HIPAA-Compliant Security You Can Trust
Protecting patient data is not optional in home care. CareStack is built from the ground up with enterprise-grade security, so you can focus on delivering care -- not worrying about compliance.
- SOC 2 Type II: In Progress
- HIPAA Compliant: Verified
- BAA Provided: Every Customer
- AES-256 Encryption
Enterprise-Grade Security Features
Every layer of CareStack is designed to protect sensitive health information and keep your agency compliant.
AES-256 Encryption
All data is encrypted at rest using AES-256 and in transit using TLS 1.3. Your patient data is never stored in plaintext.
Role-Based Access Control
Row-level security (RLS) ensures users only access data they are authorized to see. Granular permissions for every role.
Comprehensive Audit Logging
Every action is logged with timestamps, user IDs, and IP addresses. Full audit trails for compliance reviews.
PHI Access Tracking
All access to Protected Health Information is tracked and reportable. Know exactly who viewed what and when.
Automatic Session Management
Sessions expire after inactivity, with configurable timeout policies. Automatic logout protects unattended workstations.
Business Associate Agreement
We sign a BAA with every customer before any PHI is processed. No exceptions, no extra fees.
AI Security Monitor
Real-time PHI access anomaly detection. AI analyzes access patterns every 5 minutes and flags bulk data access, off-hours activity, geographic anomalies, credential stuffing, and dormant accounts. Push and email alerts go to admins instantly.
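To make the monitor's categories concrete, here is an added, toy detector that runs rule checks over one 5-minute window of access events; it is illustration code, not CareStack's implementation, and the event fields, thresholds, and sample events are all assumptions constructed for the example (geographic anomalies are omitted because they need location data the sample does not carry).

```python
# Toy PHI access-anomaly checks (added example, not CareStack code).
# Event format, thresholds and sample data are assumptions for illustration.
from collections import Counter, defaultdict
from datetime import datetime, timedelta

BULK_READS = 50            # PHI reads by one user within the 5-minute window
WORK_HOURS = range(6, 20)  # 06:00-19:59 treated as normal business hours
DORMANT_DAYS = 90          # activity after this long idle is flagged
STUFFING_FAILS = 20        # failed logins from one IP ...
STUFFING_USERS = 5         # ... spread across at least this many accounts

def detect(events, window_end, last_seen):
    """events: dicts with ts (datetime), user, ip, action ('phi_read'
    or 'login_fail'). last_seen: user -> datetime of the account's last
    activity before this window. Returns sorted (rule, subject) alerts."""
    alerts = set()
    reads = Counter(e["user"] for e in events if e["action"] == "phi_read")
    for user, n in reads.items():
        if n >= BULK_READS:
            alerts.add(("bulk_access", user))
    for e in events:
        if e["action"] == "phi_read" and e["ts"].hour not in WORK_HOURS:
            alerts.add(("off_hours", e["user"]))
        prev = last_seen.get(e["user"])
        if prev and window_end - prev > timedelta(days=DORMANT_DAYS):
            alerts.add(("dormant_account", e["user"]))
    fails = defaultdict(set)   # ip -> accounts that saw a failed login
    fail_count = Counter(e["ip"] for e in events if e["action"] == "login_fail")
    for e in events:
        if e["action"] == "login_fail":
            fails[e["ip"]].add(e["user"])
    for ip, n in fail_count.items():
        if n >= STUFFING_FAILS and len(fails[ip]) >= STUFFING_USERS:
            alerts.add(("credential_stuffing", ip))
    return sorted(alerts)

def sample_window():
    """Constructed window ending at 02:30, outside business hours."""
    end = datetime(2024, 3, 4, 2, 30)
    ev = [{"ts": end, "user": "nurse_a", "ip": "10.0.0.5", "action": "phi_read"}
          for _ in range(60)]                          # bulk + off-hours
    ev += [{"ts": end, "user": f"u{i % 8}", "ip": "203.0.113.9",
            "action": "login_fail"} for i in range(25)]  # one IP, 8 accounts
    ev.append({"ts": end, "user": "old_admin", "ip": "10.0.0.7", "action": "phi_read"})
    seen = {"nurse_a": end - timedelta(days=1), "old_admin": end - timedelta(days=200)}
    return detect(ev, end, seen)

if __name__ == "__main__":
    for rule, subject in sample_window():
        print(f"ALERT {rule}: {subject}")
```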
Data Backup & Disaster Recovery
Automated daily backups with point-in-time recovery. Geo-redundant storage ensures data survives regional outages.
HIPAA Compliance Built In
CareStack implements all three categories of HIPAA safeguards to ensure your patient data meets the highest standards of protection.
Administrative Safeguards
- Designated Security Officer and Privacy Officer
- Workforce training on HIPAA policies and procedures
- Risk analysis and management program
- Incident response and breach notification process
- Business Associate Agreements with all subprocessors
- Regular policy reviews and updates
Physical Safeguards
- SOC 2 certified data centers with 24/7 monitoring
- Biometric access controls at all facilities
- Environmental controls (fire, flood, temperature)
- Secure media disposal and sanitization
- Visitor logs and escort policies
- Redundant power and network connectivity
Technical Safeguards
- AES-256 encryption at rest and TLS 1.3 in transit
- Multi-factor authentication (MFA) support
- Role-based access control with row-level security
- Automatic session timeout and re-authentication
- Integrity controls and tamper-evident audit logs
- Emergency access procedures for break-glass scenarios
How Your Data Stays Protected
From the moment data enters CareStack to every time it is accessed or transmitted, multiple layers of security ensure it remains confidential and intact.
Encrypted in Transit
All API requests use TLS 1.3 encryption. Data never travels unprotected between your browser and our servers.
Authenticated & Authorized
Every request is authenticated via secure tokens. Row-level security policies verify the user has permission for the specific data requested.
Encrypted at Rest
Data is stored with AES-256 encryption. Database backups are encrypted with separate keys managed through a secure key management service.
Logged & Auditable
Every data access event is logged with user identity, timestamp, IP address, and action taken. Logs are immutable and retained for compliance.
Business Associate Agreement: Included with every plan
We Sign a BAA with Every Customer
A Business Associate Agreement is not just a legal formality -- it is a commitment. CareStack signs a BAA with every customer before any Protected Health Information enters our platform.
Our BAA covers all CareStack modules, our infrastructure providers, and any subprocessors involved in handling your data. It is included at no additional cost on every plan.
Need a BAA before getting started? Contact our sales team and we will have one ready for signature within 24 hours.
Your Data Belongs to You
CareStack is a tool for your agency — not a data trap. Your client records, caregiver profiles, shift history, billing data, and care plans are your property. If you ever decide to leave, you take everything with you.
For caregivers, your portable profile — shift history, ratings, certifications, and training records — belongs to you and follows you across every agency you work with.
Full Data Export
Export all your data as JSON at any time from Settings. Clients, caregivers, shifts, billing, care plans — everything.
Right to Deletion
Request complete data anonymization and deletion via our DSAR portal. We comply within 30 days per HIPAA requirements.
Caregiver Data Portability
Caregivers own their profile data. Shift history, ratings, and certifications travel with them — no agency lock-in.
No Data Hostage
We never hold your data to prevent you from leaving. No export fees, no waiting periods, no artificial barriers.
Data Subject Access Request
DSAR portal available at Settings > Data Requests
Security You Can Count On
Start your free 14-day trial with full HIPAA-compliant security from day one. No credit card required.