Security at Caro
Caro places great importance on securing the data of our clients and patients. Do you have questions or feedback? Please feel free to contact us at security@caro.health.
Infrastructure
Cloud Infrastructure
All our services operate in the cloud. We do not host or manage our own routers, load balancers, DNS servers or physical servers. Our platform is built on Amazon Web Services. AWS provides robust security measures and holds a broad set of compliance certifications.
Hosting
The Caro platform is built on AWS Lambda, SNS, and API Gateway, all of which are serverless, so we do not run long-lived traditional servers that could be compromised. Our infrastructure is defined in AWS CloudFormation templates, and all changes to the infrastructure are made through our deployment process on GitLab and GitHub.
Network Security and Monitoring
We use AWS CloudFront for the API Gateway and our front-end assets to reduce the risk of DDoS attacks.
Data Encryption
Encryption during transmission: all data sent to or from our infrastructure is encrypted during transit using industry best practices with Transport Layer Security (TLS 1.2 or higher).
Encryption for internal application communication: all internal communications occur over encrypted SNS topics, and permissions for these topics are managed using CloudFormation templates. API calls go through the REST API with a TLS connection and permissions are managed per call.
Encryption at rest: application data is stored in MongoDB Atlas databases, which encrypt all data at rest. Authentication data (phone numbers and passwords) is stored in AWS Cognito, which meets the strictest data security requirements. The logs in CloudWatch are also encrypted on AWS.
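To make the "encrypted SNS topics with permissions managed in CloudFormation" statement concrete, here is an added illustration of that pattern. It is not Caro's own template: the resource names and the two role-ARN parameters are assumptions.

```yaml
# Added illustration (not Caro's template): an internal SNS topic whose messages
# are encrypted at rest with a customer-managed KMS key, plus a topic policy that
# grants publish/subscribe only to two named IAM roles. All names are assumptions.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  PublisherRoleArn:
    Type: String   # e.g. the Lambda execution role that emits events
  SubscriberRoleArn:
    Type: String   # e.g. the Lambda execution role that consumes them
Resources:
  InternalTopicKey:
    Type: AWS::KMS::Key
    Properties:
      EnableKeyRotation: true
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          # Account root keeps admin control; the roles get kms:Decrypt/GenerateDataKey via IAM.
          - Effect: Allow
            Principal: { AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root" }
            Action: "kms:*"
            Resource: "*"
  InternalTopic:
    Type: AWS::SNS::Topic
    Properties:
      KmsMasterKeyId: !Ref InternalTopicKey   # server-side encryption of queued messages
  InternalTopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics: [!Ref InternalTopic]
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: OnlyPublisherRoleMayPublish
            Effect: Allow
            Principal: { AWS: !Ref PublisherRoleArn }
            Action: sns:Publish
            Resource: !Ref InternalTopic
          - Sid: OnlySubscriberRoleMaySubscribe
            Effect: Allow
            Principal: { AWS: !Ref SubscriberRoleArn }
            Action: sns:Subscribe
            Resource: !Ref InternalTopic
          - Sid: RejectPlaintextTransport   # refuse any publish that is not over TLS
            Effect: Deny
            Principal: "*"
            Action: sns:Publish
            Resource: !Ref InternalTopic
            Condition: { Bool: { "aws:SecureTransport": "false" } }
```

Within the same account a principal can still reach the topic through its own IAM policy, so the IAM policies attached to other roles must be kept equally narrow; the explicit Deny on non-TLS transport applies to every principal regardless.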
Business Continuity and Disaster Recovery
We back up application data and regularly test restoring the backups to ensure a quick recovery in case of a disaster. All our backups are encrypted and we make multi-regional backups, both in Ireland (every hour) and in Germany (every day).
Caro does not manage a data center or individual servers, so compute and storage failures are handled transparently by AWS; the smallest failure that could affect the application is the entire AWS eu-west-1 region becoming unavailable. The same applies to our database servers, which are hosted on MongoDB Atlas.
Application Security
Monitoring
We perform automated vulnerability scans weekly and regularly spot-check our web properties with Mozilla Observatory. Security assessments are conducted on request by a certified third party.
We use AWS CloudWatch and X-Ray to monitor, log, and trace exceptions.
We have automated traffic control mechanisms that analyze all internal application communications, identify errors and attempts to breach security, and alert us in real-time.
We collect and retain logs to provide an audit trail of application activity (see audit logging below).
Security in the Software Development Process
All dependencies are checked as part of our automated build process, which fails if a vulnerability is discovered. Each change is reviewed for security issues before being merged, following best practices and security frameworks (OWASP Top 10, SANS Top 25). We conduct quarterly in-depth security assessments of the Caro platform.
You can report vulnerabilities by contacting security@caro.health. Please include a proof of concept with your submission. We will respond as quickly as possible and will not take legal action as long as you adhere to the rules.
Coverage:
*.caro.app
*.caro.health
Exclusions:
caro.health
www.caro.health
Internal Security Policy
Access to Infrastructure
Two-factor authentication is required for access to our AWS and MongoDB Atlas accounts. Infrastructure in AWS and databases in MongoDB Atlas are accessed through dedicated profiles with restricted permissions.
Audit Logging
The Caro platform maintains an immutable, cryptographically verifiable log of all activities on sensitive information assets in AWS QLDB. To facilitate quick searches in the audit logs, we also use MongoDB, which retains logs for a maximum of 90 days. Access to these logs is strictly controlled and they are regularly reviewed.
Access Control and Multi-Tenancy
The Caro application enforces strict access controls through an action-based access control mechanism and a robust multi-tenancy implementation.
Compliance
GDPR
Caro complies with the General Data Protection Regulation (GDPR), including the right to be forgotten and data portability. The aim of the GDPR is to protect the private information of EU citizens and give them more control over their personal data. We use Vanta to monitor and keep our GDPR compliance up to date. Please feel free to contact us at security@caro.health for more information on how we comply with GDPR, or view our privacy policy.
ISO27001 / NEN7510
Caro has implemented an Information Security Management System (ISMS) and has been certified by KIWA according to ISO 27001 and NEN 7510 (the Dutch standard for managing information security in healthcare). We use Vanta to monitor and keep our ISMS up to date.