CareLumi is committed to protecting your data with enterprise-grade security. Learn about our compliance certifications, security controls, and privacy practices.
CareLumi is an AI-powered credentialing and compliance platform serving outpatient healthcare providers. We automate compliance, staff credentials, facility licenses, and payer enrollment to help healthcare organizations maintain operational continuity and focus on patient care.
Our platform handles Protected Health Information (PHI) and we take our responsibility to protect this sensitive data seriously. Security and compliance are built into every layer of our technology.
Certifications and frameworks we adhere to
CareLumi maintains full HIPAA compliance for handling Protected Health Information. We execute Business Associate Agreements with all customers.
We are pursuing SOC 2 Type II certification to provide independent verification of our security controls and operational practices.
BAAs are available for all customers. Our standard agreement covers all HIPAA requirements for handling PHI on your behalf.
How we protect your data
All data is encrypted at rest using AES-256 encryption. Database storage, file storage, and backups are all encrypted.
All data transmitted between your browser and our servers uses TLS 1.3 encryption. API communications are encrypted end-to-end.
Encryption keys are managed using AWS Key Management Service (KMS) with automatic key rotation and audit logging.
Granular permissions ensure users access only the data necessary for their role, with separate permission levels for administrators, managers, and staff.
MFA is available for all accounts and required for administrative access. We support authenticator apps and SMS-based verification.
Enterprise SSO integration is available via SAML 2.0 for seamless and secure authentication with your identity provider.
Sessions time out automatically after 30 minutes of inactivity and are invalidated on logout and password change.
CareLumi is hosted on Amazon Web Services (AWS) infrastructure in US-based data centers. AWS maintains SOC 2, ISO 27001, and HIPAA compliance.
Network protection includes Virtual Private Cloud (VPC) isolation, a Web Application Firewall (WAF), and DDoS protection via AWS Shield.
Data is replicated across multiple availability zones for high availability, with regular automated backups and point-in-time recovery.
We perform regular vulnerability scans and penetration testing, and apply automated security patching for infrastructure components.
Comprehensive audit trails cover all data access, modifications, and administrative actions. Logs are retained for a minimum of one year.
Automated security monitoring runs 24/7 with alerting on suspicious activity, supporting real-time threat detection and response.
Quarterly access reviews ensure permissions remain appropriate, and accounts are automatically deprovisioned when employees leave.
All employees complete annual HIPAA and security awareness training. Role-specific training for employees handling PHI.
Background checks conducted for all employees with access to customer data and production systems.
All employees acknowledge and adhere to information security policies and acceptable use guidelines.
Third-party vendors are assessed for their security practices, and data processing agreements are in place with all subprocessors.
We maintain documented incident response procedures for security events and a dedicated incident response team with defined escalation paths.
Customers are notified within 72 hours of confirmed security incidents affecting their data, in compliance with HIPAA breach notification requirements.
Disaster recovery procedures define recovery time objectives (RTO) and recovery point objectives (RPO).
Security documentation and policies
How we collect, use, and protect your personal information and PHI.
High-level summary of our security controls and practices.
Standard BAA for customers requiring HIPAA compliance coverage.
Terms governing how we process data on your behalf.
Common questions about our security and compliance
Yes, CareLumi maintains full HIPAA compliance. We implement administrative, physical, and technical safeguards required by the HIPAA Security Rule. We execute Business Associate Agreements (BAAs) with all customers who handle PHI through our platform.
All customer data is stored in AWS data centers located in the United States. We use multiple availability zones for redundancy. Data is encrypted at rest using AES-256 encryption and in transit using TLS 1.3.
Yes, we provide BAAs to all customers at no additional cost. Our standard BAA covers all HIPAA requirements. Contact us at security@carelumi.com to request a BAA or discuss custom terms if needed.
We have a documented incident response plan with a dedicated response team. In the event of a security incident affecting customer data, we will notify affected customers within 72 hours as required by HIPAA. We conduct post-incident reviews and implement preventive measures.
Upon account termination, we retain your data for 30 days to allow for data export. After this period, all customer data is securely deleted from our production systems and backups within 90 days. You can request immediate deletion at any time.
Yes, we conduct annual third-party penetration testing by qualified security firms. We also perform regular vulnerability scanning and address identified issues based on severity. Penetration test summaries are available upon request with an NDA.
If you discover a security vulnerability, please report it to security@carelumi.com. We take all reports seriously and will investigate promptly. We ask that you give us reasonable time to address the issue before public disclosure.