Security & Compliance

Your family's medical records deserve strong protection. Here's exactly how we keep your data secure.

Zero-Knowledge Architecture

We cannot read your medical records. Your encryption key itself never leaves your device; our servers hold only a one-way hash of it, used to check that you are entering the right key. Even if our servers were compromised, the stored data would remain encrypted and unreadable without your key.

AES-256-GCM Encryption

AES-256 in GCM mode, a NIST-standardised authenticated encryption mode: it encrypts each record and also produces an authentication tag that detects any tampering with the stored data. All medical records are encrypted client-side before upload.

12-Word Recovery Phrase

Your "digital safe combination", stored only by you. Uses the BIP39 standard (the same one cryptocurrency wallets use): the 12 words encode 128 bits of randomness plus a checksum, so a mistyped word is caught rather than silently producing the wrong key.

Biometric Unlock

Face ID / Touch ID give quick access on your device; the key itself stays encrypted in the device's secure storage and is only released after a successful biometric check.

Secure by Default

All connections use TLS 1.3. Content Security Policy headers restrict which scripts the app is allowed to load. No third-party tracking scripts.

Auto-Lock

Encryption keys are cleared from memory after 15 minutes of inactivity; you must re-authenticate before records can be opened again.

Offline Access

Records are stored encrypted on your device for offline access and synced securely when your connection is restored.

How Encryption Works

  1. Key Generation (Sign-Up)

     Your device generates a random 12-word recovery phrase using the BIP39 standard. The 12 words encode 128 bits of randomness plus a checksum, which is the effective strength of everything derived from them. The phrase is stretched into a 256-bit encryption key with PBKDF2 key derivation, entirely on your device.

  2. Data Encryption (Upload)

     When you upload a medical record, it is encrypted in your browser with AES-256-GCM. Each file gets a fresh, randomly generated initialization vector (IV); GCM is only secure if an IV is never reused under the same key, so a new one is drawn for every encryption. GCM also produces an authentication tag that lets your device detect any alteration of the stored data. Only the encrypted blob (which carries that tag) and the IV are sent to our servers.

  3. Server Storage

     Our servers (Supabase) store only encrypted data. We also store a one-way hash of your encryption key (NOT the key itself) so we can verify that you are using the correct key. The hash cannot be reversed to obtain the key, and because the key is derived from 128 bits of randomness it cannot practically be brute-forced from the hash either.

  4. Data Decryption (View)

     When you view a record, the encrypted blob is downloaded to your device and your locally stored encryption key decrypts it in your browser. If the blob has been altered in any way, the GCM authentication check fails and the data cannot be decrypted. The decrypted data never touches our servers.

Compliance & Regulations

⚠️ HIPAA Status

CarryForward is NOT a covered entity under HIPAA. We are not:

  • A healthcare provider
  • A health plan
  • A healthcare clearinghouse
  • A business associate of any of the above

As a personal health record (PHR) tool, we are not bound by HIPAA. However, we take security just as seriously and follow industry best practices.

FTC Health Breach Notification Rule

We comply with the FTC's Health Breach Notification Rule, which applies to vendors of personal health records and related entities that handle health information but are not covered by HIPAA.

Our Obligations:

  • Notify affected users within 60 days of discovering a breach
  • Notify the FTC if the breach affects 500 or more users
  • Notify prominent media outlets for large breaches
  • Maintain reasonable security measures (which we exceed)

Infrastructure Security

Supabase (Database & Storage)

  • SOC 2 Type II certified
  • Data centers in US (AWS)
  • Encrypted at rest (AES-256)
  • Encrypted in transit (TLS 1.3)
  • Daily backups (30-day retention)

Vercel (Hosting)

  • SOC 2 Type II certified
  • DDoS protection (Cloudflare)
  • Automatic SSL/TLS certificates
  • Edge caching for performance
  • 99.99% uptime SLA

Stripe (Payment Processing)

  • PCI DSS Level 1 compliant
  • We never see full card numbers
  • Tokenized payment methods
  • 2FA required for refunds
  • Fraud detection built-in

Resend (Email Delivery)

  • No PII stored in emails
  • DMARC, SPF, DKIM configured
  • Email logs retained 30 days
  • Transactional only (no marketing)
  • Unsubscribe on every email

Incident Response Plan

In the unlikely event of a security incident, here's our response protocol:

  1. Immediate Containment (0-4 hours)

     Isolate affected systems, revoke compromised credentials, assess scope of breach.

  2. Investigation (4-24 hours)

     Determine cause, identify affected users, document timeline, engage security experts if needed.

  3. User Notification (Within 60 days)

     Email all affected users with details, recommended actions, and support resources. Notify FTC if required (500+ users).

  4. Remediation & Prevention

     Fix vulnerabilities, implement additional safeguards, conduct security audit, publish transparent post-mortem.

What You Can Do

Best Practices

  • ✅ Write down your recovery phrase on paper (never digital)
  • ✅ Store recovery phrase in a secure location (fireproof safe)
  • ✅ Enable biometric unlock on trusted devices
  • ✅ Use a strong, unique password for your account
  • ✅ Never share your recovery phrase with anyone (including us)
  • ✅ Lock your device when not in use

Security Warnings

  • ❌ Don't store recovery phrase in password managers
  • ❌ Don't email or text your recovery phrase
  • ❌ Don't take screenshots of your recovery phrase
  • ❌ Don't share your account with others
  • ❌ Don't access from public/shared computers
  • ❌ We will NEVER ask for your recovery phrase

Future Security Roadmap

We're continuously improving our security posture. Upcoming enhancements:

  • Q2 2026: SOC 2 Type II audit (full compliance certification)
  • Q3 2026: Bug bounty program launch (responsible disclosure)
  • Q4 2026: Security key support (YubiKey, etc.) for 2FA
  • 2027: Annual third-party penetration testing

Questions About Security?

We're transparent about our security practices. If you have questions or want to report a vulnerability:

Email: support@carryforward.app

For vulnerability reports, please include steps to reproduce. We aim to respond within 48 hours.