
Security & Trust

Last Updated: April 28, 2026

Carelytics is built for home health agencies that handle Protected Health Information every day. Security isn't a feature we added — it's the foundation everything else is built on. This page describes the controls, architecture, and practices we use to protect your data.

HIPAA Compliance

Business Associate — Privacy Rule, Security Rule, Breach Notification Rule

Carelytics operates as a HIPAA Business Associate under 45 CFR Parts 160 and 164. We implement the full set of required administrative, physical, and technical safeguards defined by the HIPAA Security Rule, and we execute a Business Associate Agreement (BAA) with every Customer before any PHI is processed on the platform.

Privacy Rule

Minimum necessary standard enforced via role-based access controls. PHI never used for secondary purposes.

Security Rule

Administrative, physical, and technical safeguards fully implemented. Annual risk analysis conducted.

Breach Notification

Covered Entities notified within 60 days of breach discovery. Written incident response plan maintained.

Cloud Infrastructure

Microsoft Azure — United States datacenters

Carelytics is hosted entirely on Microsoft Azure in US-based datacenters. Azure is a HIPAA-eligible cloud platform operating under a signed Business Associate Agreement with Carelytics. Azure holds the following compliance certifications relevant to healthcare data:

  • HIPAA BAA: Eligible
  • SOC 2 Type II: Microsoft Azure
  • ISO 27001: Microsoft Azure
  • FedRAMP: Microsoft Azure

All PHI is stored and processed exclusively within the United States. No data is replicated to international datacenters. Azure's compliance documentation is available at Microsoft's Trust Center.

Encryption

In Transit

  • All traffic between users and Carelytics is encrypted using TLS 1.2 or higher
  • HTTPS enforced on all endpoints — HTTP is redirected automatically
  • HSTS (HTTP Strict Transport Security) headers applied
  • Database connections encrypted in transit (TLS)

At Rest

  • All data stored in Azure PostgreSQL encrypted at rest using AES-256
  • All files and documents in Azure Blob Storage encrypted at rest
  • Database backups encrypted with the same standard
  • Encryption keys managed by Azure Key Vault with access logging

Access Controls

  • Role-Based Access Control (RBAC): Every user is assigned a role that limits access to the minimum PHI necessary for their job function. Roles include Agency Admin, Manager, Scheduler, Skilled Nurse, Therapist, Biller, Payroll, and Read-Only, each with distinct permission sets.
  • Multi-tenant isolation: Customer data is strictly isolated at the database query level. Every query is scoped to the Customer's tenant — it is architecturally impossible for one agency to access another's data.
  • Scope-limited clinician access: Clinicians assigned the "view assigned only" scope can only see patients actively on their schedule, not all agency patients.
  • Automatic session timeout: Inactive sessions are terminated automatically. Sessions use server-side tokens invalidated on logout.
  • Unique user credentials required: Account sharing is prohibited by policy and technically discouraged. Each action in the platform is attributed to a specific user.
  • Carelytics staff access: Carelytics employees do not have standing access to Customer PHI. Access to production data by Carelytics personnel requires documented justification and is logged in the audit trail.

Audit Logging

Every significant action in Carelytics is captured in a tamper-evident audit log. Agency administrators can review their agency's activity log at any time from the Audit & Activity module within the platform.

What's Logged

  • Every login and logout with timestamp and IP address
  • All record creates, updates, deletes, and status changes
  • Clinical documentation actions (create, sign, QA approve/return)
  • Billing and claims actions
  • Data exports and file downloads
  • User account management and role changes
  • Agency settings changes

What Each Log Entry Contains

  • User identity (name, role, email)
  • Timestamp (UTC)
  • IP address
  • Action type and description
  • Affected record (entity type + ID)
  • Before/after values for data changes

Data Backup and Recovery

  • Automated daily backups of all databases, retained for 30 days
  • Backups are encrypted at rest and stored in a geographically separate Azure region
  • Point-in-time restore capability to within 1 hour of any incident
  • Disaster recovery procedures tested periodically; documented Recovery Time Objective (RTO) of 4 hours and Recovery Point Objective (RPO) of 1 hour
  • Backup restoration is tested quarterly to verify integrity

Platform Availability

Carelytics targets 99.5% uptime per calendar month, excluding scheduled maintenance windows. Maintenance windows are announced at least 48 hours in advance via in-platform banner and email to agency administrators.

  • 99.5%: Target monthly uptime
  • < 4hr: Recovery Time Objective
  • < 1hr: Recovery Point Objective

Certifications and Attestations

Certification / Framework          Scope                                     Status
HIPAA Security Rule                Full platform (Business Associate)        Compliant
HIPAA Privacy Rule                 Full platform (Business Associate)        Compliant
HITECH Act                         Full platform                             Compliant
SOC 2 Type II                      Carelytics platform (independent audit)   In Progress
SOC 2 Type II — Microsoft Azure    Underlying cloud infrastructure           Certified
ISO 27001 — Microsoft Azure        Underlying cloud infrastructure           Certified

SOC 2 Type II audit for Carelytics is in progress. Upon completion, the report will be available to Customers under NDA upon request at hi@carelytic.ai.

Workforce Security

  • All Carelytics employees and contractors complete HIPAA awareness training upon hire and annually
  • Background checks conducted on personnel with access to production systems
  • Production system access is restricted to engineers with documented need; access is reviewed quarterly
  • All Carelytics staff with PHI access sign confidentiality agreements
  • Separation procedures revoke all access within 24 hours of employment termination

Vulnerability Disclosure

If you believe you have found a security vulnerability in the Carelytics platform, please report it to us responsibly. We are committed to working with security researchers to verify and address potential vulnerabilities promptly.

Responsible Disclosure Guidelines

  • Email your findings to hi@carelytic.ai with subject line "Security Vulnerability Report"
  • Provide sufficient detail to reproduce the issue (URL, steps, screenshots, request/response if relevant)
  • Do not access, modify, or delete Customer data beyond what is necessary to demonstrate the vulnerability
  • Do not conduct denial-of-service attacks, automated scanning, or social engineering
  • Give us reasonable time (typically 90 days) to investigate and remediate before public disclosure

What to expect from us:

  • Acknowledgment of your report within 3 business days
  • Regular status updates during investigation
  • Credit in our security acknowledgments page (if desired) for valid, responsibly disclosed vulnerabilities
  • We will not pursue legal action against researchers who follow these guidelines in good faith

Note: Unauthorized penetration testing, automated vulnerability scanning, or attempts to access Customer PHI without authorization are prohibited and may violate the Computer Fraud and Abuse Act (18 U.S.C. §1030) regardless of intent.

Security Contact

Carelytics Inc. — Security Team

Report vulnerabilities or security incidents: hi@carelytic.ai

For vendor security questionnaires, compliance documentation requests, or BAA inquiries, email hi@carelytic.ai with the subject line "Security Questionnaire" or "BAA Request."