Trust & Security

How We Protect You

Last Updated: April 20, 2026

Unity CareLink holds information about some of the most vulnerable people in America. Families trust us with the details of their loved one's day. Agencies trust us with records that affect funding, compliance, and care delivery. DSPs trust us with logs that document their work.

We take that trust seriously. This page describes how we protect information, what standards we follow, and what you can expect from us as we build the platform.

We commit to honesty here over marketing. If we don't yet have a certification, we'll say so. If something is on the roadmap rather than in place today, we'll say that too.

  • 🔒 AES-256: Encryption at Rest (all stored data)
  • 🌐 TLS 1.2+: Encryption in Transit (A+ TLS audit score)
  • ⏱️ 4 hrs: Recovery Time Objective (critical services RTO)
  • 💾 15 min: Recovery Point Objective (critical data RPO)
  • 🛡️ 72 hrs: Breach Notification (after confirming breach)
  • 🇺🇸 US-Only: Data Residency (no cross-border transfer)

1. Platform Architecture

Hosting and Infrastructure

Unity CareLink runs on enterprise-grade cloud infrastructure operated by a major U.S. cloud provider with industry-recognized security certifications (SOC 2 Type II, ISO 27001, HIPAA BAA coverage). All production data is stored and processed within U.S.-based data centers. We do not transfer personal information outside the United States.

Tenant Isolation

Data from different agencies and organizations is logically isolated through role-based access controls and tenant-scoped queries. No user from one agency can access another agency's records.

Network Security
  • Web Application Firewall (WAF) in front of all public endpoints
  • DDoS mitigation at the edge
  • Private networking for internal service-to-service traffic
  • No direct database exposure to the public internet
  • Bastion-only access for administrative operations

2. Encryption

In Transit

All data moving between users and Unity CareLink is encrypted using TLS 1.2 or higher. We enforce HTTPS across all endpoints and do not accept unencrypted connections. Certificate management is automated. We follow current TLS configuration best practices and score A+ on independent TLS audits.

At Rest

All stored data is encrypted using AES-256 at the storage layer. This includes:

  • Primary application databases
  • File and media storage (photos, voice notes)
  • Automated backups
  • Audit logs

Encryption keys are managed through a dedicated key management service with rotation policies and strict access controls. Application-layer keys are separate from infrastructure-layer keys.

In Application

Sensitive fields — including any Protected Health Information (PHI) — receive additional application-layer encryption so that even direct database access does not expose this data in plaintext.

3. Access Controls

Role-Based Access (RBAC)

Unity CareLink (UCL) is built around role-based access. Every record in the system has explicit rules about who can view, edit, or delete it. Common roles include:

  • Family member — access to records about their own Supported Individual
  • DSP — access to records relevant to their shifts and assigned individuals
  • Agency coordinator — access to records within their agency's service scope
  • Agency administrator — administrative access to their organization only

Role permissions are enforced at both the application layer and the database query layer to prevent privilege escalation.

User Authentication
  • Passwords must meet modern complexity requirements and are stored using industry-standard password hashing (bcrypt or Argon2id — never plaintext or reversible encryption)
  • Multi-factor authentication (MFA) is available to all users and required for agency administrators
  • Single Sign-On (SSO) via SAML 2.0 is available for agency subscribers on qualifying tiers
  • Session timeouts enforce automatic logout after periods of inactivity
  • Account lockout protections guard against brute-force attacks

Employee Access

Unity CareLink personnel can access production systems only when strictly necessary and only through audited channels:

  • Least-privilege access — employees can access only what their role requires
  • Access review every 90 days
  • Mandatory MFA on all internal accounts
  • All production access is logged and monitored
  • Background checks for personnel with production access
  • Confidentiality agreements and privacy training for all staff

We do not use customer data for development or testing. Development environments use synthetic data only.

