Trust Center

CareLumi is committed to protecting your data with enterprise-grade security. Here's how we handle compliance, security controls, and privacy.

HIPAA Compliant256-bit EncryptionSOC 2 Type II (2026)

Company information

Company
CareLumi, Inc.
Location
Chicago, Illinois, USA
Industry
Healthcare Compliance Software
Security contact
support@carelumi.com

AI safety and oversight

CARL is a regulated AI engine. It operates with safeguards, expert oversight, and a full audit trail on every decision.

Agentic safeguards

CARL operates with guardrails on every automated action, so credentialing decisions stay within defined, reviewable boundaries.

Technical AI-safety controls

The engine is built and reviewed against AI-safety controls appropriate for a regulated healthcare environment.

Expert review

Credentialing experts evaluate CARL's output and handle the toughest, highest-stakes cases.

Auditability

Every credentialing decision is logged, rule-verified, and reviewable, defensible for committees and auditors.

Regulatory currency

CARL is continuously updated as federal, state, and payer rules change.

Standardization and reliability

One consistent standard across payers and states, because the system gates payment and patient care.

Certifications and frameworks we adhere to

HIPAA

CareLumi maintains full HIPAA compliance. We execute Business Associate Agreements with all customers.

SOC 2 Type I + Type II

Our SOC 2 Type I and Type II certifications provide independent verification of our security controls and operational practices.

Business Associate Agreement

BAAs are available for all customers. Our standard agreement covers all HIPAA requirements.

How we protect your data

Encryption at Rest
All data is encrypted at rest using AES-256 encryption. Database storage, file storage, and backups are all encrypted.
Encryption in Transit
All data between your browser and our servers uses TLS 1.3 encryption. API communications are encrypted end-to-end.
Key Management
Encryption keys are managed using Google Cloud KMS with automatic key rotation and audit logging.
Role-Based Access Control
Granular permissions ensure users only access data necessary for their role, with separate levels for admins, managers, and staff.
Multi-Factor Authentication
MFA is available for all accounts and required for administrative access — authenticator apps and SMS-based verification.
Single Sign-On (SSO)
Enterprise SSO via SAML 2.0 for seamless, secure authentication with your identity provider.
Session Management
Automatic session timeout after 30 minutes of inactivity. Sessions invalidate on logout and password change.
Cloud Hosting
Hosted on GCP in US-based data centers. GCP maintains SOC 2, ISO 27001, and HIPAA compliance.
Network Security
VPC isolation, Web Application Firewall (WAF), and DDoS protection via Google Cloud Armor.
Data Redundancy
Data replicated across multiple availability zones with regular automated backups and point-in-time recovery.
Vulnerability Management
Regular vulnerability scans and penetration testing, with automated security patching for infrastructure.
Audit Logging
Comprehensive audit trails for all data access, modifications, and administrative actions. Logs retained a minimum of 1 year.
Security Monitoring
24/7 automated security monitoring with alerting, real-time threat detection, and response.
Access Reviews
Quarterly access reviews and automated deprovisioning when employees leave.
Security Training
All employees complete annual HIPAA and security awareness training, with role-specific training for those handling sensitive data.
Background Checks
Conducted for all employees with access to customer data and production systems.
Acceptable Use Policy
All employees acknowledge and adhere to information security and acceptable use policies.
Vendor Management
Third-party vendors are assessed for security practices, with data processing agreements in place with all subprocessors.
Incident Response Plan
Documented procedures for security events with a dedicated response team and defined escalation paths.
Breach Notification
Customers notified within 72 hours of confirmed incidents affecting their data, per HIPAA requirements.
Business Continuity
Disaster recovery procedures with defined recovery time and recovery point objectives (RTO / RPO).

Security documentation and policies

Public

Privacy Policy

How we collect, use, and protect your personal information.

View PDF
Public

Master Service Agreement

Our standard MSA governing the terms of service for CareLumi customers.

View PDF
Request Access

Business Associate Agreement

Standard BAA for customers requiring HIPAA compliance coverage.

Request Access
Request Access

Data Processing Agreement

Terms governing how we process data on your behalf.

Request Access
99% monthly uptime

CareLumi commits to 99% monthly uptimefor the platform during your subscription period. "Available" means the platform is accessible and core functionality, provider roster, verification workflows, payer enrollment tracking, and login, is operational. Degraded performance of non-essential features does not constitute unavailability.

How uptime is measured

(Total minutes in month − Downtime minutes) / Total minutes in month × 100

Service credits

If we fail to meet our uptime commitment, you're eligible for service credits applied to your next invoice.

Monthly uptimeService credit
98.0% – 98.99%10% of monthly fee
95.0% – 97.99%20% of monthly fee
Below 95.0%30% of monthly fee

Maximum credit: 30% of your monthly fee per incident month.

How to request credits

  1. Email support@carelumi.com within 60 days of the affected month.
  2. Include your account name and the dates and times of the outage.
  3. We verify and apply credits to your next invoice within 15 business days.

What does not count as downtime

  • Scheduled maintenance announced at least 24 hours in advance via email or our status page.
  • Third-party services outages from cloud providers (GCP), identity providers, or integrations outside our control.
  • Customer-caused issues misconfiguration, exceeding usage limits, or actions that degrade your instance.
  • Force majeure natural disasters, government actions, or other events beyond reasonable control.
  • Beta features any feature explicitly labeled beta or preview.

Our commitment

We monitor our systems 24/7 and communicate proactively when incidents occur, publishing post-incident reviews for significant outages. Service credits are your sole and exclusive remedy for any failure to meet this SLA. This SLA does not modify or replace any other terms in your subscription agreement.

Common questions about our security

Yes. We implement the administrative, physical, and technical safeguards required by the HIPAA Security Rule, and execute Business Associate Agreements (BAAs) with all customers.
All customer data is stored in GCP data centers located in the United States, across multiple availability zones for redundancy. Data is encrypted at rest with AES-256 and in transit with TLS 1.3.
Yes — we provide BAAs to all customers at no additional cost. Our standard BAA covers all HIPAA requirements. Contact support@carelumi.com to request one or discuss custom terms.
We maintain a documented incident response plan with a dedicated team. For incidents affecting customer data, we notify affected customers within 72 hours as required by HIPAA, and conduct post-incident reviews.
We retain your data for 30 days to allow export. After that, all customer data is securely deleted from production systems and backups within 90 days. Immediate deletion can be requested at any time.
Yes — annual third-party penetration testing by qualified security firms, plus regular vulnerability scanning. Penetration test summaries are available upon request with an NDA.
Report it to support@carelumi.com. We investigate all reports promptly and ask for reasonable time to address issues before public disclosure.