CRMO Care - Security & Data Protection

Overview

CRMO Care is committed to protecting your personal health information (PHI). While we are not a HIPAA-covered entity, we voluntarily implement HIPAA-aligned security safeguards to ensure your data is protected with industry-leading practices.

Our platform is designed to support multiple chronic conditions (CRMO, JIA, IBD, and others) with disease-agnostic data models and condition-specific extensions. Privacy and security controls remain consistent across all supported conditions, with condition-specific data validated against clinical requirements.

Technical Safeguards

1.1 Encryption

Data in Transit:

• All data transmitted between your device and our servers uses TLS 1.3 encryption
• API endpoints enforce HTTPS exclusively
• Certificate pinning on mobile applications
• No downgrade to unencrypted connections permitted

Data at Rest:

• Database encryption using AES-256 encryption
• File storage (voice recordings, documents) encrypted at rest
• Encrypted backups with separate encryption keys
• Key management through secure key management services

1.2 Access Controls

User Authentication:

• Multi-factor authentication (MFA) available for all accounts; required for sensitive operations
• Minimum 8 characters with complexity requirements for passwords
• Automatic session timeout after periods of inactivity
• Support for Apple Sign-In and Google Sign-In with OAuth 2.0

Role-Based Access Control:

• Caregiver: Full access to dependent's health records
• Teen/Self-managing patients: Access to own records only
• Clinician: Access only to explicitly shared patient data
• Admin: De-identified data views only (no direct PHI access)
• Researcher: Aggregate and de-identified data only

All roles follow the principle of least privilege. Admin and research tools operate primarily on de-identified views, not live PHI.

1.3 Audit Controls

Comprehensive Logging:

• All data access and modifications logged with tamper-proof audit trails
• Administrative actions tracked and reviewed regularly
• Retention of audit logs for minimum of 7 years
• Regular review of access logs for suspicious activity
• Structured, machine-parseable log format for automated analysis

PHI-Free Logging:

• Application logs contain only user IDs, child IDs, session IDs, and metadata
• No PHI in logs: never names, dates of birth, symptoms, medications, or clinical notes
• Error tracking (Sentry) configured with PHI scrubbing—no health data in error messages, tags, or breadcrumbs
• Voice recordings and transcripts never stored in non-BAA-covered analytics tools

1.4 Network Security

• Firewall protection on all network perimeters
• Intrusion detection and prevention systems (IDS/IPS)
• DDoS protection and rate limiting
• Regular vulnerability scanning and penetration testing
• Network segmentation to isolate sensitive data

1.5 Secure Development

• Security-first development lifecycle
• Code review and static analysis for security vulnerabilities
• Dependency scanning for known vulnerabilities
• Regular security updates and patch management
• Secure coding standards and training for developers

Database Migration Security:

• All database changes deployed via version-controlled migrations
• Migrations tested in staging before production deployment
• Rollback procedures documented and tested
• No direct production database modifications

1.6 Row-Level Security (RLS)

Database-level access controls enforce complete data isolation between users:

• Row-Level Security policies enforce data isolation at the database level
• Every query automatically filtered by user_id and child_id
• No user can access another user's health data, even if they guess the ID
• RLS policies independently tested from "unauthorized user" perspective
• Database queries fail-closed (deny by default) if RLS is misconfigured
• RLS applies to all tables containing PHI or user-specific data

1.7 Voice Data Processing

Special safeguards for voice journal feature:

• Voice recordings encrypted in transit and at rest
• Transcription through HIPAA-eligible providers with BAAs only
• Voice recordings retained per user preference (can be deleted on request)
• Transcription quality validation before clinical use
• Structured data extraction with fallback to free-text if AI processing fails
• Users can review, edit, and correct all AI-extracted data before saving
• No voice recordings or transcripts sent to non-BAA-covered services

Administrative Safeguards

2.1 Security Management

• Risk Assessments: Annual comprehensive security risk assessments
• Security Policies: Written security policies and procedures
• Incident Response Plan: Documented procedures for security incidents
• Disaster Recovery: Business continuity and disaster recovery plans
• Regular Reviews: Quarterly review and updates of security measures

2.2 Workforce Security

• Background Checks: Background screening for all employees with PHI access
• Security Training: Annual security and privacy training required
• Access Authorization: Formal authorization procedures for system access
• Access Termination: Immediate revocation of access upon termination
• Confidentiality Agreements: All workforce members sign confidentiality agreements

