myCARI Security Practices
Our Commitment to Security
At myCARI, protecting your health information is our top priority. We employ industry-leading security measures to ensure your data remains private and secure. As a healthcare application handling Protected Health Information (PHI), we implement security controls that meet or exceed HIPAA requirements.
Compliance Framework
| Standard | Status | Description |
|---|---|---|
| HIPAA | Implemented | Security controls aligned with HIPAA requirements; BAA signed with GCP |
| SOC 2 Type II | Via Infrastructure | GCP infrastructure is SOC 2 certified; myCARI follows SOC 2 security principles |
| GDPR | Implemented | Data protection practices aligned with GDPR requirements |
| CCPA | Implemented | California Consumer Privacy Act requirements addressed |
Note: myCARI uses HIPAA-compliant infrastructure (Google Cloud Platform with signed BAA) and implements security controls aligned with these standards. Formal third-party certification audits are planned for future phases.
Technical Security Measures
Encryption
| Layer | Technology | Details |
|---|---|---|
| In Transit | TLS 1.3 | All network communications use the latest TLS encryption |
| At Rest | AES-256 | All stored health data encrypted with industry-standard encryption |
| Key Management | Google Cloud KMS | Automatic key rotation, hardware security modules |
| End-to-End | Curve25519 + AES-256-GCM | Care team messages encrypted on-device before transmission |
End-to-End Messaging Encryption
Care team messages are protected with true end-to-end encryption:
| Component | Implementation |
|---|---|
| Key Exchange | Curve25519 ECDH (Elliptic Curve Diffie-Hellman) |
| Message Encryption | AES-256-GCM authenticated encryption |
| Private Key Storage | iOS Keychain (device-only, protected by Face ID/Touch ID) |
| Public Key Storage | Firebase Firestore (for key exchange between users) |
| Key Generation | Automatic on login, regenerated as needed |
How it works:
- Messages are encrypted on your device before being sent
- Only the sender and intended recipients can decrypt messages
- The server only stores encrypted data - it cannot read your messages
- Conversation previews show “Encrypted message” to protect content
- Each recipient receives a uniquely encrypted copy using their public key
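The scheme listed above, Curve25519 key agreement followed by AES-256-GCM with one encrypted copy per recipient, is shown in the following Go program. It is an added illustration, not myCARI's own code: the app keeps private keys in the iOS Keychain and publishes public keys through Firestore, whereas this example holds both key pairs in memory and passes the recipient's raw public-key bytes directly. The SHA-256 key-derivation step and the use of the recipient's public key as GCM associated data are assumptions of this example, not details the page states.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Identity is one care-team member's Curve25519 (X25519) key pair. In the app
// the private key stays in the device Keychain and only the public key is
// published; in this example both live in memory.
type Identity struct{ priv *ecdh.PrivateKey }

// NewIdentity generates a fresh X25519 key pair for a user.
func NewIdentity() (*Identity, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Identity{priv: priv}, nil
}

// Public returns the raw public key bytes another user would fetch from the key directory.
func (id *Identity) Public() []byte { return id.priv.PublicKey().Bytes() }

// Envelope is the per-recipient ciphertext the server stores; it carries no
// plaintext and no private key.
type Envelope struct {
	SenderPub  []byte // sender's public key, so the recipient can run ECDH
	Nonce      []byte // 96-bit GCM nonce, fresh for every envelope
	Ciphertext []byte // AES-256-GCM output with the 16-byte tag appended
}

// aeadFor runs X25519 ECDH against peer and returns AES-256-GCM keyed from the
// shared secret. Assumption: the key is SHA-256 over a domain label and the
// raw secret; the page does not say which key-derivation step myCARI uses.
func aeadFor(priv *ecdh.PrivateKey, peerBytes []byte) (cipher.AEAD, error) {
	peer, err := ecdh.X25519().NewPublicKey(peerBytes)
	if err != nil {
		return nil, err
	}
	secret, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	h := sha256.New()
	h.Write([]byte("mycari-example-message-key-v1"))
	h.Write(secret)
	block, err := aes.NewCipher(h.Sum(nil)) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt produces one uniquely encrypted copy of plaintext per recipient
// public key, each under a key only that recipient and the sender can derive.
func (id *Identity) Encrypt(plaintext []byte, recipients [][]byte) ([]Envelope, error) {
	out := make([]Envelope, 0, len(recipients))
	for _, pub := range recipients {
		aead, err := aeadFor(id.priv, pub)
		if err != nil {
			return nil, err
		}
		nonce := make([]byte, aead.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		// The recipient's public key is bound in as associated data, so a stored
		// copy cannot be re-addressed to another user without failing the tag.
		ct := aead.Seal(nil, nonce, plaintext, pub)
		out = append(out, Envelope{SenderPub: id.Public(), Nonce: nonce, Ciphertext: ct})
	}
	return out, nil
}

// Decrypt opens an envelope addressed to this identity. A copy meant for
// someone else, or any modified byte, fails GCM authentication.
func (id *Identity) Decrypt(env Envelope) ([]byte, error) {
	aead, err := aeadFor(id.priv, env.SenderPub)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, env.Nonce, env.Ciphertext, id.Public())
	if err != nil {
		return nil, errors.New("envelope not addressed to this recipient or tampered with")
	}
	return pt, nil
}

func main() {
	alice, _ := NewIdentity()
	bob, _ := NewIdentity()
	envs, _ := alice.Encrypt([]byte("BP 128/82 this morning"), [][]byte{bob.Public()}) // constructed sample
	pt, err := bob.Decrypt(envs[0])
	fmt.Printf("bob reads %q (err=%v)\n", pt, err)
}
```

What the server holds is only the `Envelope` values: without a recipient's private key the AES-256-GCM tag cannot be verified, so neither the stored copy nor a copy re-addressed to another member decrypts, which is the property the "server only stores encrypted data" bullet relies on.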
Authentication
| Feature | Implementation |
|---|---|
| Biometric Login | Face ID and Touch ID support (recommended) |
| Password Requirements | Minimum 6 characters with Firebase Auth |
| Social Sign-In | Apple Sign-In, Google Sign-In available |
| Session Management | Token-based sessions with automatic expiration |
| Token Security | JWT tokens with short expiration, secure refresh flow |
| Brute Force Protection | Rate limiting and account protection mechanisms |
Infrastructure Security
| Component | Details |
|---|---|
| Cloud Provider | Google Cloud Platform (HIPAA BAA signed) |
| Data Centers | GCP SOC 2 certified data centers, US-based (multiple regions) |
| Load Balancing | Global HTTPS Load Balancer with SSL/TLS termination |
| Web Application Firewall | Cloud Armor with OWASP rule sets, DDoS protection |
| Network Security | VPC isolation with private networking |
| Database | Cloud SQL with AES-256 encryption, private IP connectivity |
| Secrets Management | Google Secret Manager for all credentials |
| Monitoring | Cloud Logging, Cloud Monitoring, and automated alerting |
Application Security
| Practice | Details |
|---|---|
| Secure Development | Security-first development practices, code reviews |
| Dependency Scanning | Automated vulnerability scanning for all dependencies |
| API Security | Rate limiting, request validation, OAuth 2.0 |
| Input Validation | All user input sanitized and validated |
| Error Handling | Secure error messages that don't expose system details |
Data Isolation and Multi-Tenancy
Per-User Data Isolation
myCARI implements strict data isolation to ensure user data cannot be accessed by other users:
| Feature | Implementation |
|---|---|
| Container Isolation | Each user's health data stored in isolated SwiftData containers |
| Database Separation | User data partitioned with row-level security |
| Care Team Access | Permission-based access with full audit logging |
| Professional Mode | Professional caregivers have separate audit trails |
Care Team Security
When you invite care team members:
- Each member has permission-controlled access
- All access is logged with timestamps
- You can revoke access instantly
- Professional caregivers have enhanced audit logging for HIPAA compliance
Organizational Security
Access Control
| Control | Description |
|---|---|
| Role-Based Access (RBAC) | Staff access limited to job requirements |
| Least Privilege | Minimum necessary access for all staff |
| Background Checks | All employees undergo security screening |
| Access Reviews | Quarterly reviews of all access permissions |
| Separation of Duties | Critical functions require multiple approvals |
Staff Training
| Training | Frequency |
|---|---|
| HIPAA Training | Annual certification for all staff |
| Security Awareness | Quarterly training and updates |
| Phishing Simulation | Monthly exercises to test awareness |
| Incident Response | Annual tabletop exercises |
Vendor Security
All third-party vendors with access to PHI must:
- Sign Business Associate Agreements (BAA)
- Meet our security requirements
- Demonstrate appropriate security controls
- Use HIPAA-compliant infrastructure
Incident Response
Response Capabilities
| Capability | Details |
|---|---|
| 24/7 Monitoring | Automated security event monitoring |
| Incident Response Team | Dedicated security personnel |
| Response Procedures | Documented incident response playbooks |
| Regular Drills | Quarterly incident response exercises |
Breach Notification
In the event of a data breach:
- Affected users notified within 72 hours (per HIPAA requirements)
- HHS Office for Civil Rights notified as required
- Full investigation conducted with detailed reporting
- Remediation measures implemented immediately
Audit Logging
We maintain comprehensive audit logs of all security-relevant activities:
| Event Type | Details Logged |
|---|---|
| Authentication | Login attempts, logouts, password changes |
| Data Access | All access to health information |
| Data Modifications | Changes to health records, medications, vitals |
| Care Team Actions | Member additions, removals, permission changes |
| Administrative Actions | Account changes, settings modifications |
| API Access | All API calls with timestamps and results |
| Messaging | Message sent/received events (metadata only, not content) |
Retention Policy
| Aspect | Implementation |
|---|---|
| Retention Period | 6 years per HIPAA requirements |
| Enforcement | Automated via database retention columns |
| Cleanup | Monthly automated cleanup of expired logs |
| Immutability | Audit logs cannot be modified after creation |
Every audit log entry carries a retention_expires_at timestamp set to 6 years after its creation. Entries are purged automatically once that period has elapsed, so retention stays aligned with HIPAA requirements.
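As an added illustration of the retention column described above (not myCARI's code, which enforces this in Cloud SQL; the AuditEntry type, its field names and the in-memory purge are assumptions here), the following Go program stamps each entry with a retention_expires_at six years after creation, keeps entries immutable by construction, and runs the cleanup only over entries whose period has elapsed.

```go
package main

import (
	"fmt"
	"time"
)

// retentionYears mirrors the 6-year retention period stated on the page.
const retentionYears = 6

// AuditEntry is immutable by construction: the fields are unexported and the
// type exposes no setters, so an entry can be read or purged but never edited.
type AuditEntry struct {
	eventType          string
	detail             string
	createdAt          time.Time
	retentionExpiresAt time.Time // the "retention_expires_at" column
}

// NewAuditEntry stamps retention_expires_at exactly 6 years after creation.
// Note that AddDate normalises a 29 February creation date to 1 March.
func NewAuditEntry(eventType, detail string, createdAt time.Time) AuditEntry {
	c := createdAt.UTC()
	return AuditEntry{eventType: eventType, detail: detail, createdAt: c,
		retentionExpiresAt: c.AddDate(retentionYears, 0, 0)}
}

func (e AuditEntry) EventType() string             { return e.eventType }
func (e AuditEntry) RetentionExpiresAt() time.Time { return e.retentionExpiresAt }

// Expired is true only once the retention instant has passed, so an entry is
// retained for the full period, including the final day.
func (e AuditEntry) Expired(now time.Time) bool { return now.After(e.retentionExpiresAt) }

// Purge is the monthly cleanup: it returns the entries still under retention
// and how many were removed. It never touches entries that have not expired.
func Purge(entries []AuditEntry, now time.Time) (kept []AuditEntry, removed int) {
	for _, e := range entries {
		if e.Expired(now) {
			removed++
			continue
		}
		kept = append(kept, e)
	}
	return kept, removed
}

func main() {
	// Constructed sample entries, not real log data.
	log := []AuditEntry{
		NewAuditEntry("auth.login", "user signed in", time.Date(2019, 3, 1, 9, 0, 0, 0, time.UTC)),
		NewAuditEntry("data.access", "vitals viewed by care-team member", time.Date(2020, 2, 29, 9, 0, 0, 0, time.UTC)),
	}
	now := time.Date(2025, 6, 1, 0, 0, 0, 0, time.UTC)
	kept, removed := Purge(log, now)
	fmt.Printf("%d kept, %d removed as of %s\n", len(kept), removed, now.Format("2006-01-02"))
}
```

The boundary choice matters for a compliance log: an entry is only eligible for removal after its expiry instant, never on it, so a cleanup job that runs on the anniversary still sees the full six years of history.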
Your Role in Security
Best Practices for Users
To help keep your health data secure:
| Practice | Why It Matters |
|---|---|
| Use a strong password | Prevents unauthorized account access |
| Enable Face ID/Touch ID | Adds biometric layer of protection |
| Keep your iPhone updated | Security patches protect against vulnerabilities |
| Keep myCARI updated | App updates include security improvements |
| Don't share your login | Your credentials are for your use only |
| Log out on shared devices | Prevents others from accessing your data |
| Review care team access | Periodically verify who has access to your data |
| Report suspicious activity | Alert us if you notice anything unusual |
Reporting Security Issues
If you discover a security vulnerability:
Email: security@mlpipes.ai
Guidelines:
- Provide detailed information about the vulnerability
- Do not publicly disclose until we've addressed it
- We appreciate responsible disclosure
We do not pursue legal action against security researchers who act in good faith, avoid accessing others' data, report issues responsibly, and give us reasonable time to respond.
Healthcare Provider Security
FHIR/SMART on FHIR Integration
When connecting to healthcare providers:
| Security Measure | Implementation |
|---|---|
| OAuth 2.0 | Industry-standard authorization protocol |
| PKCE | Proof Key for Code Exchange prevents code interception |
| Token Storage | Access tokens stored encrypted on backend |
| Scope Limiting | Only request necessary data permissions |
| Session Management | Automatic token refresh, secure expiration |
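The PKCE row in the table above, as an added Go example that is not myCARI's or any provider's code (the AuthServer type and its in-memory code store are assumptions standing in for the provider's authorization server): the app keeps a random code_verifier on the device and sends only its SHA-256 challenge, so an authorization code that reaches anyone other than the app cannot be redeemed for tokens without the verifier.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

// NewCodeVerifier returns a code_verifier as in RFC 7636 section 4.1: 32
// random bytes, base64url-encoded without padding, which yields 43 characters.
func NewCodeVerifier() (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(raw), nil
}

// CodeChallengeS256 computes BASE64URL(SHA256(ASCII(code_verifier)))
// (RFC 7636 section 4.2). Only the challenge leaves the device.
func CodeChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// AuthServer is a hypothetical stand-in for the provider's authorization
// server; it models only the PKCE checks, not a real EHR endpoint.
type AuthServer struct {
	pending map[string]string // authorization code -> code_challenge seen at /authorize
}

func NewAuthServer() *AuthServer { return &AuthServer{pending: map[string]string{}} }

// Authorize records the challenge and returns a one-time authorization code
// (the value that would travel back through the app's redirect URI).
func (s *AuthServer) Authorize(codeChallenge, method string) (string, error) {
	if method != "S256" {
		return "", errors.New("only the S256 code_challenge_method is accepted")
	}
	code, err := NewCodeVerifier() // an opaque random code; the same generator suffices
	if err != nil {
		return "", err
	}
	s.pending[code] = codeChallenge
	return code, nil
}

// Exchange is the token-endpoint check (RFC 7636 section 4.6). The code is
// consumed on first presentation whether or not the verifier matches, so a
// party holding only the code cannot keep guessing verifiers against it.
func (s *AuthServer) Exchange(code, codeVerifier string) error {
	challenge, ok := s.pending[code]
	if !ok {
		return errors.New("unknown or already redeemed authorization code")
	}
	delete(s.pending, code)
	if n := len(codeVerifier); n < 43 || n > 128 {
		return errors.New("code_verifier length must be 43..128 characters")
	}
	if subtle.ConstantTimeCompare([]byte(CodeChallengeS256(codeVerifier)), []byte(challenge)) != 1 {
		return errors.New("code_verifier does not match the code_challenge")
	}
	return nil
}

func main() {
	server := NewAuthServer()
	verifier, _ := NewCodeVerifier() // stays on the device
	code, _ := server.Authorize(CodeChallengeS256(verifier), "S256")
	fmt.Println("redeem with verifier:", server.Exchange(code, verifier))
	code, _ = server.Authorize(CodeChallengeS256(verifier), "S256")
	fmt.Println("redeem code alone:", server.Exchange(code, "not-the-verifier-not-the-verifier-not-the-verifier"))
}
```

Two details carry the protection: the server accepts only the S256 method (a `plain` challenge would expose the verifier in the authorization request), and it compares hashes in constant time while retiring the code on its first use.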
Epic MyChart Security
- Connections authenticated directly through Epic's secure OAuth flow
- myCARI never sees your Epic login credentials
- You can revoke access anytime through Epic MyChart
- Epic sandbox available for testing (developers only)
Physical Security
Data Center Security
Our cloud infrastructure (Google Cloud Platform) maintains:
- 24/7 physical security with access controls
- Biometric access to data center facilities
- Video surveillance and security personnel
- Environmental controls (fire suppression, climate control)
- Redundant power and networking
Device Security (Your iPhone)
We recommend:
- Enable device passcode (6-digit minimum)
- Use Face ID or Touch ID
- Enable Find My iPhone for remote wipe capability
- Keep iOS updated to latest version
- Don't jailbreak your device
Questions?
- Security Team: security@mlpipes.ai
- Privacy Team: privacy@mlpipes.ai
- General Support: support@mlpipes.ai
Address:
MLPipes LLC
5725 S Valley View Blvd Ste 5 PMB 471045
Las Vegas, Nevada 89118-3122 US