Security
We take security seriously to keep your data safe
CareApp treats the security and privacy of customer data with the utmost importance. We are committed to securing customer data and ensuring continuity of access. We use a variety of industry-standard services and technologies to protect customer data from unauthorised access, disclosure, and loss.
Security is directed by CareApp’s Chief Technology Officer and maintained by CareApp’s operations team.
Infrastructure & Network Security
Physical Access Control
CareApp is hosted on Amazon Web Services (AWS). AWS implements extensive security controls to safeguard their data centres. More information can be found at:
https://aws.amazon.com/compliance/data-center/controls/
CareApp employees and representatives do not have access to AWS data centres, servers, network equipment or storage.
Logical Access Control
CareApp is the assigned administrator of its infrastructure on AWS, and only designated authorised CareApp team members have access to configure the infrastructure. This access is given on an as-needed basis behind a two-factor authenticated virtual private network.
Third-Party Audit
CareApp undertakes regular security audits and testing conducted by an independent third-party agency. For testing, CareApp provides the agency with an isolated clone of our infrastructure and a high-level diagram of application architecture. No customer data is exposed to the agency through security testing.
Information about any security vulnerabilities discovered during testing is used to set mitigation and remediation priorities.
Intrusion Detection & Prevention
CareApp makes use of AWS’s intrusion detection and prevention systems, relying on both signature-based and algorithm-based security to identify traffic patterns that are similar to known attack methods.
Business Continuity & Disaster Recovery
CareApp customer data is stored in multiple Availability Zones in a specific AWS region, depending on local data housing/sovereignty laws. For example, an Australian customer’s data is stored in AWS Sydney. CareApp makes use of Availability Zones within a region to ensure high availability of the CareApp service.
High Availability
Every part of the CareApp service uses properly provisioned, redundant servers in case of failure. This includes (but is not limited to):
- Load balancers
- Web services
- Databases
Redundant resources are hosted in multiple AWS Availability Zones to prevent outages in the case of failures in one Availability Zone.
Disaster Recovery
In the event of a major outage impacting the AWS data centres CareApp operates in, CareApp will bring up a duplicate environment in different, operational zones and migrate data following our Disaster Recovery Procedures.
Data Security and Privacy
Encryption In Transit
All communication between CareApp’s servers and application clients is performed using industry-standard HTTPS. We restrict encryption schemes to TLS 1.2 and strong encryption ciphers.
CareApp’s latest SSL Labs Report can be found here.
Encryption At Rest
All data in CareApp systems is encrypted at rest, including CareApp’s production databases and files uploaded to CareApp (images, documents, etc). AWS stores and manages cryptographic keys in its Key Management Service.
API Authentication
CareApp’s REST API uses authentication tokens for authentication. Authentication tokens are passed using the Authentication header and are used to authenticate a user account with the API.
File Access
Access to files uploaded to CareApp (images, video, documents, etc) is controlled by the API. Clients request access to a file, and the API authorises this request based on user permissions and file ownership. Clients access files on AWS S3 storage using short-lived presigned URLs generated by the API, which are unique for each user.
Email Security
CareApp’s service includes email notifications of events. We implement the following protocols to prevent email address spoofing and minimise spam:
- Sender Policy Framework (SPF)
- DomainKeys Identified Mail (DKIM)
- Domain-based Message Authentication, Reporting and Conformance (DMARC)
User Access
Membership within CareApp is handled at the organisation level. CareApp has been designed so each user has a single account that can be used across multiple organisations. Each CareApp user should have their own account and can choose their own personal preferences and notification settings.
Access to organisations is dictated by role:
- Administrator
- Coordinator
- Team Member
- Family
- Customer
Administrators can view and update organisation membership, including users, email, membership status and role. Administrators can revoke access for users as required.
Reliability
CareApp works hard to ensure our platform is reliable. CareApp's Service Level Agreements dictate service uptime and support response guarantees. We publish our status at:
IT Administrators can subscribe to updates to be notified of service interruptions.
As part of our Continuous Improvement process, we publish descriptions of outages and remediation/prevention tasks at the conclusion of incidents.