Security & Compliance
Enterprise Security That Passes Your Compliance Review
CareLogix handles protected health information for field operations. We built the security architecture that healthcare IT teams expect, including tenant isolation, encryption, access controls, and audit trails, before writing a single line of business logic.
Architecture
HIPAA-Ready From the Foundation
Security is not a feature we bolted on. It is the foundation the entire platform is built on. Every layer of the stack, from database queries to API endpoints to the user interface, enforces security boundaries.
Tenant Isolation
Every database query is filtered by tenant_id at the infrastructure level. There is no scenario where one customer can access another customer's data. Tenant boundaries are enforced in the data layer, not just the application layer.
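One way to realize data-layer tenant enforcement of the kind described above, shown as an added example using PostgreSQL row-level security; this is not CareLogix's own schema or code, and the table, column, role and tenant values are assumptions:

```sql
-- Added illustration (not CareLogix's schema): tenant isolation enforced by
-- the database rather than by each application query. Names are assumptions.

CREATE TABLE work_orders (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid NOT NULL,
    status     text NOT NULL,
    notes      text
);

-- Application-layer-only form: isolation depends on every query remembering
-- the filter. A single query without the WHERE clause returns every tenant's rows.
-- SELECT * FROM work_orders WHERE tenant_id = $1;

-- Data-layer form: the database applies the filter to every statement.
ALTER TABLE work_orders ENABLE ROW LEVEL SECURITY;
ALTER TABLE work_orders FORCE ROW LEVEL SECURITY;   -- also binds the table owner

CREATE ROLE app_user NOLOGIN;                       -- assumed application role
GRANT SELECT, INSERT, UPDATE, DELETE ON work_orders TO app_user;

-- USING filters rows that can be read/updated/deleted; WITH CHECK rejects
-- inserts or updates that would land in another tenant.
CREATE POLICY tenant_isolation ON work_orders
    FOR ALL
    TO app_user
    USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- Per request, the application pins the transaction to one tenant.
-- current_setting(..., true) yields NULL when the value was never set, so a
-- code path that forgets it sees zero rows rather than every row.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';  -- constructed value

-- No WHERE clause, yet only this tenant's rows come back.
SELECT id, status FROM work_orders;

-- Writing a row tagged with a different tenant fails the WITH CHECK clause.
INSERT INTO work_orders (tenant_id, status)
VALUES ('22222222-2222-2222-2222-222222222222', 'open');             -- rejected
COMMIT;
```

Superusers and roles created with BYPASSRLS are not subject to policies, so the application must connect as a role without those privileges for the enforcement to hold.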
Encryption Everywhere
All data is encrypted at rest using AES-256 and in transit using TLS 1.3. Database connections, API traffic, file storage, and inter-service communication are all encrypted end-to-end.
Role-Based Access Control
CareLogix provides 12 configurable roles with location-level scoping. A branch manager sees their branches. A dispatcher sees their service area. A technician sees their route. Users only access what they need to do their job.
Complete Audit Trail
Every state change is logged with who made it, what changed, when it happened, and the previous value. This covers work order status changes, route assignments, patient communications, user logins, and permission changes. Everything is recorded and queryable.
BAA Readiness
CareLogix is architected and operated to support Business Associate Agreements. Our infrastructure, access controls, and data handling practices are designed to meet the requirements of HIPAA-covered entities.
PHI Minimization
CareLogix collects and stores only the minimum PHI required for field operations. We do not store full medical records, clinical notes, or insurance claim details. Patient data is scoped to what dispatchers and technicians need to complete a visit.
Compliance Roadmap
SOC 2 Type II on the Roadmap
We are actively working toward SOC 2 Type II certification. Our security controls are already built to SOC 2 standards, and the formal audit process is underway.
HIPAA-ready architecture with tenant isolation and encryption
Role-based access control with location-level scoping
Complete audit logging on all state changes
PHI minimization policies and data handling procedures
BAA-ready operational controls
SOC 2 Type II audit engagement
Annual penetration testing program
FAQ
Security Questions We Expect You to Ask
Is CareLogix HIPAA compliant?
CareLogix is built with HIPAA-ready architecture from the ground up. This includes tenant isolation, encryption at rest and in transit, role-based access control, complete audit logging, and PHI minimization. We are prepared to execute Business Associate Agreements with covered entities.
Where is CareLogix data stored?
All data is stored in U.S.-based cloud infrastructure with encryption at rest. We do not store data outside the United States. Infrastructure is hosted on SOC 2-certified cloud providers.
Can we run a security review before signing?
Absolutely. We expect it. We can provide architecture documentation, complete a security questionnaire, walk through our access controls live, and discuss our SOC 2 roadmap. Our goal is to make your compliance team comfortable before you commit.
How does CareLogix handle data retention and deletion?
Data retention policies are configurable per tenant. When a customer terminates their agreement, all data associated with their tenant is permanently deleted within 30 days, with certification available upon request.
Schedule a Security Walkthrough
We will walk your compliance team through our architecture, access controls, encryption standards, and audit capabilities. Bring your security questionnaire. We are ready for it.