Security First

Your data is our responsibility.

CarePlug Pay handles sensitive financial and medical data. We take that seriously. Here's exactly how we protect it.

Encryption at Every Layer

  • AES-256-GCM encryption for all PII (SSN, Tax ID, bank details)
  • TLS 1.3 for all data in transit
  • Supabase database encryption at rest (AES-256)
  • Sensitive fields stored in an isolated table with field-level encryption
  • Encryption keys rotated and managed via environment variables

Data Isolation & Access Control

  • Sensitive data (SSN, bank info) stored in a separate encrypted table — never in the main application record
  • Row-Level Security (RLS) on all database tables
  • Service role keys never exposed to browser — server-side only
  • Sensitive fields stripped from localStorage (SSN, routing, account numbers)
  • API endpoints validate and sanitize all input

Audit Logging

  • Every application submission logged with IP address and timestamp
  • Sensitive data access tracked and logged
  • Admin actions (view, approve, reject) recorded
  • Immutable audit trail for compliance reviews

Payment Security

  • HMAC-SHA256 webhook signature verification on all payment events
  • Bank verification via Plaid — credentials never touch our servers
  • Payment processing via PCI-compliant partners
  • Rate limiting on all form submission endpoints

Authentication & Authorization

  • Magic link authentication (no passwords stored)
  • API key verification on cross-service calls
  • Role-based access control (admin, staff, provider, patient)
  • Session-based middleware protecting all sensitive routes

Infrastructure

  • Hosted on Vercel — SOC 2 Type 2 certified infrastructure
  • Database on Supabase — SOC 2 Type 2, HIPAA eligible
  • Automatic HTTPS with HSTS
  • Edge network with DDoS protection
  • Automated deployments with zero downtime

Compliance Framework

  • HIPAA-conscious design for healthcare data handling
  • PCI DSS awareness — sensitive card data never stored
  • CCPA/GDPR-ready data handling practices
  • Data retention policies enforced
  • Right to deletion supported

Incident Response

  • Input validation and sanitization on all endpoints
  • HTML injection and XSS prevention
  • Rate limiting and abuse detection
  • Error responses never expose stack traces or internal details
  • Automated monitoring and alerting

Questions about our security practices?

security@careplugpay.com