness and HIPAA training plus ongoing phishing simulations. Completion is tracked and reviewed.

    Annual + ongoing

  • Dark-web credential monitoring

    Active

    Scanning for CareCo credential and email exposure. Flagged accounts trigger an immediate password reset and access review.

    Continuous

  • SOC 2 Type II

    Planned

    On our roadmap. We will publish progress here when we engage an auditor.

    Roadmap

  • HITRUST

    Planned

    On our roadmap. We will publish progress here when we engage an auditor.

    Roadmap

What happens to your data.

Where it lives, how it’s isolated, and what we log.

US-region

Production application and AI processing run in US-region cloud infrastructure (US East / US Central). PHI does not leave the United States in normal operation.

No training on your data

The AI services in our pipeline are contractually bound not to train on or retain the inputs we send them. CareCo's own use of customer data is governed by your BAA and license agreement. We use it to operate, support, and improve the platform, and any analytics we derive for product improvement are aggregated and de-identified.

HTTPS enforced

All HTTP traffic is forced to HTTPS at the edge across every environment. Public CareCo endpoints terminate TLS at our managed hosting layer.

Tenant isolation: enforced at the data layer

Each customer's data is logically separated and access is enforced at the data layer, independent of application code. This ensures one customer can never access another's data, even in the event of an application-level error.

Audit logging: DB-level, every PHI write

A database-level trigger captures every insert, update, and delete on patient data, recording the actor, timestamp, and full record state. Logs feed the incident response process.
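How a data-layer tenant policy and a full-record audit trigger fit together, shown as an added PostgreSQL example; this is not CareCo's schema or code, and the table names, columns and the `app.customer_id` / `app.user_id` session settings are assumptions.

```sql
-- Added example (assumed schema, not CareCo's). PostgreSQL 11+.
CREATE TABLE patient_record (
    id          bigserial PRIMARY KEY,
    customer_id uuid  NOT NULL,   -- tenant owning the row
    payload     jsonb NOT NULL    -- the PHI itself
);

CREATE TABLE patient_record_audit (
    audit_id  bigserial PRIMARY KEY,
    operation text NOT NULL,      -- INSERT / UPDATE / DELETE
    actor     text NOT NULL,      -- database role that performed the write
    app_user  text,               -- application identity, if the app set it
    at        timestamptz NOT NULL DEFAULT now(),
    old_row   jsonb,              -- full record state before the change
    new_row   jsonb               -- full record state after the change
);

-- Tenant isolation enforced by the database, independent of application code.
-- The app sets app.customer_id once per transaction; every read and write on
-- patient_record is then filtered to that tenant. current_setting() without
-- the missing_ok flag raises an error if the setting is absent (fail closed).
ALTER TABLE patient_record ENABLE ROW LEVEL SECURITY;
ALTER TABLE patient_record FORCE ROW LEVEL SECURITY;   -- also binds the table owner

CREATE POLICY tenant_isolation ON patient_record
    USING      (customer_id = current_setting('app.customer_id')::uuid)
    WITH CHECK (customer_id = current_setting('app.customer_id')::uuid);

-- Audit trigger: records actor, timestamp and the full before/after row for
-- every insert, update and delete. SECURITY DEFINER lets it write to the audit
-- table even when the application role has no direct privileges on it.
CREATE OR REPLACE FUNCTION audit_patient_record() RETURNS trigger
LANGUAGE plpgsql SECURITY DEFINER AS $$
BEGIN
    INSERT INTO patient_record_audit (operation, actor, app_user, old_row, new_row)
    VALUES (
        TG_OP,
        current_user,
        current_setting('app.user_id', true),   -- true: NULL when unset, no error
        CASE WHEN TG_OP IN ('UPDATE', 'DELETE') THEN to_jsonb(OLD) END,
        CASE WHEN TG_OP IN ('INSERT', 'UPDATE') THEN to_jsonb(NEW) END
    );
    RETURN NULL;   -- AFTER trigger: return value is ignored
END $$;

CREATE TRIGGER patient_record_audit_trg
    AFTER INSERT OR UPDATE OR DELETE ON patient_record
    FOR EACH ROW EXECUTE FUNCTION audit_patient_record();

-- Application side, per transaction (assumed convention):
--   SET LOCAL app.customer_id = '<tenant uuid>'; SET LOCAL app.user_id = '<user>';
```

Revoke INSERT, UPDATE and DELETE on the audit table from the application role so the trail can only grow through the trigger, and make sure the application role is not a superuser or table owner with BYPASSRLS, since either would sidestep the policy.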

The categories of vendors in the data path.

  • Cloud hosting & database: Primary application hosting and the production database.
  • AI & voice services: Transcription, clinical drafting, and voice. These providers are contractually bound not to train on or retain the inputs we send them.
  • Telephony: Inbound and outbound calling.
  • Transactional email: System and account email. No marketing or advertising email.
  • Error tracking: Application error and performance monitoring.
  • In-app support: Customer support messaging inside the product.

Named providers, their regions, and BAA status are available under NDA. Email security@careco.ai for the current detailed list.

Our principles

No fine print.

The healthcare industry runs on fine print. Ours, in plain language: we sign a Business Associate Agreement before any PHI moves. We don’t sell your data, and we don’t share or syndicate identifiable customer data with third parties for advertising.

The AI services in our pipeline are contractually barred from training on or retaining your inputs. Any analytics we derive to improve the product are aggregated and de-identified. And security here is a recurring cycle, not a one-time exercise — every control above is owned and on a review schedule.

Answers for your security team.

The questions enterprise security teams ask before signing — and how to reach us for everything else.