Security & Data Protection

Last Updated: April 1, 2026

Version: 1.2

Your health data deserves the highest level of protection. We implement HIPAA-aligned security measures to keep your information safe.

This Security page describes the technical, administrative, and physical safeguards CRMO Care implements to protect your health information.

Overview

CRMO Care is committed to protecting your personal health information (PHI). While we are not a HIPAA-covered entity, we voluntarily implement HIPAA-aligned security safeguards to ensure your data is protected with industry-leading practices.

HIPAA Alignment Statement: CRMO Care is HIPAA-aligned and actively working towards full HIPAA compliance. We maintain Business Associate Agreements (BAAs) with all vendors who process Protected Health Information (PHI), follow HIPAA de-identification standards for research, and implement safeguards aligned with the HIPAA Security Rule. Our goal is to meet or exceed HIPAA requirements as we grow.

Our platform is designed to support multiple chronic conditions (CRMO, JIA, IBD, and others) with disease-agnostic data models and condition-specific extensions. Privacy and security controls remain consistent across all supported conditions, with condition-specific data validated against clinical requirements.

Our Security Commitment:

  • Encryption of data in transit and at rest
  • Row-level database security ensuring complete data isolation
  • Regular security audits and vulnerability assessments
  • Strict access controls and authentication
  • PHI-free logging and error tracking
  • Continuous monitoring for threats and breaches
  • Employee training on security best practices
  • Incident response and breach notification procedures

Our Data Governance Commitment:

  • We never sell your data to marketers, advertisers, or data brokers
  • All research participation is opt-in — you choose whether to contribute
  • Registry and clinical trial participation are voluntary — separate from app usage
  • You control your data — access, edit, delete, and export at any time
  • We share only de-identified data for research (under explicit consent)
  • International users welcome during Beta with GDPR-aligned principles applied

1. Technical Safeguards

1.1 Encryption

Data in Transit:

  • All data transmitted between your device and our servers uses TLS 1.3 encryption
  • API endpoints enforce HTTPS exclusively
  • Certificate pinning on mobile applications
  • No downgrade to unencrypted connections permitted

Data at Rest:

  • Database encryption using AES-256 encryption
  • File storage (voice recordings, documents) encrypted at rest
  • Daily automated backups encrypted at rest (AES-256) via Supabase Pro / Google Cloud infrastructure
  • Key management through secure key management services

1.2 Access Controls

User Authentication:

  • Multi-factor authentication (MFA) available for all accounts; required for sensitive operations
  • Minimum 8 characters with complexity requirements for passwords
  • Automatic session timeout after periods of inactivity
  • Email/password authentication with mandatory email OTP (one-time passcode) verification at every login

Role-Based Access Control:

  • Caregiver: Full access to dependent's health records
  • Teen/Self-managing patients: Access to own records only
  • Clinician: Access only to explicitly shared patient data
  • Admin: De-identified data views only (no direct PHI access)
  • Researcher: Aggregate and de-identified data only

All roles follow the principle of least privilege. Admin and research tools operate primarily on de-identified views, not live PHI.

1.3 Audit Controls

Comprehensive Logging:

  • All data access and modifications logged with tamper-proof audit trails
  • Administrative actions tracked and reviewed regularly
  • Retention of audit logs for a minimum of 7 years
  • Regular review of access logs for suspicious activity
  • Structured, machine-parseable log format for automated analysis
  • Clinical trial subject ID access logged separately with enhanced monitoring
  • Research data exports logged with requester, purpose, timestamp, and dataset ID

PHI-Free Logging:

  • Application logs contain only user IDs, child IDs, session IDs, and metadata
  • No PHI in logs: never names, dates of birth, symptoms, medications, or clinical notes
  • Error tracking (Sentry) configured with PHI scrubbing — no health data in error messages, tags, or breadcrumbs
  • Voice recordings and transcripts never stored in non-BAA-covered analytics tools
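The two properties this section describes, a tamper-proof audit trail and logging that carries identifiers and metadata but never clinical content, can both be enforced inside the database rather than left to application discipline. The following Postgres example is added here for illustration; it is not CRMO Care's schema or code. The `symptom_entries` and `audit_log` tables, their columns, and the `request.jwt.claims` / `app.session_id` settings are assumptions (the first is the convention PostgREST and Supabase use for the caller's JWT).

```sql
-- Added example (not CRMO Care's own code): an append-only, PHI-free audit trail.
-- Table and column names are assumptions. The audit row records WHO touched WHICH
-- row and WHEN; the clinical payload is deliberately never copied into it.

create table if not exists symptom_entries (
  id       uuid primary key default gen_random_uuid(),
  user_id  uuid not null,
  child_id uuid not null,
  payload  jsonb not null           -- the PHI; never selected into audit_log
);

create table if not exists audit_log (
  id          bigint generated always as identity primary key,
  occurred_at timestamptz not null default now(),
  actor_id    uuid,                 -- caller's JWT subject, null for service jobs
  action      text not null check (action in ('INSERT', 'UPDATE', 'DELETE')),
  table_name  text not null,
  row_id      uuid not null,
  user_id     uuid,                 -- identifiers only, as the logging policy allows
  child_id    uuid,
  session_id  text                  -- from a request-scoped setting, if present
);

-- Tamper resistance: rows may be added but never rewritten or removed.
-- (TRUNCATE is not a row-level event, so it is closed off by privilege instead.)
create or replace function audit_log_immutable() returns trigger
language plpgsql as $$
begin
  raise exception 'audit_log is append-only (% on id=%)', tg_op, old.id;
end $$;

create trigger audit_log_no_rewrite
  before update or delete on audit_log
  for each row execute function audit_log_immutable();

revoke update, delete, truncate on audit_log from public;

-- Record every change to a PHI table using identifiers and metadata only.
-- SECURITY DEFINER lets the trigger insert even when the caller cannot.
create or replace function log_phi_access() returns trigger
language plpgsql security definer as $$
declare
  r record;
begin
  if tg_op = 'DELETE' then r := old; else r := new; end if;
  insert into audit_log (actor_id, action, table_name, row_id, user_id, child_id, session_id)
  values (
    (nullif(current_setting('request.jwt.claims', true), '')::jsonb ->> 'sub')::uuid,
    tg_op, tg_table_name, r.id, r.user_id, r.child_id,
    nullif(current_setting('app.session_id', true), '')
  );
  return null;                      -- AFTER trigger: return value is ignored
end $$;

create trigger symptom_entries_audit
  after insert or update or delete on symptom_entries
  for each row execute function log_phi_access();

-- Expected behaviour with constructed ids:
insert into symptom_entries (id, user_id, child_id, payload)
values ('11111111-1111-1111-1111-111111111111',
        '22222222-2222-2222-2222-222222222222',
        '33333333-3333-3333-3333-333333333333',
        '{"pain_score": 4}');       -- one audit_log row appears, without the payload
-- delete from audit_log;           -- ERROR: audit_log is append-only (DELETE on id=1)
```

Because the trigger selects only `id`, `user_id` and `child_id` from the changed row, a new PHI column added to `symptom_entries` later cannot leak into the log by accident; the 7-year retention requirement then applies to a table that contains no health data at all.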

1.4 Network Security

  • Firewall protection on all network perimeters
  • Intrusion detection and prevention systems (IDS/IPS)
  • DDoS protection and rate limiting
  • Regular vulnerability scanning and penetration testing
  • Network segmentation to isolate sensitive data

1.5 Secure Development

  • Security-first development lifecycle
  • Code review and static analysis for security vulnerabilities
  • Dependency scanning for known vulnerabilities
  • Regular security updates and patch management
  • Secure coding standards and training for developers

Database Migration Security:

  • All database changes deployed via version-controlled migrations
  • Migrations tested in staging before production deployment
  • Rollback procedures documented and tested
  • No direct production database modifications

1.6 Row-Level Security (RLS)

Database-level access controls enforce complete data isolation between users:

  • Row-Level Security policies enforce data isolation at the database level
  • Every query automatically filtered by user_id and child_id
  • No user can access another user's health data, even if they guess the ID
  • RLS policies independently tested from "unauthorized user" perspective
  • Database queries fail-closed (deny by default) if RLS is misconfigured
  • RLS applies to all tables containing PHI or user-specific data
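To make the mechanism concrete, here is an added Postgres/Supabase-style example of the kind of row-level security this section describes. It is illustrative only and is not CRMO Care's actual schema or policy set: the `children` and `symptom_entries` tables, their columns, and the modelling of a self-managing patient as a `children` row whose `caregiver_id` is their own account are all assumptions. `auth.uid()` is the helper Supabase provides to read the caller's user id from the request JWT; outside Supabase it must be defined as shown in the comment.

```sql
-- Added example (not CRMO Care's schema or policies): row-level security that
-- filters every query by user_id / child_id and fails closed. Names are assumptions.

-- Outside Supabase, define the helper yourself (assumes claims live in request.jwt.claims):
-- create schema if not exists auth;
-- create function auth.uid() returns uuid language sql stable as
--   $$ select (nullif(current_setting('request.jwt.claims', true), '')::jsonb ->> 'sub')::uuid $$;

create table if not exists children (
  id            uuid primary key default gen_random_uuid(),
  caregiver_id  uuid not null,            -- account that manages this child
  display_name  text not null
);

create table if not exists symptom_entries (
  id        uuid primary key default gen_random_uuid(),
  user_id   uuid not null,                -- account that wrote the entry
  child_id  uuid not null references children (id),
  recorded  timestamptz not null default now(),
  payload   jsonb not null
);

-- Fail closed: once RLS is enabled, a table with no matching policy returns no
-- rows and accepts no writes. FORCE applies the policies to the table owner too,
-- so a misconfigured backend role cannot silently bypass them.
alter table children        enable row level security;
alter table children        force  row level security;
alter table symptom_entries enable row level security;
alter table symptom_entries force  row level security;

-- A caregiver sees only the children they manage ...
create policy children_caregiver on children
  for all to authenticated
  using (caregiver_id = auth.uid())
  with check (caregiver_id = auth.uid());

-- ... and only entries for those children or entries they wrote themselves.
-- Because child_id is checked against the caller's own children, guessing another
-- family's entry id returns nothing rather than their data.
create policy entries_owner_or_caregiver on symptom_entries
  for all to authenticated
  using (
    user_id = auth.uid()
    or child_id in (select id from children where caregiver_id = auth.uid())
  )
  with check (
    user_id = auth.uid()
    and child_id in (select id from children where caregiver_id = auth.uid())
  );

-- Test from the "unauthorized user" perspective: impersonate a user id that owns
-- nothing and confirm the query is empty even if the table holds other families' rows.
begin;
  set local role authenticated;
  set local request.jwt.claims to '{"sub": "00000000-0000-0000-0000-000000000999"}';
  select count(*) as visible_rows from symptom_entries;   -- expected: 0
rollback;
```

The test at the end is the check worth automating: run it for a freshly minted user id against a seeded database, and treat any non-zero count as a failed RLS policy. A policy that uses only `user_id` would let a caregiver who can write entries for a child also read entries another caregiver wrote for the same child; whether that is desired is a product decision, which is why the `child_id` clause is spelled out rather than implied.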

1.7 Voice Data Processing

Special safeguards for the voice journal feature:

  • Voice recordings encrypted in transit and at rest
  • Transcription through HIPAA-eligible providers with BAAs only
  • Voice recordings retained per user preference (can be deleted on request)
  • Transcription quality validation before clinical use
  • Structured data extraction with fallback to free-text if AI processing fails
  • Users can review, edit, and correct all AI-extracted data before saving
  • No voice recordings or transcripts sent to non-BAA-covered services

2. Administrative Safeguards

2.1 Security Management

  • Risk Assessments: Annual comprehensive security risk assessments
  • Security Policies: Written security policies and procedures
  • Incident Response Plan: Documented procedures for security incidents
  • Disaster Recovery: Business continuity and disaster recovery plans
  • Regular Reviews: Quarterly review and updates of security measures

2.2 Workforce Security

  • Background Checks: Background screening for all employees with PHI access
  • Security Training: Annual security and privacy training required
  • Access Authorization: Formal authorization procedures for system access
  • Access Termination: Immediate revocation of access upon termination
  • Confidentiality Agreements: All workforce members sign confidentiality agreements

2.3 Third-Party Management

We carefully vet all service providers who may have access to your data:

  • Vendor Assessments: Security assessment before engagement
  • Contracts: Business Associate Agreements (BAAs) or equivalent where applicable
  • Ongoing Monitoring: Regular review of vendor security practices
  • Data Processing Agreements: Explicit limitations on data use and sharing

Our Key Service Providers:

  • Supabase: Database hosting, authentication, file storage (U.S.-based, SOC 2 Type II certified)
  • OpenAI: Voice transcription and AI processing (Business Associate Agreement in place for HIPAA compliance)
  • Sentry: Error tracking (PHI scrubbed before transmission; no BAA required as no PHI sent)

AI Processing Safeguards:

  • Business Associate Agreement (BAA) in place with OpenAI for HIPAA compliance
  • Minimal necessary PHI principle applied to all AI prompts (IDs and metadata only, not full names/DOB)
  • Voice transcription processed through BAA-covered endpoints only
  • AI processing logs contain no PHI (only request IDs, latency, and error codes)
  • User review and editing required before any AI-structured data is saved
  • Voice recordings and transcripts never stored in non-BAA-covered analytics tools

2.4 Environment Controls

Separate infrastructure for development, staging, and production:

  • Development and staging environments use only synthetic or anonymized data
  • No real PHI ever used for testing, development, or demos
  • Database schema changes deployed via tested migrations with rollback capability
  • Sandbox endpoints for AI, payment, and email services in non-production environments
  • Strict network separation between production and non-production systems
  • Production database credentials never used in development or staging

3. Physical Safeguards

3.1 Infrastructure Security

  • Data Center Security: Our cloud infrastructure providers maintain SOC 2 Type II certified data centers
  • Physical Access Controls: Biometric access, 24/7 surveillance, and security personnel
  • Environmental Controls: Fire suppression, climate control, and power redundancy
  • U.S.-Based Hosting: All production data hosted in U.S. data centers
  • Geographic Redundancy: Multi-region backup and failover capabilities

3.2 Device Security

  • Encrypted hard drives on all company devices
  • Remote wipe capabilities for lost or stolen devices
  • Automatic screen locking after inactivity
  • Prohibition of PHI storage on personal devices

4. Data Protection Practices

4.1 Data Minimization

We collect only the minimum data necessary to provide our services. We do not collect:

  • Advertising identifiers
  • Precise location data (unless explicitly enabled)
  • Social security numbers or financial information
  • Unnecessary demographic data

4.2 Data Retention

  • Data retained only as long as necessary for service provision
  • Voice recordings retained until user requests deletion or account closure
  • Transcripts retained according to user preferences and can be deleted at any time
  • Users can delete voice recordings at any time from their account settings
  • Account data deleted within 30 days of account closure
  • Backups: Supabase Pro plan performs automated daily backups. All backups are encrypted at rest using AES-256 via Google Cloud infrastructure, consistent with Supabase's SOC 2 Type II certification. Backups are retained for 7 days on a rolling basis and purged from all systems within 90 days of account deletion.
  • Audit logs retained for 7 years for security and compliance purposes

4.3 Data Integrity

  • Regular database integrity checks
  • Backup verification and testing
  • Version control for all data modifications
  • User ability to review, edit, and delete their data

4.4 Data Governance Principles

CRMO Care adheres to the following data governance principles:

No Sale of Data:

  • We do not sell identifiable patient data under any circumstances
  • We do not share data with marketers, advertisers, or data brokers
  • We do not use patient data for advertising or marketing purposes

Opt-In Research Model:

  • Research Databank participation is entirely voluntary
  • CRMO Registry participation is entirely voluntary
  • Clinical trial participation requires separate, trial-specific consent
  • You can use the app without ever participating in research

Transparency:

  • We maintain records of all research data sharing activities
  • We disclose research partnerships and data use purposes
  • We notify participants when studies using their data are published
  • We provide clear information about who accesses research data

Data Ownership and Control:

  • You own your identifiable data and can access, edit, or delete it at any time
  • Once data is de-identified, it cannot be linked back to you (this protects your privacy)
  • De-identified data that has been shared externally cannot be recalled
  • Your consent decision before de-identification is the key control point

4.5 Research Participation (Optional)

If you opt into the CRMO Research Databank, CRMO Care supports two distinct research pathways with different data handling:

Clinical Trial Participation (Pathway A):

CRMO Care may support clinical trials that require:

  • Coded participant identifiers (subject IDs) rather than full de-identification
  • Secure re-identification key database maintained by CRMO Care
  • Access to keys limited to: Data Governance Officer, approved Principal Investigators with documented justification, and safety monitoring personnel
  • All key access logged with timestamp, purpose, and approver to immutable audit trail
  • ICH GCP Subject Identification Code List principles
  • Trial-specific informed consent required beyond general consent
  • Protocol-specific data retention (typically 2–25 years post-trial)
  • Support for: safety reporting, adverse event follow-up, protocol deviations, monitoring/audits

Re-identification Key Security:

  • Keys stored in separate, encrypted database table with row-level security
  • Multi-factor authentication required for any key access
  • Annual third-party security audit of key management system
  • Keys never transmitted to external trial sponsors
  • Re-linkage operations performed only within CRMO Care's secure environment

General Research Data Sharing (Pathway B):

For observational and epidemiological research:

Research Data Architecture:

  • Clinical and research data stored in separate database projects
  • Automated, auditable de-identification process
  • Batch ETL processes (not real-time) transfer de-identified data to research database
  • Research API rate limiting per institutional customer
  • Consent verification before inclusion in research datasets

HIPAA Safe Harbor De-identification:

  • Removal of all 18 HIPAA identifiers (names, dates, IDs, etc.)
  • k-anonymity enforcement: Minimum cohort size required before data export
  • No re-identification capability exists for this pathway
  • Aggregate reporting to prevent individual identification
  • Independent expert determination where appropriate
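The Safe Harbor removal of identifiers and the k-anonymity gate described above can be expressed as two database steps: a de-identified view that never selects direct identifiers and coarsens quasi-identifiers, followed by an export function that drops any cohort smaller than k. The example below is added for illustration and is not CRMO Care's research pipeline; the `patients` and `research_consent` tables, their columns, the age bands, and the default k of 10 are assumptions.

```sql
-- Added example (not CRMO Care's research code): Safe Harbor-style de-identification
-- followed by a k-anonymity export gate. Table/column names and k = 10 are assumptions.

create table if not exists research_consent (
  user_id   uuid primary key,
  consented boolean not null default false
);

create table if not exists patients (
  id         uuid primary key default gen_random_uuid(),
  user_id    uuid not null references research_consent (user_id),
  first_name text not null,        -- direct identifier: never selected below
  birth_date date not null,        -- exported only as an age band
  zip_code   text not null,        -- exported only as its first three digits
  condition  text not null         -- CRMO, JIA, IBD, ...
);

-- Step 1: de-identify. Direct identifiers are simply not selected; birth dates become
-- bands (ages over 89 collapse into the top band, as Safe Harbor requires) and ZIP
-- codes become a 3-digit prefix. Consent is checked before a row is included at all.
create or replace view research_deidentified as
select
  condition,
  case when age_years < 18 then 'under_18'
       when age_years < 40 then '18_39'
       when age_years < 65 then '40_64'
       else '65_plus' end                          as age_band,
  left(zip_code, 3)                                as zip3
from (
  select p.condition, p.zip_code,
         extract(year from age(current_date, p.birth_date))::int as age_years
  from patients p
  join research_consent c on c.user_id = p.user_id
  where c.consented
) s;

-- Step 2: k-anonymity gate. Every exported row describes a group of at least k
-- consenting patients who share the same quasi-identifiers, so no row can single
-- anyone out. Small cohorts are suppressed entirely rather than exported with a count.
create or replace function research_export(k int default 10)
returns table (condition text, age_band text, zip3 text, cohort_size bigint)
language sql stable as $$
  select condition, age_band, zip3, count(*) as cohort_size
  from research_deidentified
  group by condition, age_band, zip3
  having count(*) >= k
$$;

-- Usage: select * from research_export(10);
-- Any (condition, age_band, zip3) combination held by fewer than 10 consenting
-- patients is absent from the result.
```

Two practical caveats follow from the page's own description. First, the gate is only as good as the set of quasi-identifiers it groups by: adding a new exported column (for example a diagnosis year) without adding it to the `group by` list reopens the small-cohort problem, so the export function, not ad hoc queries, should be the only path out of the research database. Second, the batch ETL that copies de-identified rows across projects should call this function rather than the view, so that the minimum cohort size is enforced before data leaves the clinical side.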

See Beta User Agreement (Version 2.7, Sections 11a and 12) and the Research Databank Proposal for complete details on research pathways.

5. Mobile Application Security

5.1 App Security Features

  • Biometric Authentication: Face ID, Touch ID (iOS), and fingerprint (Android) supported for app unlock and sensitive operations. Biometric templates are stored exclusively in Apple Secure Enclave / Android StrongBox — CRMO Care never accesses or stores biometric data itself; we store only a boolean flag indicating whether biometric auth is enabled on the device.
  • Secure Storage: iOS Keychain and Android Keystore for credential and session token storage
  • Certificate Pinning: Prevention of man-in-the-middle attacks
  • Code Obfuscation: Protection against reverse engineering
  • Jailbreak Detection: Warning on compromised devices
  • HealthKit Data Security (iOS): HealthKit data is read from Apple Health under explicit user authorization and stored in the user's encrypted CRMO Care account. Access is read-only; CRMO Care never writes to Apple Health. Users can revoke access at any time in iOS Settings. HealthKit data at rest is subject to the same AES-256 encryption and RLS controls as all other health data.
  • Visit Companion Recording Security: Appointment audio recordings are encrypted in transit (TLS 1.3) and at rest (AES-256). Recordings are processed exclusively through BAA-covered AI endpoints and are never sent to non-BAA services. A clinician permission confirmation is required before recording begins. Users can delete recordings at any time; deletion removes both the audio and derived transcripts from all systems within 30 days.
  • Push Notification Security: Push notification tokens (used to deliver reminders) are stored encrypted and used solely for sending the user's own app notifications. Tokens are never shared with third-party marketers and are invalidated when the user revokes notification permissions or deletes their account.

Secure Deep Link Handling:

  • Deep links validate authentication and authorization before granting access
  • No sensitive IDs exposed in URLs that could bypass authentication
  • Session tokens required for all authenticated deep links

Key Management:

  • Elevated database keys never included in client applications
  • Public/anonymous keys only in mobile apps
  • Service role keys restricted to secure backend and serverless functions
  • API keys rotated regularly and never committed to version control

5.2 Data on Device

  • Minimal data caching on device
  • Encrypted local storage when caching is necessary
  • Automatic cache clearing on logout
  • No PHI stored in device logs or crash reports

6. Security Incident & Breach Response

6.1 Incident Detection

  • 24/7 automated monitoring and alerting
  • Intrusion detection systems
  • Anomaly detection for unusual access patterns
  • User reporting mechanisms for security concerns

6.2 Incident Response

In the event of a security incident, we will:

  • Immediate Action: Contain and mitigate the incident within 24 hours
  • Investigation: Conduct thorough investigation to determine scope and impact
  • Notification: Notify affected users within 72 hours if PHI is compromised
  • Clinical Trial Notification: If breach affects clinical trial participants, notify Principal Investigator and sponsor per trial-specific protocol within 24 hours
  • Remediation: Implement corrective measures to prevent recurrence
  • Documentation: Maintain detailed incident logs and lessons learned

6.3 Breach Notification

If we discover a breach affecting your data, we will notify you via:

  • Email to your registered address
  • In-app notification
  • Notice on our website (if affecting 500+ users)

The notification will include:

  • Description of the incident
  • Types of information involved
  • Steps we are taking
  • Steps you can take to protect yourself
  • Contact information for questions

7. Your Security Responsibilities

While we implement comprehensive security measures, you also play a critical role in protecting your data:

7.1 Account Security

  • Strong Passwords: Use unique, complex passwords
  • Enable MFA: Turn on multi-factor authentication
  • Keep Credentials Private: Never share your password or login information
  • Secure Your Device: Use device passcodes and biometric locks
  • Update Regularly: Keep your app and device OS up to date

7.2 Safe Practices

  • Log out when using shared devices
  • Be cautious of phishing emails or suspicious messages
  • Verify you're on the official CRMO Care app or website
  • Report suspicious activity immediately
  • Review your account activity regularly

7.3 Reporting Security Concerns

If you suspect a security issue, please contact us immediately using the security contact listed in Section 10 below.

8. Compliance & Standards

8.1 HIPAA Alignment

While CRMO Care is not a HIPAA-covered entity, we voluntarily implement technical, administrative, and physical safeguards that align with HIPAA Security Rule requirements, including:

  • 45 CFR § 164.308 — Administrative Safeguards
  • 45 CFR § 164.310 — Physical Safeguards
  • 45 CFR § 164.312 — Technical Safeguards
  • 45 CFR § 164.316 — Policies, Procedures, and Documentation

8.2 Industry Standards

We follow industry best practices including:

  • NIST Cybersecurity Framework: Risk management and security controls
  • OWASP Top 10: Protection against common web vulnerabilities
  • SOC 2: Infrastructure providers are SOC 2 Type II certified
  • ISO 27001: Information security management principles

8.3 State Privacy Laws

We comply with applicable state privacy laws, including California Consumer Privacy Act (CCPA), Virginia Consumer Data Protection Act (VCDPA), and other state-specific requirements.

International Users and GDPR Alignment

During the Beta testing period, CRMO Care welcomes international users. For all users, regardless of location, we apply GDPR-aligned principles:

  • Data Minimization: We collect only data necessary for the service
  • Purpose Limitation: We use data only for stated purposes
  • Right to Erasure: You can request deletion of your data at any time
  • Right to Access: You can request a copy of all data we hold about you
  • Right to Rectification: You can correct inaccurate data
  • Right to Data Portability: You can export your data in a standard format
  • Lawful Basis: We process data based on consent and legitimate interests

Data Storage and Transfers:

  • All data is stored on U.S.-based infrastructure
  • International data transfers use encryption and appropriate safeguards
  • Future versions may implement Standard Contractual Clauses as needed

9. Updates to This Security Page

We may update this Security page as we enhance our security measures or in response to changing legal requirements. We will notify you of material changes via:

  • Email notification
  • In-app notification
  • Notice on our website

The "Last Updated" date at the top of this page indicates when changes were last made.

10. Questions or Concerns?

CRMO Care has designated officers to handle security and privacy questions.

Privacy Officer / Security Officer:

Martin W. Walsh, Founder
Email: privacy@crmo-care.app (privacy) / security@crmo-care.app (security)

Response Commitment: We will acknowledge security concerns within 24 hours. Critical security reports will be escalated immediately.

Government Request Transparency: Since CRMO Care was founded, we have received zero government requests for user information. We will update this disclosure annually.

Non-Discrimination: CRMO Care will not discriminate against you for exercising any of your data protection rights. Your access to the app and quality of service will not be affected by exercising your rights.

We take all security concerns seriously and will respond promptly to your inquiries.

Notice

CRMO Care follows HIPAA-aligned administrative, technical, and physical safeguards to protect privacy and data integrity. While CRMO Care is not a HIPAA-covered entity or Business Associate, we implement industry-standard security practices and treat health-related information with care and confidentiality.