Your Data Security
Is Non-Negotiable
CareVector is designed for healthcare. We treat patient data with the same seriousness your practice does — encrypted, isolated, and never shared.
Encryption
Available
Infrastructure
Data Isolation
How CareVector Handles Your Data
Encrypted in transit and at rest. All data transferred to and from CareVector uses TLS 1.2+. Data stored in our database is encrypted at rest using AES-256.
No PHI stored in demo mode. The interactive revenue scanner you see before signup uses synthetic patient data only. No real patient health information is stored or processed until you're onboarded under a signed BAA.
SOC 2-aligned infrastructure. CareVector runs on Render (web and worker services) and Neon (PostgreSQL) — both enterprise-grade cloud providers with SOC 2 Type II compliance and dedicated security programs.
Minimal access, maximum security. CareVector staff access to patient data is role-restricted, logged, and subject to least-privilege controls. We only process what's needed to identify revenue opportunities.
HIPAA Compliance
CareVector is designed for HIPAA compliance. A Business Associate Agreement (BAA) is available for all paid plans.
BAA included at no extra cost. When you subscribe to any paid CareVector plan, you can request a signed Business Associate Agreement. We execute BAAs promptly — typically within one business day.
Designed for covered entities. CareVector is purpose-built for primary care practices. Our data handling procedures, access controls, and vendor agreements are designed to meet HIPAA's requirements for business associates handling PHI.
Minimum necessary principle. We only request the patient data fields necessary to identify revenue gaps — demographics, insurance, encounter history, and ICD-10 codes. We do not request or store clinical notes, medication lists, or lab results.
Email carevector@polsia.app with subject "BAA Request" and we'll respond within one business day.
What Happens When You Upload Patient Data
Upload via secure channel
You export a CSV from your EHR and send it through our encrypted onboarding channel. The file is transmitted over TLS and immediately written to your practice's isolated database partition.
Encrypted at rest, isolated per practice
Your patient data lives in a logically isolated partition — no cross-practice access is possible. Data is stored encrypted using AES-256. Row-level access controls enforce practice boundaries at the database layer.
Processed for revenue analysis only
CareVector's analysis engine reads your data to identify billing gaps — missed AWVs, CCM/RPM-eligible patients, and HCC opportunities. No data is used for any other purpose.
Never shared or sold
Your patient data is never sold, rented, shared with third parties, or used to train AI models outside your practice's revenue analysis. Period.
Deleted on request
If you cancel your subscription or request data deletion, we permanently delete all patient records from our systems within 30 days and provide written confirmation.
Security FAQ
Where is patient data stored?
Patient data is stored in a Neon PostgreSQL database hosted in the United States (AWS us-east-1). Neon is SOC 2 Type II certified. Data never leaves US data centers. Backups are encrypted and retained for 7 days.
Who at CareVector can access patient data?
Access to patient data is restricted to authorized CareVector personnel only when needed to resolve support issues. All access is logged and auditable. We follow the principle of least privilege — staff see only what's necessary to do their job.
How do you handle a data breach?
In the event of a breach involving PHI, we follow HIPAA's Breach Notification Rule — affected covered entities are notified within 60 days of discovery. We maintain an incident response plan and conduct regular security reviews to minimize breach risk.
Is data transmitted securely from my EHR?
Yes. All data transmission uses TLS 1.2 or higher (HTTPS). We do not accept data over unencrypted channels. Your onboarding specialist will walk you through the secure upload process on your kickoff call.
Can we get a BAA before we subscribe?
Yes — we can provide a BAA for review prior to subscription so your compliance team can review it. Email carevector@polsia.app and we'll send a copy within one business day.
Do you use patient data to train AI models?
No. Your patient data is used exclusively to generate revenue analysis for your practice. It is never used to train machine learning models, improve shared algorithms, or for any purpose outside your account.
What happens to my data if I cancel?
If you cancel your CareVector subscription, you can request full data deletion at any time. We will permanently delete all patient records from our systems within 30 days and send written confirmation. You can also export your data before cancellation.
Ready to get started?
We'll walk you through our security setup on your onboarding call and have your BAA ready to sign on day one.