Security Practices
Our Commitment to Security
At myCARI, protecting your health information is our top priority. We employ industry-leading security measures to ensure your data remains private and secure. As a healthcare application handling Protected Health Information (PHI), we implement security controls that meet or exceed HIPAA requirements.
Compliance Framework
| Standard | Status | Description |
|---|---|---|
| HIPAA | Implemented | Security controls aligned with HIPAA requirements; BAA signed with GCP |
| SOC 2 Type II | Via Infrastructure | GCP infrastructure is SOC 2 certified |
| GDPR | Implemented | Data protection practices aligned with GDPR |
| CCPA | Implemented | California Consumer Privacy Act requirements addressed |
Technical Security Measures
Encryption
| Layer | Technology | Details |
|---|---|---|
| In Transit | TLS 1.3 | All network communications use the latest TLS encryption |
| At Rest | AES-256 | All stored health data encrypted with industry-standard encryption |
| Key Management | Google Cloud KMS | Automatic key rotation, hardware security modules |
| End-to-End | Curve25519 + AES-256-GCM | Care team messages encrypted on-device before transmission |
End-to-End Messaging Encryption
Care team messages are protected with true end-to-end encryption:
- Messages are encrypted on your device before being sent
- Only the sender and intended recipients can decrypt messages
- The server only stores encrypted data - it cannot read your messages
- Conversation previews show "Encrypted message" to protect content
- Each recipient receives a uniquely encrypted copy using their public key
Authentication
| Feature | Implementation |
|---|---|
| Biometric Login | Face ID and Touch ID support (recommended) |
| Social Sign-In | Apple Sign-In, Google Sign-In available |
| Session Management | Token-based sessions with automatic expiration |
| Brute Force Protection | Rate limiting and account protection mechanisms |
Infrastructure Security
| Component | Details |
|---|---|
| Cloud Provider | Google Cloud Platform (HIPAA BAA signed) |
| Data Centers | GCP SOC 2 certified data centers, US-based |
| Web Application Firewall | Cloud Armor with OWASP rule sets, DDoS protection |
| Database | Cloud SQL with AES-256 encryption, private IP connectivity |
| Secrets Management | Google Secret Manager for all credentials |
Data Isolation and Multi-Tenancy
myCARI implements strict data isolation to ensure user data cannot be accessed by other users:
| Feature | Implementation |
|---|---|
| Container Isolation | Each user's health data stored in isolated containers |
| Database Separation | User data partitioned with row-level security |
| Care Team Access | Permission-based access with full audit logging |
| Professional Mode | Professional caregivers have separate audit trails |
Audit Logging
We maintain comprehensive audit logs of all security-relevant activities:
| Event Type | Details Logged |
|---|---|
| Authentication | Login attempts, logouts, password changes |
| Data Access | All access to health information |
| Data Modifications | Changes to health records, medications, vitals |
| Care Team Actions | Member additions, removals, permission changes |
| API Access | All API calls with timestamps and results |
Retention: Audit logs are retained for 6 years per HIPAA requirements. Logs cannot be modified after creation.
Your Role in Security
To help keep your health data secure:
| Practice | Why It Matters |
|---|---|
| Use a strong password | Prevents unauthorized account access |
| Enable Face ID/Touch ID | Adds biometric layer of protection |
| Keep your iPhone updated | Security patches protect against vulnerabilities |
| Keep myCARI updated | App updates include security improvements |
| Don't share your login | Your credentials are for your use only |
| Review care team access | Periodically verify who has access to your data |
Reporting Security Issues
If you discover a security vulnerability:
Email: security@mlpipes.ai
Guidelines:
- Provide detailed information about the vulnerability
- Do not publicly disclose until we've addressed it
- We appreciate responsible disclosure
We do not pursue legal action against security researchers who act in good faith, avoid accessing others' data, and give us reasonable time to respond.
Questions?
- Security Team: security@mlpipes.ai
- Privacy Team: privacy@mlpipes.ai
- General Support: support@mlpipes.ai
Address:
MLPipes LLC
5725 S Valley View Blvd Ste 5 PMB 471045
Las Vegas, Nevada 89118-3122 US