Security & Compliance

🔐 Data Protection & GDPR Compliance

We treat resident data with the highest level of care, implementing comprehensive controls that exceed GDPR requirements and protect your care home from data breaches.

🇬🇧 UK Data Residency

Your data never leaves the UK. All servers are located exclusively in DigitalOcean's London data center, ensuring compliance with UK data protection laws and NHS data residency requirements.

Primary hosting: DigitalOcean London (UK)
Database backups: UK-only locations
No international data transfers
Full UK legal jurisdiction

🔒 Encryption Everywhere

All data is encrypted both in transit and at rest using industry-standard encryption protocols. Even if infrastructure is compromised, your data remains unreadable.

TLS 1.3 encryption for all connections
AES-256 encryption for data at rest
Encrypted database backups
Encrypted voice recording storage

👥 Multi-Tenancy Security

Complete data isolation between care homes. Your data is separated at the database level with automated daily integrity checks to ensure zero data leakage.

Row-level security enforcement
Automated multi-tenancy integrity checks
No cross-care-home data access
Complete audit trails per organization

⚖️ GDPR Rights Management

Full support for data subject rights including access requests, rectification, erasure, and portability. We help you comply with GDPR obligations effortlessly.

Right to access (data export in 48 hours)
Right to rectification (immediate updates)
Right to erasure (complete deletion)
Right to portability (CSV/JSON export)

🔍 Data Processing Agreement (DPA)

As a data processor, Karevox provides a comprehensive Data Processing Agreement that meets Article 28 GDPR requirements. We maintain detailed records of processing activities and conduct regular compliance audits.

⚡ Enterprise Infrastructure & Availability

Built on DigitalOcean's enterprise-grade infrastructure with comprehensive monitoring, automated health checks, and guaranteed uptime SLAs.

99.9%

Uptime SLA

24/7

System Monitoring

<100ms

UK Response Time

Daily

Automated Backups

🏗️ DigitalOcean Infrastructure

Hosted on DigitalOcean's SOC 2 Type II certified infrastructure with physical security, redundant power, and network connectivity.

SOC 2 Type II certified data centers
ISO 27001 certified operations
Redundant network connectivity
Physical security and access controls

📊 Automated Health Monitoring

Daily automated health checks test every critical system component. Issues are detected and resolved proactively before they affect you.

Database connectivity verification
Multi-tenancy integrity checks
Authentication system testing
Data isolation verification

🔄 Disaster Recovery

Comprehensive backup strategy with multiple recovery points and tested restoration procedures. Your data is safe even in worst-case scenarios.

Daily automated database backups
30-day backup retention
Off-site backup storage (UK only)
Tested recovery procedures (quarterly)

⚡ Performance & Scalability

Architecture designed to scale with your needs. From single care home to multi-site operators, performance remains consistent.

PostgreSQL 16 for enterprise performance
Optimized database queries
CDN for fast asset delivery
Auto-scaling capability

🏛️ Secure-by-Design Architecture

Every layer of our platform is designed with security first. From network access to application logic to data storage—security is built in, not bolted on.

Security Layers (Defense in Depth)

1. Network Security Layer

Firewall rules restrict access to HTTPS (443) and SSH (22 from authorized IPs only). All other ports blocked. DDoS protection via Cloudflare proxy (optional).

2. Transport Security Layer

SSL/TLS certificates from Let's Encrypt with automatic renewal. TLS 1.3 enforced. HTTP Strict Transport Security (HSTS) prevents downgrade attacks.

3. Application Security Layer

Flask application with secure session management, CSRF protection, XSS prevention, SQL injection protection via parameterized queries. Rate limiting on API endpoints.

4. Authentication & Authorization

Bcrypt password hashing (12 rounds). Role-based access control (RBAC). Session tokens with 24-hour expiry. Multi-factor authentication available (Premium).

