This page describes the security program WAVE TECHNOLOGIES LLC (the "Company") maintains for the CareWave platform (the "Service"). It is informational and is intended to help Customers evaluate the Service. Specific obligations between the Company and a Customer with respect to security are set forth in the Terms of Service and, where applicable, in the Business Associate Agreement executed between the parties.
1. Our Security Program
The Company operates a defense-in-depth security program designed around the principles of least privilege, segregation of duties, and assume-breach thinking. The program covers administrative controls (policies, training, vendor management), physical controls (inherited from the Company's cloud infrastructure providers), and technical controls (encryption, authentication, monitoring, secure development). The Company is not currently certified under SOC 2, HITRUST, or ISO/IEC 27001; it is working toward independent attestation and identifies this roadmap explicitly in Section 11 below.
2. Encryption
2.1 Encryption in Transit
All connections between End User devices and the Service use Transport Layer Security (TLS) version 1.2 or higher. The Service rejects connections that attempt to negotiate TLS 1.1 or earlier and does not offer cipher suites considered insecure. Connections between internal Service components occur over authenticated, encrypted transport.
2.2 Encryption at Rest
The Service stores production data on managed cloud infrastructure with server-side encryption enabled using AES-256 or equivalent. Encryption keys are managed by the underlying cloud provider's key-management service with regular automatic key rotation.
2.3 Secret Management
Application secrets, API keys, and signing certificates are stored in dedicated secret-management systems with audit logging. Secrets are not stored in source code, build artifacts, or version control.
3. Authentication and Access
- Identity. Each End User authenticates with a unique identity tied to a verified email or phone identifier. Credentials are stored only as salted hashes produced by a modern key-derivation function; plaintext passwords are not retained.
- Bearer Tokens. The Service issues short-lived bearer tokens. Tokens expire automatically and can be revoked centrally.
- Multi-factor Authentication. The Service supports time-based one-time password (TOTP) second factors for elevated accounts.
- Device-side Protections. The CareWave mobile application supports device biometric unlock (Face ID, Touch ID, Android biometric) and a local PIN. Secrets on device are stored in the platform's protected credential storage (iOS Keychain or Android Keystore), which is hardware-backed on devices that provide a secure enclave or trusted execution environment.
- Session Management. Sessions expire after a configurable period of inactivity, after which the End User must re-authenticate.
- Administrative Access. Access by the Company's workforce to production systems is restricted to a small group of named individuals, requires multi-factor authentication, and is logged.
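The credential-storage and bearer-token items above name two techniques without showing them. The following is an added example, not CareWave's code: a per-user salted scrypt hash with constant-time verification, and a short-lived HMAC-signed bearer token that expires automatically and can be revoked centrally by token id. The scrypt parameters, the 15-minute lifetime, the token layout and the in-memory revocation set are assumptions chosen for illustration; a production service would load the signing key from a secret manager as Section 2.3 describes.

```python
"""Added example (not CareWave's code): salted-KDF credential storage and
short-lived, centrally revocable bearer tokens, standard library only."""
import base64
import hashlib
import hmac
import json
import os
import secrets
import time

# Illustrative scrypt cost parameters (assumption, not CareWave's settings):
# N = CPU/memory cost, r = block size, p = parallelism. 128*r*N = 16 MiB here.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

TOKEN_TTL_SECONDS = 900          # 15-minute lifetime (assumption)
SERVER_KEY = secrets.token_bytes(32)  # would come from a secret manager in practice
_revoked = set()                 # central revocation list, keyed by token id (jti)


def hash_password(password, salt=None):
    """Return 'scrypt$N$r$p$salt$hash'; a fresh 16-byte random salt per call."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     base64.b64encode(salt).decode(),
                     base64.b64encode(digest).decode()])


def verify_password(password, stored):
    """Recompute with the stored parameters and compare in constant time."""
    algo, n, r, p, salt_b64, hash_b64 = stored.split("$")
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=base64.b64decode(salt_b64),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest, base64.b64decode(hash_b64))


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, now=None):
    """Mint '<base64url claims>.<base64url HMAC-SHA256>' with iat/exp/jti claims."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "jti": secrets.token_hex(8),
              "iat": int(now), "exp": int(now) + TOKEN_TTL_SECONDS}
    body = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64url(sig)


def verify_token(token, now=None):
    """Return the claims if signature, expiry and revocation checks all pass, else None."""
    now = time.time() if now is None else now
    try:
        body, sig_b64 = token.split(".")
        expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
        # Check the MAC before parsing anything from the untrusted body.
        if not hmac.compare_digest(expected, _unb64url(sig_b64)):
            return None
        claims = json.loads(_unb64url(body))
    except ValueError:  # malformed base64, bad JSON, wrong number of segments
        return None
    if claims["exp"] <= now or claims["jti"] in _revoked:
        return None
    return claims


def revoke_token(token):
    """Central revocation: record the token id so later verification fails."""
    _revoked.add(json.loads(_unb64url(token.split(".")[0]))["jti"])


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print("password ok:", verify_password("correct horse battery staple", stored))
    tok = issue_token("user-123")
    print("fresh token ok:", verify_token(tok) is not None)
    revoke_token(tok)
    print("after revoke:", verify_token(tok))
```

Storing the KDF parameters alongside the hash is what lets the cost be raised later without re-hashing every account at once; the signature is checked before the body is parsed so malformed or tampered tokens never reach the claims logic.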
4. Application Security
- Secure Software Development Lifecycle. All code changes go through peer review before merging. The Company maintains coding standards that address common vulnerability classes, including the OWASP Top 10.
- Dependency Management. Third-party dependencies are tracked, scanned for known vulnerabilities, and updated on a documented cadence.
- Static and Dynamic Analysis. Static analysis runs as part of continuous integration; dynamic and authenticated scans are performed periodically.
- Input Validation and Output Encoding. The Service validates input, uses parameterized queries for all database access, and applies context-appropriate output encoding to prevent SQL injection and cross-site scripting.
- Least Privilege. Service components run with the minimum privileges required to perform their function.
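The "parameterized queries" and "output encoding" items above are concrete controls, so the following added example (not CareWave's code) shows why they matter: a string-concatenated lookup that an injection payload turns into a dump of every row, beside the parameterized form that treats the same payload as an ordinary string, plus HTML-context encoding of a value before it is rendered. The table, the rows, the `patients` schema and the payload are constructed for the example.

```python
"""Added example (not CareWave's code): SQL injection against a concatenated
query versus the parameterized form, and HTML output encoding, on SQLite."""
import html
import sqlite3


def make_db():
    """Constructed sample data: an in-memory table of three patient records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (id INTEGER PRIMARY KEY, mrn TEXT, "
                 "name TEXT, clinician TEXT)")
    conn.executemany(
        "INSERT INTO patients (mrn, name, clinician) VALUES (?, ?, ?)",
        [("MRN-0001", "Alice Example", "dr.lee"),
         ("MRN-0002", "Bob Example", "dr.lee"),
         ("MRN-0003", "Carol Example", "dr.patel")])
    return conn


def lookup_vulnerable(conn, clinician, mrn):
    """Deliberately vulnerable: user input is spliced into the SQL text, so a
    payload such as ' OR '1'='1 rewrites the WHERE clause and returns every row."""
    sql = (f"SELECT name FROM patients WHERE clinician = '{clinician}' "
           f"AND mrn = '{mrn}'")
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, clinician, mrn):
    """Hardened: the SQL text is fixed and the driver binds the values, so the
    same payload is compared as a literal MRN string and matches nothing."""
    sql = "SELECT name FROM patients WHERE clinician = ? AND mrn = ?"
    return [row[0] for row in conn.execute(sql, (clinician, mrn))]


def render_name(name):
    """Output encoding for an HTML text-node context: <, >, &, quotes escaped."""
    return "<td>" + html.escape(name) + "</td>"


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"   # constructed injection payload
    print("vulnerable:    ", lookup_vulnerable(db, "dr.patel", payload))
    print("parameterized: ", lookup_parameterized(db, "dr.patel", payload))
    print(render_name("<img src=x onerror=alert(1)>"))
```

With the payload in place the concatenated query becomes `... clinician = 'dr.patel' AND mrn = '' OR '1'='1'`; since AND binds tighter than OR, the trailing always-true clause returns all three names, while the parameterized lookup returns an empty list. Note that parameter binding protects values only; table and column names still have to come from an allowlist, not from user input.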
5. Infrastructure
The Service is hosted on cloud infrastructure operated by providers that publish SOC 2 reports addressing physical security, environmental controls, and the security of the underlying compute, storage, and networking platform. The Company does not operate its own data centers. Production, staging, and development environments are logically isolated. Build artifacts are immutable and traceable to a specific source-control commit.
6. Monitoring and Logging
- Application Logs. The Service records application events, including authentication attempts, administrative actions, and access to sensitive records.
- Infrastructure Logs. Network, system, and cloud-control-plane events are aggregated centrally.
- Alerting. Defined alerting rules trigger on-call review of anomalous patterns, including unusual authentication failures, privilege escalations, and resource changes.
- Retention. Logs are retained for the period set forth in the Company's record-retention schedule, which is at least sufficient to satisfy the requirements of 45 CFR 164.316(b)(2) for HIPAA-relevant records.
7. Backups and Recovery
The Service maintains automated, encrypted backups of production data. Backups are stored in a region or availability zone separate from the primary write path. The Company has documented recovery procedures and tests them periodically. The Service is designed for recovery of production functionality within hours of a qualifying disruption, although actual recovery time depends on the nature of the event. Specific recovery-time and recovery-point objectives are described in the BAA or upon request under non-disclosure.
8. Mobile Application Security
- The CareWave mobile application pins the Service's TLS certificate chain and rejects connections whose chain does not validate against the pinned values.
- Authentication tokens and PIN hashes are stored in the platform's protected credential storage (iOS Keychain or Android Keystore), hardware-backed where the device supports it, and never in plaintext on disk.
- The application requests runtime permissions (location, camera, microphone, biometrics) only when the corresponding feature is used, and the platform's usage-purpose strings explain why each permission is requested.
- PHI is not cached unencrypted on device. Local persistence is limited to non-PHI configuration and to encrypted artifacts required for offline operation.
9. Vulnerability Management
- Patching. Critical security patches are applied within a documented timeframe, with severity-based escalation.
- Responsible Disclosure. Security researchers may report vulnerabilities to hello@carewave.us. The Company commits to acknowledging reports within five (5) business days and to providing a status update within fifteen (15) business days. The Company does not currently operate a public bug-bounty program but appreciates and investigates good-faith reports.
- Penetration Testing. The Company will engage an independent third party to conduct periodic penetration tests of the Service (see Section 11). Once a test is completed, summary results will be made available to Customers upon request under non-disclosure.
10. Incident Response
The Company maintains a written incident-response plan that addresses preparation, detection and analysis, containment, eradication, recovery, and post-incident review. Suspected incidents are triaged by on-call staff within twenty-four (24) hours of detection. Where an incident affects PHI, the Company will notify the affected Customer in accordance with 45 CFR 164.410 and the executed BAA. Where an incident affects personal information regulated by state privacy law, the Company will cooperate with Customer's notification obligations.
11. Security Roadmap
The following items represent the Company's forward-looking commitments, not current attestations:
- completing a SOC 2 Type II examination by an independent CPA firm;
- engaging an independent third party to conduct an annual penetration test;
- evaluating HITRUST CSF certification as Customer demand and regulatory requirements warrant;
- publishing summary reports under non-disclosure to qualified Customers;
- expanding the responsible-disclosure program with a formal safe-harbor policy.
12. Subprocessors
The Service relies on third-party Subprocessors for cloud infrastructure, transactional email delivery, push notifications, and observability. The Company maintains a list of Subprocessors that handle Customer data, conducts risk-based diligence prior to engagement, and contractually flows down obligations consistent with the BAA where the Subprocessor accesses PHI. The current Subprocessor list is available on request and subject to non-disclosure.
Contact Us
For security questions, to report a vulnerability, or to request an enterprise security questionnaire response (SIG, CAIQ, or equivalent), contact us by email at hello@carewave.us.