Security & Compliance

Security built in, not bolted on

Handling PHI is a serious responsibility. CareLX is engineered with HIPAA compliance, encryption, and audit readiness at every layer.

  • HIPAA Compliant: Active
  • BAA Available: All Plans
  • Azure Hosted: SOC 2 Data Centers
  • AES-256 Encryption: At Rest & In Transit
  • Role-Based Access: Granular Controls
  • Audit Trails: Immutable Logging

HIPAA Compliance

CareLX is built from the ground up to meet the HIPAA Security Rule's requirements for handling Protected Health Information (PHI). HIPAA has no certifying body, so "compliant" here means the safeguards below are implemented and backed by a signed BAA, not a third-party certificate.

  • Administrative safeguards: access controls, workforce training, incident response procedures
  • Physical safeguards: Azure data centers with SOC 2 attestation and ISO 27001 certification (the provider's controls cover the infrastructure; application-level safeguards remain CareLX's responsibility)
  • Technical safeguards: encryption, audit logs, automatic session timeout
  • Business Associate Agreements (BAA) provided to all customers

Data Encryption

All sensitive data is encrypted both at rest and in transit using industry-standard, authenticated algorithms.

  • AES-256-GCM (authenticated encryption: tampered ciphertext is rejected rather than decrypted) for SSNs, banking information, and other sensitive fields
  • Sensitive identifiers masked in the interface: only the last 4 digits are ever shown
  • TLS 1.2 or newer for all data in transit
  • Encryption keys managed securely, with rotation policies
  • Database-level encryption at rest on Azure Database for PostgreSQL
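
The bullets above describe a design; the following is an added illustration of how field-level AES-256-GCM, key rotation and last-4 masking fit together. It is not CareLX's code: the key ring, the numeric key ids, the `key_id || nonce || ciphertext` blob layout and the record/field names are assumptions, and it requires the `cryptography` package. Note what the authenticated data buys: a ciphertext lifted from one row or column will not decrypt in another, and a rotation only ever adds a key for new writes while old keys stay decrypt-only until every row has been rewrapped.

```python
# Added illustration of field-level AES-256-GCM with versioned keys and
# last-4 masking. Not CareLX code; key ids, the blob layout and the record
# names are assumptions. Requires the `cryptography` package.
from __future__ import annotations

import os
import struct

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12     # 96-bit nonce, the size GCM is specified for
KEY_ID_LEN = 4     # uint32 key id stored in front of every ciphertext


class FieldCipher:
    """Encrypts individual column values; decrypts under any key still in the ring."""

    def __init__(self, keys: dict[int, bytes], current: int) -> None:
        for kid, key in keys.items():
            if len(key) != 32:
                raise ValueError(f"key {kid} must be 256 bits")
        self._keys = {kid: AESGCM(key) for kid, key in keys.items()}
        self._current = current

    @staticmethod
    def _aad(record_id: str, field: str) -> bytes:
        # Binding row and column into the authenticated data means a blob
        # copied from one record (or column) to another fails to decrypt.
        return f"{record_id}:{field}".encode()

    def encrypt(self, plaintext: str, *, record_id: str, field: str) -> bytes:
        nonce = os.urandom(NONCE_LEN)   # fresh per call; never reused under one key
        ct = self._keys[self._current].encrypt(
            nonce, plaintext.encode(), self._aad(record_id, field))
        # Stored layout: key_id || nonce || ciphertext+tag
        return struct.pack(">I", self._current) + nonce + ct

    def decrypt(self, blob: bytes, *, record_id: str, field: str) -> str:
        kid = self.key_id(blob)
        nonce = blob[KEY_ID_LEN:KEY_ID_LEN + NONCE_LEN]
        ct = blob[KEY_ID_LEN + NONCE_LEN:]
        # Raises InvalidTag if the tag, the AAD or the key does not match.
        return self._keys[kid].decrypt(nonce, ct, self._aad(record_id, field)).decode()

    def verify_binding(self, blob: bytes, *, record_id: str, field: str) -> bool:
        """True if the blob authenticates for this row/column; False if moved or tampered."""
        try:
            self.decrypt(blob, record_id=record_id, field=field)
            return True
        except InvalidTag:
            return False

    @staticmethod
    def key_id(blob: bytes) -> int:
        return struct.unpack(">I", blob[:KEY_ID_LEN])[0]

    def rotate(self, kid: int, key: bytes) -> None:
        """Introduce a new key for all future writes. Old keys stay decrypt-only
        until every stored blob has been rewrapped, then can be retired."""
        if len(key) != 32:
            raise ValueError("key must be 256 bits")
        self._keys[kid] = AESGCM(key)
        self._current = kid

    def rewrap(self, blob: bytes, *, record_id: str, field: str) -> bytes:
        """Re-encrypt an old blob under the current key (the per-row step of a rotation)."""
        plaintext = self.decrypt(blob, record_id=record_id, field=field)
        return self.encrypt(plaintext, record_id=record_id, field=field)


def mask_last4(value: str) -> str:
    """Display form of an identifier: every digit but the last four becomes '*',
    separators are kept, and values with four or fewer digits are fully masked."""
    total = sum(c.isdigit() for c in value)
    reveal_after = total - 4 if total > 4 else total
    out, seen = [], 0
    for c in value:
        if c.isdigit():
            seen += 1
            out.append(c if seen > reveal_after else "*")
        else:
            out.append(c)
    return "".join(out)


if __name__ == "__main__":
    fc = FieldCipher({1: AESGCM.generate_key(bit_length=256)}, current=1)
    blob = fc.encrypt("123-45-6789", record_id="cg-42", field="ssn")
    print(mask_last4(fc.decrypt(blob, record_id="cg-42", field="ssn")))
```

The masking function works on the decrypted value only at render time; the stored form is always the ciphertext, so a database dump or a misrouted API response never carries the full identifier.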

Multi-Tenant Data Isolation

Each agency's data is stored in a completely separate database, not just in separate tables or rows.

  • One database per agency (tenant): isolation at the database boundary rather than by a tenant_id column or a schema
  • No shared tables, so a query issued on one tenant's connection cannot reach another tenant's rows
  • Independent backup and recovery per agency
  • Catalog database for tenant metadata contains zero PHI

Access Controls

Role-based access ensures users only see the data they need for their job function.

  • Role-based access control (admin, scheduler, biller, caregiver, etc.)
  • Permission groups for fine-grained access management
  • PHI access restricted to authorized roles, with every access logged
  • Separate portal authentication for caregivers, clients, and families

Audit Trail

Every data change is recorded in an immutable, append-only audit log — ready for any inspection.

  • Who changed what, when, and from what value to what value
  • Immutable append-only log — entries cannot be modified or deleted
  • PHI access logging (views, not just changes) for HIPAA audit controls and Joint Commission compliance
  • Audit reports exportable for inspections and reviews
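
To make "cannot be modified or deleted" concrete, here is an added example of an append-only audit log enforced by the database engine rather than by application convention, with before/after values and read logging written in the same transaction as the data change. It is not CareLX's code and uses SQLite for portability: the `clients` and `audit_log` tables, the column whitelist and the `role:name` actor format are assumptions.

```python
# Added illustration of an append-only audit log with before/after values,
# enforced by triggers in the database. Not CareLX code; table names, columns
# and the actor format are assumptions. SQLite stands in for PostgreSQL.
from __future__ import annotations

import sqlite3
from datetime import datetime, timezone

# Whitelist of columns that may appear in generated SQL, so a field name
# coming from a request can never be used for identifier injection.
AUDITED_COLUMNS = {"clients": {"phone", "allergies"}}

SCHEMA = """
CREATE TABLE clients (id TEXT PRIMARY KEY, phone TEXT, allergies TEXT);
CREATE TABLE audit_log (
    seq       INTEGER PRIMARY KEY AUTOINCREMENT,
    ts        TEXT NOT NULL,
    actor     TEXT NOT NULL,
    action    TEXT NOT NULL CHECK (action IN ('READ', 'UPDATE')),
    tbl       TEXT NOT NULL,
    row_id    TEXT NOT NULL,
    field     TEXT,
    old_value TEXT,
    new_value TEXT
);
-- Append-only at the engine level: even the application's own connection
-- (or someone holding its credentials) cannot rewrite or erase history.
CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def _check(table: str, fields) -> None:
    if table not in AUDITED_COLUMNS:
        raise ValueError(f"not an audited table: {table}")
    unknown = set(fields) - AUDITED_COLUMNS[table]
    if unknown:
        raise ValueError(f"not an audited column of {table}: {sorted(unknown)}")


def audited_read(conn, actor: str, table: str, row_id: str, fields: list[str]) -> tuple:
    """Return the requested PHI fields and log that this actor viewed them."""
    _check(table, fields)
    with conn:  # the read and its log entries commit together
        row = conn.execute(f"SELECT {', '.join(fields)} FROM {table} WHERE id = ?",
                           (row_id,)).fetchone()
        if row is None:
            raise LookupError(f"{table}/{row_id}")
        ts = _now()
        conn.executemany(
            "INSERT INTO audit_log (ts, actor, action, tbl, row_id, field) "
            "VALUES (?, ?, 'READ', ?, ?, ?)",
            [(ts, actor, table, row_id, f) for f in fields])
    return row


def audited_update(conn, actor: str, table: str, row_id: str, changes: dict) -> None:
    """Apply changes to one row, recording old and new value of each field in the
    same transaction, so a data change without its audit entry cannot happen."""
    _check(table, changes)
    fields = list(changes)
    with conn:
        old = conn.execute(f"SELECT {', '.join(fields)} FROM {table} WHERE id = ?",
                           (row_id,)).fetchone()
        if old is None:
            raise LookupError(f"{table}/{row_id}")
        ts = _now()
        conn.executemany(
            "INSERT INTO audit_log (ts, actor, action, tbl, row_id, field, old_value, new_value) "
            "VALUES (?, ?, 'UPDATE', ?, ?, ?, ?, ?)",
            [(ts, actor, table, row_id, f, o, changes[f]) for f, o in zip(fields, old)])
        assignments = ", ".join(f"{f} = ?" for f in fields)
        conn.execute(f"UPDATE {table} SET {assignments} WHERE id = ?",
                     (*[changes[f] for f in fields], row_id))


def history(conn, table: str, row_id: str) -> list:
    """Everything that happened to one row, oldest first: (actor, action, field, old, new)."""
    return conn.execute(
        "SELECT actor, action, field, old_value, new_value FROM audit_log "
        "WHERE tbl = ? AND row_id = ? ORDER BY seq", (table, row_id)).fetchall()


def tamper_blocked(conn) -> bool:
    """Check the immutability guarantee: both rewriting and erasing must be refused."""
    for stmt in ("DELETE FROM audit_log", "UPDATE audit_log SET actor = 'nobody'"):
        try:
            conn.execute(stmt)
            conn.rollback()
            return False
        except sqlite3.DatabaseError:
            conn.rollback()
    return True
```

In production the same idea is carried one step further: the application's database role is granted INSERT but not UPDATE or DELETE on the audit table, so the triggers are a second line of defence rather than the only one.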

Care Plan Versioning & Clinical Audit

Care plans are never overwritten — every version is preserved so you can always answer what care was directed on any given date.

  • Draft / active / superseded versioning — no plan is ever lost or silently changed
  • Answer "what were the instructions on date X?" for any client, at any point
  • Every credential, authorization, and training record checked on each scheduling decision
  • Built for Joint Commission audits — compliance is ambient, not reconstructed
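
The versioning described above is, in data terms, a write-once table with validity ranges. The following added example (not CareLX's code; the schema, status names and ISO date format are assumptions, and SQLite stands in for PostgreSQL) shows the three pieces that make "what were the instructions on date X?" a single query: plan text that a trigger refuses to edit in place, at most one active version per client, and a new version closing the old one at the same date so the ranges meet without overlapping.

```python
# Added illustration of draft / active / superseded care-plan versioning with
# a point-in-time query. Not CareLX code; the schema, the status names and
# the ISO 'YYYY-MM-DD' date format (chosen so dates compare correctly as
# text) are assumptions.
from __future__ import annotations

import sqlite3

SCHEMA = """
CREATE TABLE care_plan_versions (
    client_id      TEXT    NOT NULL,
    version        INTEGER NOT NULL,
    status         TEXT    NOT NULL CHECK (status IN ('draft', 'active', 'superseded')),
    instructions   TEXT    NOT NULL,
    author         TEXT    NOT NULL,
    effective_from TEXT,            -- set when the version becomes active
    superseded_at  TEXT,            -- set when a later version replaces it
    PRIMARY KEY (client_id, version)
);
-- The plan text is write-once: changing a plan means publishing a new version.
CREATE TRIGGER plan_text_immutable
BEFORE UPDATE OF client_id, version, instructions, author ON care_plan_versions
BEGIN SELECT RAISE(ABORT, 'care plan text is immutable; create a new version'); END;
-- A client has at most one active plan at any moment.
CREATE UNIQUE INDEX one_active_plan ON care_plan_versions (client_id) WHERE status = 'active';
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def draft(conn, client_id: str, instructions: str, author: str) -> int:
    """Create the next version number for this client as an unpublished draft."""
    with conn:
        nxt = conn.execute(
            "SELECT COALESCE(MAX(version), 0) + 1 FROM care_plan_versions WHERE client_id = ?",
            (client_id,)).fetchone()[0]
        conn.execute(
            "INSERT INTO care_plan_versions (client_id, version, status, instructions, author) "
            "VALUES (?, ?, 'draft', ?, ?)", (client_id, nxt, instructions, author))
    return nxt


def activate(conn, client_id: str, version: int, on: str) -> None:
    """Publish a draft as of `on`. The previously active version is closed at the
    same date (never edited), so the two validity ranges meet without overlapping."""
    with conn:  # both updates commit or roll back together
        current = conn.execute(
            "SELECT effective_from FROM care_plan_versions WHERE client_id = ? AND status = 'active'",
            (client_id,)).fetchone()
        if current and current[0] > on:
            raise ValueError("new plan cannot take effect before the current one did")
        conn.execute(
            "UPDATE care_plan_versions SET status = 'superseded', superseded_at = ? "
            "WHERE client_id = ? AND status = 'active'", (on, client_id))
        changed = conn.execute(
            "UPDATE care_plan_versions SET status = 'active', effective_from = ? "
            "WHERE client_id = ? AND version = ? AND status = 'draft'",
            (on, client_id, version)).rowcount
        if changed != 1:
            raise LookupError(f"client {client_id} has no draft version {version}")


def instructions_on(conn, client_id: str, date: str):
    """(version, instructions) in force on `date`, or None if no plan was. Drafts never count."""
    return conn.execute(
        "SELECT version, instructions FROM care_plan_versions "
        "WHERE client_id = ? AND status IN ('active', 'superseded') "
        "  AND effective_from <= ? AND (superseded_at IS NULL OR superseded_at > ?) "
        "ORDER BY version DESC LIMIT 1", (client_id, date, date)).fetchone()


def timeline(conn, client_id: str) -> list:
    """Every version with its status and dates: the full history, nothing dropped."""
    return conn.execute(
        "SELECT version, status, effective_from, superseded_at FROM care_plan_versions "
        "WHERE client_id = ? ORDER BY version", (client_id,)).fetchall()


def text_is_immutable(conn) -> bool:
    """Confirm the trigger refuses in-place edits of plan text."""
    try:
        conn.execute("UPDATE care_plan_versions SET instructions = 'edited'")
        conn.rollback()
        return False
    except sqlite3.DatabaseError:
        conn.rollback()
        return True
```

The half-open range (`effective_from <= date < superseded_at`) is what makes the answer unambiguous on the changeover day itself: the new plan, not the old one, is what was directed on that date.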

Authentication & Identity

Modern authentication with multiple secure options and protection against brute-force attacks.

  • Email/password with bcrypt hashing (salted, with a tunable work factor)
  • OAuth 2.0 / OpenID Connect sign-in with Google and Microsoft
  • Multi-factor authentication (TOTP and email OTP)
  • Account lockout after repeated failed attempts, and a secure password reset flow
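
The TOTP and lockout bullets above are the two pieces a second-factor check has to get right together: tolerate a little clock drift without letting a captured code be replayed, and stop counting attempts once the account is locked. The following added example (not CareLX's code; the one-step drift window, the five-attempt limit and the fifteen-minute lock are assumptions) implements RFC 6238 TOTP with HMAC-SHA1, 30-second steps and 6 digits from the standard library. bcrypt, the page's password hash, is a third-party package and is not shown.

```python
# Added illustration of TOTP verification (RFC 6238, HMAC-SHA1, 30 s steps,
# 6 digits) with clock-drift tolerance, one-use codes and failed-attempt
# lockout. Not CareLX code; window size, attempt limit and lock duration are
# assumptions.
import hashlib
import hmac
import struct

STEP = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, now: int, step: int = STEP, digits: int = DIGITS) -> str:
    """The code an authenticator app shows at Unix time `now`."""
    return hotp(secret, now // step, digits)


class TotpVerifier:
    """Per-user second-factor state. `now` is passed in so the logic is testable."""

    def __init__(self, secret: bytes, window: int = 1,
                 max_failures: int = 5, lock_seconds: int = 900) -> None:
        self.secret = secret
        self.window = window              # accept codes from +/- this many steps (clock drift)
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.failures = 0
        self.locked_until = 0
        self.last_step = -1               # highest step already consumed; blocks replay

    def is_locked(self, now: int) -> bool:
        return now < self.locked_until

    def verify(self, code: str, now: int) -> bool:
        if self.is_locked(now):
            return False                  # no checking at all while locked
        code = code.strip()
        if len(code) == DIGITS and code.isascii() and code.isdigit():
            base = now // STEP
            for delta in range(-self.window, self.window + 1):
                step = base + delta
                if step <= self.last_step:
                    continue              # already used, or older than a used code
                if hmac.compare_digest(hotp(self.secret, step), code):
                    self.last_step = step
                    self.failures = 0
                    return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked_until = now + self.lock_seconds
        return False
```

Two details carry the security weight: `compare_digest` keeps the comparison constant-time, and `last_step` makes every code single-use, which is what turns a shoulder-surfed or phished code into a race the attacker has to win within the same 30-second step.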

Security Heritage

Battle-tested by Wall Street's security teams

CareLX is built by Loffa Interactive Group, which has operated SEC/FINRA-regulated settlement platforms for over 20 years. That security discipline isn't theoretical — Loffa's platforms have been validated by the security teams of the world's largest financial institutions, and the same rigor goes into CareLX.

SOC 2 Type II

Loffa Interactive Group maintains a SOC 2 Type II attestation for its regulated financial platforms, and CareLX runs on Microsoft Azure infrastructure covered by Microsoft's SOC 2 Type II reports. (SOC 2 is an auditor's attestation report rather than a certification, and each report's scope is the platform it names.)

3rd-Party Penetration Testing

Independent penetration testing and security assessments are part of how Loffa has run regulated platforms for two decades — the same discipline now applied to CareLX.

Vetted by Tier-One Security Teams

Loffa's settlement platforms have been security-assessed by the teams at tier-one financial institutions — among the most demanding reviewers in any industry.

SEC/FINRA Heritage

Two decades operating within securities-industry regulatory requirements — one of the strictest compliance environments there is.

Azure Cloud Operations

CareLX runs on Microsoft Azure with automated alerting, encrypted backups, and per-tenant recovery.

Loffa's Wall Street Clients

Loffa's settlement infrastructure is relied on by tier-one financial institutions including JP Morgan, Fidelity, Charles Schwab, Citi, UBS, Barclays, and Deutsche Bank.

The security teams at firms like JP Morgan, Citi, and UBS have vetted Loffa's platforms — that same rigor now goes into protecting your PHI.

Have compliance questions?

Our team can walk you through our security architecture, provide our BAA, and answer any compliance questions your organization has.

Dig deeper: HIPAA compliance · Business Associate Agreement