Trust & security
Built to live inside your compliance envelope.
Cara engagements run inside regulated environments every day — AMCs, payers, pharma. Our security posture exists so that starting an engagement is a conversation, not a procurement exercise.
Compliance posture
HIPAA compliant
Full HIPAA compliance with BAA execution included by default for every engagement. Administrative, physical, and technical safeguards in place across the platform.
SOC 2 Type II controls
Operates to SOC 2 Type II controls across security, availability, confidentiality, processing integrity, and privacy. Formal external audit not yet complete; control documentation can be shared under NDA during diligence.
BAA by default
A Business Associate Agreement is executed as part of every engagement. It is not a premium tier. It is the contract we operate under.
Engineered for the regulated edge
HITRUST-aligned controls. Tenant-scoped PHI. Row-level audit trails. Incident response playbook ready on day one.
Infrastructure & data
Runs inside your envelope
Every Enablement Sprint deploys inside your compliance envelope, not Cara's. Your identity provider, your VPC, your audit logs.
Tenant isolation
Complete data separation between partners. Each partner operates in isolated infrastructure with dedicated encryption keys.
Encryption
AES-256 at rest, TLS 1.3 in transit. Key management integrates with KMS, CloudHSM, or your preferred provider.
Audit trails
Full activity logging with timestamp and identity for every data access, modification, and export. SIEM-compatible export formats.
PHI handling
Protected health information is automatically redacted from application logs, error reports, and monitoring systems. PHI segregation is enforced in pipeline design, not just at the edge.
Incident response
Documented incident response plan with defined escalation paths. Affected partners notified within 24 hours of confirmed breach, per HIPAA requirements.
Need to dig deeper?
Your security team can talk to ours.
Detailed security documentation, SIG Lite responses, and audit artifacts are available to partners under mutual NDA during engagement diligence.