Trust, Security & Compliance

Healthcare-grade engineering. Plain-English explanations.

Caredenza handles sensitive health information. We treat that responsibility with real engineering and a plain description of what's in place today — no aspirational claims.

How your data is stored

All Caredenza data lives in Amazon Web Services data centers in the United States, on services that are HIPAA-eligible.

  • Encryption at rest (AWS-managed keys for DynamoDB and S3)
  • Encryption in transit (TLS 1.2 or higher) for every request
  • Per-patient access scoping, enforced from the AWS Cognito identity token presented with each request
  • Audit log entries for every read and write to your medication data

What we collect — and what we don't

We collect only what the app needs to do its job: your medications, doses, care team, appointments, and the email address you sign in with.

  • No advertising SDKs, no behavioral-tracking pixels, no session-replay tools
  • No third-party analytics that build a profile of you
  • No selling of data to anyone, ever
  • You can delete your account and your data from inside the app at any time

The full list lives in our Privacy Policy.

Caregiver access — by invite only

Caregivers see your information only because you invited them. They sign in to the Caredenza app with their own credentials and land in a dedicated caregiver view — there are no shared accounts and no shared passwords.

  • Each caregiver has their own login to a read-only caregiver terminal in the Caredenza app
  • From that terminal they can see the patient's medication compliance history, pharmacy refills, care team, and calendar of past and upcoming appointments
  • You can revoke any caregiver's access at any time; the revocation takes effect immediately
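The two access rules described on this page, per-patient scoping from the identity token (under "How your data is stored") and invite-only, read-only caregiver access with immediate revocation (this section), come down to one policy decision made on every request. The following is an added example written for this page; it is not Caredenza's code. It assumes the Cognito token's signature has already been verified upstream (for example by an API gateway authorizer), so the claims passed in are trusted, and it uses an in-memory store, made-up record names and constructed sample data in place of the real DynamoDB tables.

```python
"""Added illustration, not Caredenza's code: decide every read and write from the
verified token's ``sub`` claim, never from a patient id the client merely asserts.

Assumptions (not stated on the page): token verification happens upstream, the
store is an in-memory dict, and the names below are hypothetical.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable


class Action(Enum):
    READ = "read"
    WRITE = "write"


@dataclass
class Invite:
    caregiver_sub: str
    revoked: bool = False


@dataclass
class PatientRecord:
    patient_sub: str                                   # Cognito ``sub`` of the owning patient
    medications: list[str] = field(default_factory=list)
    invites: dict[str, Invite] = field(default_factory=dict)  # keyed by caregiver ``sub``

    def invite(self, caregiver_sub: str) -> None:
        self.invites[caregiver_sub] = Invite(caregiver_sub)

    def revoke(self, caregiver_sub: str) -> None:
        if caregiver_sub in self.invites:
            self.invites[caregiver_sub].revoked = True


def allowed(claims: dict, record: PatientRecord, action: Action) -> bool:
    """Policy decision for one request. ``claims`` is the verified token payload."""
    sub = claims.get("sub")
    if not sub:
        return False
    if sub == record.patient_sub:                      # the patient: full access to their own data
        return True
    invite = record.invites.get(sub)
    if invite is None or invite.revoked:               # never invited, or invite withdrawn
        return False
    return action is Action.READ                       # caregiver: read-only


class MedicationService:
    def __init__(self) -> None:
        self.records: dict[str, PatientRecord] = {}
        self.audit_log: list[dict] = []

    def _load(self, claims: dict, patient_sub: str, action: Action) -> PatientRecord:
        record = self.records.get(patient_sub)
        decision = record is not None and allowed(claims, record, action)
        # Audit every attempt, denied ones included.
        self.audit_log.append({"actor": claims.get("sub"), "patient": patient_sub,
                               "action": action.value, "allowed": decision})
        if not decision:
            # Same error for "no such patient" and "not yours": no existence oracle.
            raise PermissionError("forbidden")
        return record

    def list_medications(self, claims: dict, patient_sub: str) -> list[str]:
        return list(self._load(claims, patient_sub, Action.READ).medications)

    def add_medication(self, claims: dict, patient_sub: str, name: str) -> None:
        self._load(claims, patient_sub, Action.WRITE).medications.append(name)


def attempt(fn: Callable[[], object]) -> str:
    try:
        fn()
        return "allowed"
    except PermissionError:
        return "forbidden"


def scenario() -> dict:
    """Constructed sample data: two patients, one caregiver invited by patient-1."""
    svc = MedicationService()
    svc.records["patient-1"] = PatientRecord("patient-1", ["metformin"])
    svc.records["patient-2"] = PatientRecord("patient-2", ["lisinopril"])
    svc.records["patient-1"].invite("caregiver-9")
    patient, caregiver = {"sub": "patient-1"}, {"sub": "caregiver-9"}

    out = {}
    out["patient_reads_own"] = svc.list_medications(patient, "patient-1")
    out["patient_writes_own"] = attempt(lambda: svc.add_medication(patient, "patient-1", "aspirin"))
    out["patient_reads_other"] = attempt(lambda: svc.list_medications(patient, "patient-2"))
    out["caregiver_reads"] = svc.list_medications(caregiver, "patient-1")
    out["caregiver_writes"] = attempt(lambda: svc.add_medication(caregiver, "patient-1", "x"))
    svc.records["patient-1"].revoke("caregiver-9")
    out["caregiver_after_revoke"] = attempt(lambda: svc.list_medications(caregiver, "patient-1"))
    out["missing_patient"] = attempt(lambda: svc.list_medications(patient, "nobody"))
    out["audit_entries"] = len(svc.audit_log)
    out["denied_entries"] = sum(1 for e in svc.audit_log if not e["allowed"])
    return out


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

Two design points worth noting. The invite is re-checked on every request rather than only when the caregiver signs in, which is what makes revocation take effect immediately instead of at the next token expiry. And the target patient in the request is only a claim; the decision compares it to the identity the token actually carries, which is the check that prevents one signed-in user from reading another patient's records by changing an id.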

How we handle HIPAA

HIPAA applies to "covered entities" (hospitals, clinics, plans) and their "business associates." When you use Caredenza directly as a consumer, neither role applies, and HIPAA does not technically govern that use.

We voluntarily apply protections that line up with HIPAA's Security Rule because it's the right way to handle health information. If a healthcare organization later offers Caredenza to its patients, we will sign a Business Associate Agreement with that organization for that program.

How we build the software

The product is built secure by default. Our founder spent a decade in information security before starting Caredenza; we treat security as how the codebase is wired, not as a phase.

  • Over 1,100 automated tests run against every change to the codebase
  • Infrastructure managed as code; changes are applied only after review
  • Least-privilege IAM permissions, scoped separately for each service
  • Documented change-management process, with every production change traced to a pull request

Working toward SOC 2

We use Vanta to monitor our security controls and to organize the evidence a SOC 2 audit will require. We have not yet completed an audit, and we won't claim a certification we haven't earned. We'll update this page when we do.

Our promise

We don't sell your data. We don't share it without your consent. We don't keep it longer than we need to. And we'll tell you, in plain English, anything you want to know.

Have a security or compliance question?

For vendor-security questionnaires, BAA discussions, or anything we missed, write to us directly.

Email our team