Trust & Security
Your family's data deserves the highest level of protection. Here's how we deliver it.

Industry-Leading Security Standards
We partner with vendors who meet the highest security certifications in the industry. These aren't marketing badges — they're audited, verified compliance frameworks.
HIPAA
Compliance with the Health Insurance Portability and Accountability Act: Privacy Rule, Security Rule, and Breach Notification Rule. HIPAA has no certifying body, so this is a compliance program we maintain and assess ourselves rather than a third-party certificate; the audited certifications below belong to the vendors named.
HITRUST
Our voice and communications partner RingCentral holds HITRUST CSF certification — the gold standard for healthcare information security.
SOC 2 Type 2
RingCentral's SOC 2+HIPAA report validates controls for security, availability, processing integrity, confidentiality, and privacy.
ISO 27001
RingCentral maintains ISO/IEC 27001 certification for information security management systems, audited annually.
AES-256 Encryption
All data at rest is encrypted with AES-256. Database backups are encrypted before offsite storage. Financial fields are additionally encrypted at the application layer with Fernet (AES-128-CBC with an HMAC-SHA256 integrity tag), with the key held outside the database, so those fields stay protected even from direct database access.
TLS 1.3
All data in transit is protected by TLS 1.3 via Cloudflare. TLS terminates at Cloudflare; the leg from Cloudflare to our origin runs over an encrypted tunnel, so no segment travels in the clear. HSTS enforced. No plaintext HTTP connections.
How We Protect Your Data
Security is not a feature we add — it's how we build everything. From encrypted backups to audit trails, every system is designed with protection first.
HIPAA Compliance Program
Colorado CareAssist is a HIPAA-covered entity. We maintain a comprehensive compliance program that includes workforce training, regular risk assessments, incident response procedures, and ongoing monitoring. Our compliance is built into every system — not bolted on after the fact.
Business Associate Agreements
We have signed BAAs with every vendor that touches protected health information: Google Cloud (Vertex AI, Drive, Gmail), WellSky (EHR), RingCentral (HIPAA + HITRUST + SOC 2+HIPAA certified), Retell AI (HIPAA-compliant voice agents), and EBizCharge (payment processing). We do not use vendors who cannot sign a BAA for PHI-handling services.
Access Controls & Authentication
Role-based access control across all systems. Google OAuth 2.0 with domain restriction for staff. Client portal scoped per-user — families see only their own data. Session tokens expire after 24 hours. Magic links expire after 7 days. Multi-factor authentication required for administrative access. Failed login attempts are logged and rate-limited.
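The token lifetimes and failed-login rate limiting described above, as an added example in plain Python (standard library only). This is illustrative code, not the portal's own implementation: only a SHA-256 digest of each token is stored so a leaked table cannot be replayed, sessions expire after 24 hours, magic links after 7 days and work exactly once, and every accept, reject and failed login is appended to an audit list. The lockout threshold (5 failures in 15 minutes) is an assumption; the page states that attempts are rate-limited but gives no numbers.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Lifetimes stated on the page.
SESSION_TTL = 24 * 3600          # session tokens: 24 hours
MAGIC_LINK_TTL = 7 * 24 * 3600   # magic links: 7 days

# Hypothetical lockout policy: the page says failed logins are rate-limited
# but gives no numbers, so these two values are assumptions.
MAX_FAILURES = 5
FAILURE_WINDOW = 15 * 60         # seconds


def _digest(token: str) -> str:
    # Only the SHA-256 of a token is stored; a leaked table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class TokenRecord:
    user_id: str
    expires_at: float
    single_use: bool
    used: bool = False


@dataclass
class TokenStore:
    records: Dict[str, TokenRecord] = field(default_factory=dict)   # digest -> record
    failures: Dict[str, List[float]] = field(default_factory=dict)  # user_id -> failure times
    log: List[Tuple] = field(default_factory=list)                  # audit events

    def issue(self, user_id: str, ttl: int, single_use: bool, now: float) -> str:
        token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self.records[_digest(token)] = TokenRecord(user_id, now + ttl, single_use)
        return token                               # the raw value goes only to the user

    def issue_session(self, user_id: str, now: float) -> str:
        return self.issue(user_id, SESSION_TTL, single_use=False, now=now)

    def issue_magic_link(self, user_id: str, now: float) -> str:
        return self.issue(user_id, MAGIC_LINK_TTL, single_use=True, now=now)

    def redeem(self, token: str, now: float) -> Optional[str]:
        """Return the user_id the token authenticates, or None if unknown, expired or spent."""
        rec = self.records.get(_digest(token))
        if rec is None or rec.used or now >= rec.expires_at:
            self.log.append(("token_rejected", now))
            return None
        if rec.single_use:
            rec.used = True                        # a magic link works exactly once
        self.log.append(("token_accepted", rec.user_id, now))
        return rec.user_id

    def _recent_failures(self, user_id: str, now: float) -> List[float]:
        return [t for t in self.failures.get(user_id, []) if now - t < FAILURE_WINDOW]

    def record_failure(self, user_id: str, now: float) -> bool:
        """Log a failed login attempt; return True if the account is now locked out."""
        window = self._recent_failures(user_id, now) + [now]
        self.failures[user_id] = window
        self.log.append(("login_failed", user_id, now))
        return len(window) >= MAX_FAILURES

    def is_locked(self, user_id: str, now: float) -> bool:
        return len(self._recent_failures(user_id, now)) >= MAX_FAILURES
```

Time is passed in explicitly so expiry can be tested deterministically; in a real service the store would be a database table and `now` would be the server clock. Expiry is checked on every redemption rather than by a background sweep, so a token is unusable the moment it ages out even if cleanup runs late.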
Audit Logging
Every access to PHI is logged: who, what, when. All client record changes capture full before-and-after snapshots in dedicated audit tables. Document views, downloads, and exports are tracked. Login attempts (successful and failed) are recorded. PostgreSQL logs all DML statements. Audit logs are retained for a minimum of 7 years.
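The before-and-after snapshot pattern described above, as an added example that is not the agency's own code. It uses an in-memory SQLite database as a stand-in for PostgreSQL and a constructed two-table schema (`clients`, `client_audit`); every view is recorded with who and when, and every update writes the full prior and resulting row as JSON in the same transaction as the change, so a record can never be modified without its audit row landing alongside it. The editable column whitelist keeps the column-name interpolation safe.

```python
import json
import sqlite3
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional, Tuple

# Constructed schema standing in for the client table and its audit table.
SCHEMA = """
CREATE TABLE clients (
    id        INTEGER PRIMARY KEY,
    name      TEXT NOT NULL,
    phone     TEXT,
    care_plan TEXT
);
CREATE TABLE client_audit (
    id          INTEGER PRIMARY KEY,
    client_id   INTEGER NOT NULL,
    actor       TEXT NOT NULL,
    action      TEXT NOT NULL,
    at          TEXT NOT NULL,
    before_json TEXT,
    after_json  TEXT
);
"""
EDITABLE = {"name", "phone", "care_plan"}   # whitelist of column names callers may set


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    return conn


def _snapshot(conn: sqlite3.Connection, client_id: int) -> Optional[Dict[str, Any]]:
    row = conn.execute("SELECT * FROM clients WHERE id = ?", (client_id,)).fetchone()
    return dict(row) if row else None


def _audit(conn, client_id, actor, action, before, after) -> None:
    conn.execute(
        "INSERT INTO client_audit (client_id, actor, action, at, before_json, after_json) "
        "VALUES (?, ?, ?, ?, ?, ?)",
        (client_id, actor, action, datetime.now(timezone.utc).isoformat(),
         json.dumps(before), json.dumps(after)),
    )


def audited_view(conn: sqlite3.Connection, actor: str, client_id: int) -> Dict[str, Any]:
    """Read a record and log who viewed it and when (nothing changed, so no snapshots)."""
    with conn:
        row = _snapshot(conn, client_id)
        if row is None:
            raise LookupError(client_id)
        _audit(conn, client_id, actor, "view", None, None)
    return row


def audited_update(conn: sqlite3.Connection, actor: str, client_id: int,
                   changes: Dict[str, Any]) -> Tuple[Dict[str, Any], Dict[str, Any]]:
    """Apply a change and write its before/after snapshot in the same transaction."""
    unknown = set(changes) - EDITABLE
    if unknown:
        raise ValueError(f"not editable: {sorted(unknown)}")
    with conn:   # commit or roll back together: the update never lands without its audit row
        before = _snapshot(conn, client_id)
        if before is None:
            raise LookupError(client_id)
        assignments = ", ".join(f"{col} = ?" for col in changes)   # names whitelisted above
        conn.execute(f"UPDATE clients SET {assignments} WHERE id = ?",
                     (*changes.values(), client_id))
        after = _snapshot(conn, client_id)
        _audit(conn, client_id, actor, "update", before, after)
    return before, after


def audit_trail(conn: sqlite3.Connection, client_id: int) -> List[Tuple]:
    rows = conn.execute(
        "SELECT actor, action, at, before_json, after_json FROM client_audit "
        "WHERE client_id = ? ORDER BY id", (client_id,)).fetchall()
    return [(r["actor"], r["action"], json.loads(r["before_json"]), json.loads(r["after_json"]))
            for r in rows]
```

In PostgreSQL the same snapshots are usually produced by an `AFTER UPDATE` trigger using `row_to_json(OLD)` and `row_to_json(NEW)`, which also catches changes made outside the application; the application-layer version here is shown because it runs anywhere and makes the transactional coupling explicit.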
Data Retention & Disposal
Automated retention policies enforced by scheduled processes: client records 7 years (Colorado requirement), operational logs 90 days to 2 years, AI conversation transcripts 7 days. Data exceeding retention periods is automatically purged. We follow secure disposal practices for all PHI.
Backup & Recovery
Daily encrypted backups of all databases (PostgreSQL, MongoDB) and signed documents. AES-256 encryption applied before offsite storage to Google Drive. Weekly backup verification with automated restore testing. 7-day local retention, unlimited cloud retention. All backup infrastructure monitored with automated alerting.
AI & Gigi Security
Our AI assistant Gigi runs on Google Vertex AI (covered under Google Cloud BAA). Voice calls are processed through Retell AI (HIPAA BAA signed). Gigi verifies caller identity before sharing any client information. Conversation transcripts are retained for 7 days then automatically purged. Simulation testing is isolated from production data — side-effect tools are blocked during testing to prevent accidental data exposure.
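The two guardrails described above (identity verification before any client information is shared, and side-effect tools blocked in simulation) as an added example of a tool dispatcher for a voice agent. This is illustrative code, not Gigi's implementation: the client directory, the `verify_caller`, `lookup_schedule` and `send_sms` tools and the `SENT` list standing in for an SMS gateway are all constructed. Each tool is registered with two flags, and the gate refuses PHI reads for an unverified caller and returns a stub instead of running any side-effect tool when the session is a simulation. PHI lookups are scoped to the identity the gate verified, never to an identifier the caller supplies.

```python
import hmac
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Optional

# Constructed client directory: phone on file, date of birth used as the verification check.
CLIENTS = {
    "c-001": {"phone": "+13035550100", "dob": "1948-03-12", "schedule": "Tue/Thu 9am"},
}
SENT: List[Dict[str, str]] = []   # stands in for the real SMS gateway


@dataclass
class Tool:
    name: str
    handler: Callable[..., Any]
    reads_phi: bool = False     # needs a verified caller
    side_effect: bool = False   # must never run during simulation


@dataclass
class CallSession:
    caller_phone: str
    simulation: bool = False
    verified_client_id: Optional[str] = None
    log: List[tuple] = field(default_factory=list)


class ToolGate:
    def __init__(self) -> None:
        self.tools: Dict[str, Tool] = {}

    def register(self, tool: Tool) -> None:
        self.tools[tool.name] = tool

    def dispatch(self, session: CallSession, name: str, **kwargs: Any) -> Dict[str, Any]:
        tool = self.tools[name]
        if tool.reads_phi and session.verified_client_id is None:
            session.log.append(("denied", name, "caller not verified"))
            return {"error": "identity verification required"}
        if tool.side_effect and session.simulation:
            session.log.append(("blocked", name, "simulation mode"))
            return {"simulated": True, "tool": name}   # the model sees a result, nothing runs
        session.log.append(("allowed", name))
        return tool.handler(session, **kwargs)


def verify_caller(session: CallSession, dob: str) -> Dict[str, bool]:
    """Match the calling number to a client and check the date of birth they state."""
    for client_id, rec in CLIENTS.items():
        if rec["phone"] == session.caller_phone and hmac.compare_digest(rec["dob"], dob):
            session.verified_client_id = client_id
            return {"verified": True}
    return {"verified": False}


def lookup_schedule(session: CallSession) -> Dict[str, str]:
    # Scoped to the verified identity; the caller cannot name another client.
    return {"schedule": CLIENTS[session.verified_client_id]["schedule"]}


def send_sms(session: CallSession, text: str) -> Dict[str, bool]:
    SENT.append({"to": session.caller_phone, "text": text})
    return {"sent": True}


def build_gate() -> ToolGate:
    gate = ToolGate()
    gate.register(Tool("verify_caller", verify_caller))
    gate.register(Tool("lookup_schedule", lookup_schedule, reads_phi=True))
    gate.register(Tool("send_sms", send_sms, side_effect=True))
    return gate
```

The check lives in the dispatcher rather than in each tool so that a new tool cannot forget it, and the simulation stub returns a well-formed result so the agent's conversation flow can still be exercised end to end without touching production systems. A production gate would also cap verification attempts per call.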
Network & Infrastructure
All services are behind Cloudflare's WAF and DDoS protection, reached through an encrypted tunnel whose connector dials out to Cloudflare. Services bind to localhost only, so no inbound port is open and nothing is directly exposed to the internet. HSTS enforced on all domains. Content Security Policy headers configured. Disk encryption enabled via FileVault. No plaintext credentials in source code.
Most Home Care Agencies Don't Do This
We're a locally owned agency, not a tech company. But we believe your family's data deserves enterprise-grade protection. That's why we built HIPAA compliance, encrypted backups, audit logging, and AI safety controls into every system — from day one. Ask your current agency about their BAA inventory, encryption practices, and audit trail. We think you'll see the difference.
[email protected]
Questions about our security practices? We're happy to walk you through every detail.
Take the Next Step
Your Family's Data Is Safe With Us
Contact us to learn more about our security practices or to request a Business Associate Agreement.