2.3 Third-Party Management

We carefully vet all service providers who may have access to your data:

• Vendor Assessments: Security assessment before engagement
• Contracts: Business Associate Agreements (BAAs) or equivalent where applicable
• Ongoing Monitoring: Regular review of vendor security practices
• Data Processing Agreements: Explicit limitations on data use and sharing

Our Key Service Providers:

• Supabase: Database hosting, authentication, file storage (U.S.-based, SOC 2 Type II certified)
• OpenAI: Voice transcription and AI processing (Business Associate Agreement in place for HIPAA compliance)
• Sentry: Error tracking (PHI scrubbed before transmission)

AI Processing Safeguards:

• Business Associate Agreement (BAA) in place with OpenAI for HIPAA compliance
• Minimal necessary PHI principle applied to all AI prompts (IDs and metadata only, not full names/DOB)
• Voice transcription processed through BAA-covered endpoints only
• AI processing logs contain no PHI (only request IDs, latency, and error codes)
• User review and editing required before any AI-structured data is saved
• Voice recordings and transcripts never stored in non-BAA-covered analytics tools

2.4 Environment Controls

Separate infrastructure for development, staging, and production:

• Development and staging environments use only synthetic or anonymized data
• No real PHI ever used for testing, development, or demos
• Database schema changes deployed via tested migrations with rollback capability
• Sandbox endpoints for AI, payment, and email services in non-production environments
• Strict network separation between production and non-production systems
• Production database credentials never used in development or staging

Physical Safeguards

3.1 Infrastructure Security

• Data Center Security: Our cloud infrastructure providers maintain SOC 2 Type II certified data centers
• Physical Access Controls: Biometric access, 24/7 surveillance, and security personnel
• Environmental Controls: Fire suppression, climate control, and power redundancy
• U.S.-Based Hosting: All production data hosted in U.S. data centers
• Geographic Redundancy: Multi-region backup and failover capabilities

3.2 Device Security

• Encrypted hard drives on all company devices
• Remote wipe capabilities for lost or stolen devices
• Automatic screen locking after inactivity
• Prohibition of PHI storage on personal devices

Data Protection Practices

4.1 Data Minimization

We collect only the minimum data necessary to provide our services. We do not collect:

• Advertising identifiers
• Precise location data (unless explicitly enabled)
• Social security numbers or financial information
• Unnecessary demographic data

4.2 Data Retention

• Data retained only as long as necessary for service provision
• Voice recordings retained until user requests deletion or account closure
• Transcripts retained according to user preferences and can be deleted at any time
• Users can delete voice recordings at any time from their account settings
• Account data deleted within 30 days of account closure
• Backups purged within 90 days of deletion
• Audit logs retained for 7 years for security and compliance purposes

4.3 Data Integrity

• Regular database integrity checks
• Backup verification and testing
• Version control for all data modifications
• User ability to review, edit, and delete their data

4.4 Research Participation (Optional)

If you opt into the CRMO Research Databank, CRMO Care supports two distinct research pathways with different data handling:

Clinical Trial Participation (Pathway A):

CRMO Care may support clinical trials that require:

• Coded participant identifiers (subject IDs) rather than full de-identification
• Secure re-identification key database maintained by CRMO Care
• Access to keys limited to: Data Governance Officer, approved Principal Investigators with documented justification, and safety monitoring personnel
• All key access logged with timestamp, purpose, and approver to immutable audit trail
• ICH GCP Subject Identification Code List principles
• Trial-specific informed consent required beyond general consent
• Protocol-specific data retention (typically 2-25 years post-trial)
• Support for: safety reporting, adverse event follow-up, protocol deviations, monitoring/audits

Re-identification Key Security:

• Keys stored in separate, encrypted database table with row-level security
• Multi-factor authentication required for any key access
• Annual third-party security audit of key management system
• Keys never transmitted to external trial sponsors
• Re-linkage operations performed only within CRMO Care's secure environment

General Research Data Sharing (Pathway B):

For observational and epidemiological research:

Research Data Architecture:

• Clinical and research data stored in separate database projects
• Automated, auditable de-identification process
• Batch ETL processes (not real-time) transfer de-identified data to research database
• Research API rate limiting per institutional customer
• Consent verification before inclusion in research datasets

HIPAA Safe Harbor De-identification:

• Removal of all 18 HIPAA identifiers (names, dates, IDs, etc.)
• k-anonymity enforcement: Minimum cohort size required before data export
• No re-identification capability exists for this pathway
• Aggregate reporting to prevent individual identification
• Independent expert determination where appropriate

See Beta User Agreement (Version 2.6, Section 12) and Research Databank Proposal for complete details on research pathways.