5. Data Access Layer

Row-level security enforced in PostgreSQL. Every query filtered by care_home_id. Prepared statements prevent SQL injection. Database connection encryption.

6. Data Storage Layer

AES-256 encryption at rest. Encrypted disk volumes. Encrypted backups. Secure deletion procedures for erasure requests (GDPR compliance).

7. Audit & Monitoring Layer

Complete audit trails with timestamps. All data access logged. Automated anomaly detection. Daily security scans. Quarterly penetration testing.

📋 Complete Documentation Audit Trail

Every care note has a complete audit trail from submission to final approval. While original voice recordings are not currently preserved (planned for future release), we maintain comprehensive logs of all processing steps including transcription, translation, AI generation, quality scoring, and manager approvals—all timestamped and attributed.

✅ CQC Compliance & Audit Support

Karevox is designed to help you meet CQC requirements and provide inspectors with the evidence they need—quickly and confidently.

CQC Requirement	How Karevox Helps	Status
Complete Care Records	AI validates every note against resident-specific requirements	✓ Compliant
Audit Trails	Complete chain of custody from voice recording to approved note	✓ Compliant
Data Protection	UK data residency, encryption, GDPR compliance, secure access	✓ Compliant
Staff Competency	Quality scoring, training feedback, performance analytics	✓ Compliant
Evidence-Based Care	Structured documentation mapped to CQC quality statements	✓ Compliant
Inspection Readiness	CQC evidence reports generated on-demand, exportable PDFs	✓ Compliant

📋 CQC Inspection Support

When CQC arrives, you're ready:

Generate compliance reports in seconds (not hours)
Export evidence organized by quality statements
Show complete audit trails for any resident
Demonstrate systematic quality improvement over time
Prove staff competency through performance data

🔑 Access Controls & User Management

Granular control over who can access what. Every user has only the permissions they need—nothing more.

👤 Role-Based Access Control

Three distinct user roles with carefully defined permissions. No user can access data outside their role or care home.

Care Workers: Record notes, view own submissions
Managers: Approve notes, view team performance, configure settings
Family Portal: View linked resident only, read-only access

🔐 Authentication Security

Industry-standard authentication with optional multi-factor authentication for additional security on manager accounts.

Bcrypt password hashing (12 rounds)
Password strength enforcement
Multi-factor authentication (MFA) available
Automatic session timeout (24 hours)

📝 Complete Activity Logs

Every action is logged with user ID, timestamp, and IP address. Full accountability for all system activities.

Login/logout events tracked
Note creation, editing, approval logged
Settings changes recorded
Family portal access logged

⚠️ Anomaly Detection

Automated monitoring for unusual access patterns. Suspicious activity triggers alerts to care home managers.

Multiple failed login attempts
Access from unusual locations
Bulk data export attempts
Off-hours administrative changes

🛡️ Business Continuity & Disaster Recovery

Your care home depends on reliable systems. We ensure Karevox is always available when you need it, with comprehensive disaster recovery procedures.

💾 Backup Strategy

Multiple backup copies in geographically separated locations (UK only). Regular testing ensures backups are restorable when needed.

Automated daily backups (3 AM UK time)
30-day rolling retention period
Critical data backed up to separate UK region
Quarterly restoration testing

⚡ Service Level Agreement

We commit to 99.9% uptime with defined response times for incidents. Transparent status page shows real-time system health.

99.9% monthly uptime guarantee
Priority: Critical incidents <1 hour response
Priority: Major incidents <4 hour response
Public status page for transparency

🔧 Incident Response

Documented incident response procedures with defined escalation paths. Every incident reviewed to prevent recurrence.

24/7 automated monitoring and alerting
Defined escalation procedures
Post-incident reviews (root cause analysis)
Customer notification within 1 hour of major incidents

📊 Transparency & Reporting

Regular security and availability reports. You always know the health of your critical care documentation system.

Monthly uptime reports
Quarterly security assessment summaries
Immediate incident notifications
Annual third-party security audit reports