Security & Availability

The security and availability of your data is paramount

Your data is secure and always available. Don't just take our word for it: we have our service independently monitored for uptime, scanned for vulnerabilities and penetration tested on an ongoing basis.

We have an extensive list of measures in place to ensure data security and service continuity.

Security

Login security

Access to CareHQ requires users to log in using an email address and password. Users can further secure their login by enabling 2FA (two-factor authentication) on their account.

User passwords must be at least 10 characters long and contain a mixture of:

  • Uppercase and lowercase characters
  • Numbers
  • Non-alphanumeric characters (e.g. %, ~)

Repeated failed attempts to log in will lock a user's account for 30 minutes before it is possible to retry. Passwords are stored in a hashed form (they cannot be retrieved). Passwords are not sent to users on account creation or password resets, instead CareHQ sends a time-limited single use link to a user via email which can be used to set a new password.
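The login controls described above, as an added illustration that is not CareHQ's own code: a check for the stated password rules, salted scrypt hashing so that passwords cannot be retrieved, a 30-minute lockout after repeated failures, and a single-use, time-limited reset token of the kind the emailed link would carry. The failure threshold, the link lifetime and the scrypt parameters are assumptions, since the page does not state them.

```python
import hashlib, hmac, os, secrets

LOCKOUT_SECONDS = 30 * 60     # page: locked for 30 minutes after repeated failures
MAX_FAILED_ATTEMPTS = 5       # assumption: the page does not give the threshold
RESET_LINK_TTL = 60 * 60      # assumption: the page only says "time-limited"
SCRYPT = dict(n=2**14, r=8, p=1)   # assumption: work factor is not on the page

def password_meets_policy(pw):
    """At least 10 characters with upper, lower, digit and non-alphanumeric."""
    return (len(pw) >= 10 and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw) and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))

def hash_password(pw, salt=None):
    """Salted scrypt digest; the password itself is never stored or recoverable."""
    salt = salt or os.urandom(16)
    return salt + hashlib.scrypt(pw.encode(), salt=salt, **SCRYPT)

def verify_password(pw, stored):
    salt, digest = stored[:16], stored[16:]
    return hmac.compare_digest(hashlib.scrypt(pw.encode(), salt=salt, **SCRYPT), digest)

class Account:
    def __init__(self, pw_hash):
        self.pw_hash, self.failures, self.locked_until = pw_hash, 0, 0.0
        self.reset_tokens = {}   # sha256(token) -> expiry time
    def login(self, pw, now):
        if now < self.locked_until:
            return "locked"
        if verify_password(pw, self.pw_hash):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILED_ATTEMPTS:
            self.failures, self.locked_until = 0, now + LOCKOUT_SECONDS
            return "locked"
        return "invalid"
    def issue_reset_token(self, now):
        token = secrets.token_urlsafe(32)   # goes into the emailed link; only its hash is kept
        self.reset_tokens[hashlib.sha256(token.encode()).hexdigest()] = now + RESET_LINK_TTL
        return token
    def redeem_reset_token(self, token, new_pw, now):
        if not password_meets_policy(new_pw):
            return False              # a rejected password does not consume the link
        expiry = self.reset_tokens.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if expiry is None or now > expiry:
            return False              # unknown, already used, or expired
        self.pw_hash, self.failures, self.locked_until = hash_password(new_pw), 0, 0.0
        return True
```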

Measures to prevent user account/session hijacking

We use device fingerprints (based on the geographic location, browser and operating system) to help prevent session hijacking and users are notified by email about logins on devices they haven't logged in on before.

If a user changes their email address they are notified by email (the email is sent to the previous email address).

Access control

CareHQ provides a number of different user roles which determine what data can be accessed and what actions can be performed within the application:

  • Account owners
    Account owners can view and manage every aspect of the account, including the access other users have.
  • Regional managers
    Regional managers can view and manage data only for the locations they are given access to.
  • Location users
    Location users can view and manage data only for the single location they are assigned to.
  • Care advisers
    Care advisers (who may be external such as a third-party call centre operator) can access all locations but have limited access to data. They are only able to view and manage data relevant to their role as a care adviser.

CareHQ clients can restrict access to their account to a limited set of IP addresses.

CareHQ maintains a list of personnel with authorised access to the production environment. We review this monthly and these lists are updated on role change. Only authorised personnel have access to CareHQ's production environment. Access to data within CareHQ's production environment by authorised personnel is only permitted for the purpose of resolving issues.

CareHQ support staff do not have access to data unless granted access by a CareHQ user. Users can grant support staff access for the purpose of troubleshooting either through the application UI or by a link sent to them in an email from a support staff member. Granting support staff access enables them to view and manage the same data as the user granting access. Support staff access is temporary and automatically expires after 24 hours. A CareHQ user can choose to revoke any access they have granted to support staff at any time.

Event logging

When users modify data within the CareHQ application we log what changed, who changed it and when. The change log for any document (e.g. a care enquiry, room spec, etc.) can be viewed within the application. Account owners can also view activity logs for any user to see what changes an individual user has made. Change log entries are retained for 12 months.

Exports of data from the system in Excel or CSV/TSV format are logged as an export event which records what data was exported, who exported the data and when. Export log entries are retained for 12 months. Users can subscribe to be notified whenever an export event occurs; users can only view export logs containing data they are permitted to access.

Event logging can help reduce risk by identifying potentially fraudulent activity earlier and providing a record of any data affected by such activity.

Vulnerability detection

We run automated third-party vulnerability scans of the CareHQ production environment at a minimum of every 7 days and perform penetration testing annually. Penetration testing is performed by external independent security specialists.

All changes to CareHQ are peer reviewed.

Encryption at rest and during transit

We encrypt data when at rest. This includes data held in the database (e.g. care enquiries, client information and contact details), non-public assets (e.g. care assessment scans) and data backups. Data encrypted at rest uses the AES256-CBC encryption standard.

We further encrypt data in transit. This includes data you send and receive when accessing our services (e.g. via the browser) and data sent between servers within our infrastructure (e.g. when a backup is taken on one server and stored on another). Data encrypted in transit uses HTTPS for web browser connections and WireGuard for transit between servers.

Data retention

The period of time PII (Personally Identifiable Information) is held for care enquiries and client records can be set to meet your requirements; by default care enquiries are retained for 1 year and client records are retained for 7 years. Once data has reached the end of its retention period it is either deleted or anonymised. Anonymised data has all PII data removed but retains data relevant to demographic reporting.

API logs are retained for 30 days and only available to users with the account owner role.

Server and error logs are retained for 90 days and are accessible internally to a limited number of authorised employees for the express purpose of monitoring CareHQ to ensure service availability and performance.

Data deletion

All live data stored for a client on CareHQ servers is deleted within 24 hours of termination of the service. Data held in backups is deleted automatically after 30 days.

Users can find and permanently delete individual documents (and any associated data) from CareHQ in order to comply with data protection requirements, such as a right-to-be-forgotten request.

Isolating your data

If your organization requires data isolation, we offer complete data isolation plans ensuring that your data is stored on dedicated hardware and does not share resources and liabilities with other clients.

Data centres and locations

CareHQ is hosted at data centres located in:

  • France (Europe)
  • Netherlands (Europe)
  • Ireland (Europe)

Some of the partners CareHQ relies on transmit and store limited data outside of the European Union, specifically in the United States:

  • Sentry
    We use Sentry for logging errors that occur with the CareHQ service. We employ Personally Identifiable Information (PII) scrubbing to ensure that any error information we capture does not contain sensitive data. Sentry are certified with the EU-U.S. Privacy Shield Framework.
  • Twilio
    We use Twilio to send SMS and WhatsApp messages and to perform call forwarding. Twilio are certified with the EU-U.S. Privacy Shield Framework. Message and call logs are removed from Twilio within 48 hours.

Physical access control

CareHQ is hosted across 3 service providers (AWS, Google and OVH) for redundancy.

All the service providers we host with take extensive measures to safeguard their physical sites. CRMHQ employees do not have physical access to data centre servers, network equipment or storage for any of the service providers that we host with.

Availability

Remote monitoring

We use multiple external services to remotely monitor key metrics for the CareHQ service. We report on service availability (uptime) on our status page and you can subscribe to email notifications for any status change events.

Distributed infrastructure

CareHQ is hosted across multiple countries (France, Ireland and the Netherlands) and service providers (AWS, Google and OVH) to reduce reliance on any individual network or service provider.

DNS (AWS Route 53) distributes load between data centres, with health checks to route traffic away from any local issues. Additional load balancing from the web server (NGINX) down to the application level distributes requests to keep the service responsive and provide further redundancy. For assets (such as imagery and documents) we use AWS S3, and for public assets we use a CDN (AWS CloudFront).

Data backups

We take database backups every 2 hours and server snapshots every 24 hours. We run multiple database replicas with automatic failover for redundancy.

Disaster recovery and readiness

We regularly test the network and infrastructure CareHQ is hosted on to ensure that the service remains operational when components fail.

Incidents and response

A CareHQ issue impacting a customer will be assigned a severity level and handled according to the following table. All resolution times apply within hours of operation, 8am - 6pm GMT, Monday - Friday (excluding bank holidays).

Severity | Description | Resolution
Level 1 | CareHQ is not available / not usable. | Acknowledgement within 1 hour. Temporary resolution within 4 hours. Final resolution within 2 days.
Level 2 | CareHQ performance is substantially degraded, preventing normal usage. | Acknowledgement within 1 hour. Temporary resolution within 8 hours. Final resolution within 7 days.
Level 3 | A non-essential CareHQ feature is unavailable or degraded. | Acknowledgement within 1 day. Final resolution within 28 days.
Level 4 | Minor cosmetic issues and feature requests for CareHQ. | Resolution at CRMHQ's discretion.