Mobile Application Security

5.1 App Security Features

• Biometric Authentication: Face ID, Touch ID, and fingerprint support
• Secure Storage: iOS Keychain and Android Keystore for credential storage
• Certificate Pinning: Prevention of man-in-the-middle attacks
• Code Obfuscation: Protection against reverse engineering
• Jailbreak Detection: Warning on compromised devices

Secure Deep Link Handling:

• Deep links validate authentication and authorization before granting access
• No sensitive IDs exposed in URLs that could bypass authentication
• Session tokens required for all authenticated deep links

Key Management:

• Elevated database keys never included in client applications
• Public/anonymous keys only in mobile apps
• Service role keys restricted to secure backend and serverless functions
• API keys rotated regularly and never committed to version control

5.2 Data on Device

• Minimal data caching on device
• Encrypted local storage when caching is necessary
• Automatic cache clearing on logout
• No PHI stored in device logs or crash reports

Security Incident & Breach Response

6.1 Incident Detection

• 24/7 automated monitoring and alerting
• Intrusion detection systems
• Anomaly detection for unusual access patterns
• User reporting mechanisms for security concerns

6.2 Incident Response

In the event of a security incident, we will:

• Immediate Action: Contain and mitigate the incident within 24 hours
• Investigation: Conduct thorough investigation to determine scope and impact
• Notification: Notify affected users within 72 hours if PHI is compromised
• Clinical Trial Notification: If breach affects clinical trial participants, notify Principal Investigator and sponsor per trial-specific protocol within 24 hours
• Remediation: Implement corrective measures to prevent recurrence
• Documentation: Maintain detailed incident logs and lessons learned

6.3 Breach Notification

If we discover a breach affecting your data, we will notify you via:

• Email to your registered address
• In-app notification
• Notice on our website (if affecting 500+ users)

The notification will include:

• Description of the incident
• Types of information involved
• Steps we are taking
• Steps you can take to protect yourself
• Contact information for questions

Your Security Responsibilities

While we implement comprehensive security measures, you also play a critical role in protecting your data:

7.1 Account Security

• Strong Passwords: Use unique, complex passwords
• Enable MFA: Turn on multi-factor authentication
• Keep Credentials Private: Never share your password or login information
• Secure Your Device: Use device passcodes and biometric locks
• Update Regularly: Keep your app and device OS up to date

7.2 Safe Practices

• Log out when using shared devices
• Be cautious of phishing emails or suspicious messages
• Verify you're on the official CRMO Care app or website
• Report suspicious activity immediately
• Review your account activity regularly

7.3 Reporting Security Concerns

If you suspect a security issue, please contact us immediately:

• Email: security@crmo-care.app
• Support: info@crmo-care.app
• Response Time: We will acknowledge within 24 hours

Compliance & Standards

8.1 HIPAA Alignment

While CRMO Care is not a HIPAA-covered entity, we voluntarily implement technical, administrative, and physical safeguards that align with HIPAA Security Rule requirements, including:

• 45 CFR § 164.308 - Administrative Safeguards
• 45 CFR § 164.310 - Physical Safeguards
• 45 CFR § 164.312 - Technical Safeguards
• 45 CFR § 164.316 - Policies, Procedures, and Documentation

8.2 Industry Standards

We follow industry best practices including:

• NIST Cybersecurity Framework: Risk management and security controls
• OWASP Top 10: Protection against common web vulnerabilities
• SOC 2: Infrastructure providers are SOC 2 Type II certified
• ISO 27001: Information security management principles

8.3 State Privacy Laws

We comply with applicable state privacy laws, including California Consumer Privacy Act (CCPA), Virginia Consumer Data Protection Act (VCDPA), and other state-specific requirements.

Updates to This Security Page

We may update this Security page as we enhance our security measures or in response to changing legal requirements. We will notify you of material changes via:

• Email notification
• In-app notification
• Notice on our website

The "Last Updated" date at the top of this page indicates when changes were last made.

Questions or Concerns?

If you have questions about our security practices or wish to report a security concern:

Security Issues: security@crmo-care.app

General Inquiries: info@crmo-care.app

Privacy Questions: See our Privacy Policy

We take all security concerns seriously and will respond promptly to your inquiries.