4. Monitoring & Incident Response

Logging

We maintain comprehensive audit logs that include authentication events (successful and failed), changes to user roles and permissions, access to sensitive records, administrative actions, and system errors and security events. Logs are retained for a minimum of 12 months and are protected against tampering. Agency administrators can review audit logs for their own organization.

Threat Monitoring
  • Real-time intrusion detection on all production systems
  • Automated alerting on anomalous access patterns
  • Continuous scanning for known vulnerabilities
  • Regular log review by our security team

Incident Response

We maintain a written Incident Response Plan that includes detection, containment, eradication, recovery, and post-incident review phases. In the event of a security incident affecting customer data, we commit to:

  • Notify affected users and agencies within 72 hours of confirming a breach
  • Provide specifics about what information was affected and what actions we have taken
  • Cooperate with regulatory reporting requirements (HIPAA Breach Notification Rule, California data breach laws, etc.)
  • Conduct a root-cause analysis and publish a post-mortem for material incidents

5. Vulnerability Management

Internal Practices
  • All code is peer-reviewed before merging to production
  • Automated dependency scanning on every code change
  • Automated static application security testing (SAST) on every build
  • Regular dynamic application security testing (DAST) on staging and production
  • Patch management for all infrastructure components, with critical patches applied within 7 days

External Testing

We engage independent third parties for annual penetration testing of the web application and mobile apps, annual infrastructure security review, and ad-hoc testing before major releases. Summary letters from these engagements are available to agency subscribers under NDA.

Responsible Disclosure

We welcome reports from security researchers. If you believe you have found a vulnerability in Unity CareLink, please report it to [email protected].

We commit to:

  • Acknowledge your report within 2 business days
  • Keep you informed of remediation progress
  • Not pursue legal action against researchers acting in good faith under our published policy
  • Publicly credit researchers who wish to be credited (with their permission)

Please do not access data that is not your own, disrupt the Service, or publicly disclose vulnerabilities before we have had a reasonable opportunity to remediate.

6. Compliance & Standards

Current Alignment

Unity CareLink is designed to align with:

  • HIPAA — administrative, physical, and technical safeguards under the Privacy and Security Rules
  • HIPAA Breach Notification Rule — incident response and notification
  • CCPA / CPRA — California Consumer Privacy Act and California Privacy Rights Act
  • COPPA — Children's Online Privacy Protection Act
  • WCAG 2.1 Level AA — Web Content Accessibility Guidelines
  • Section 508 of the Rehabilitation Act

A note on certifications: There is no such thing as a "HIPAA-certified" application — HIPAA compliance is a posture, not a government-issued certification. We describe ourselves as HIPAA-aligned, meaning we implement the safeguards HIPAA requires and are prepared to sign Business Associate Agreements with qualifying agency customers.

Planned Certifications
  • SOC 2 Type I — targeted within 12 months of general availability
  • SOC 2 Type II — targeted within 24 months of general availability
  • HITRUST CSF — under evaluation, decision expected post-launch

We will update this page when certifications are achieved. Audit reports will be available to qualifying customers under NDA.

7. Business Associate Agreements

Unity CareLink offers Business Associate Agreements (BAAs) to agency and program customers that qualify as HIPAA Covered Entities or Business Associates. Our standard BAA:

  • Is available at no additional cost on qualifying agency subscription tiers
  • Defines UCL's obligations as a Business Associate under HIPAA
  • Covers permitted uses and disclosures, safeguards, subcontractor flow-down, breach notification, and termination

To request a BAA, contact your account representative or email [email protected].

8. Subprocessors

We use a limited set of vendors to deliver the Service. Each vendor is contractually bound to data protection obligations at least as strict as ours, has been reviewed for security posture before onboarding, and is subject to ongoing review.

Vendor | Purpose | Location | BAA
[Cloud Provider] | Hosting and infrastructure | United States | Yes
[Email Delivery] | Transactional email | United States | Yes
[Analytics] | Product analytics (de-identified) | United States | N/A
[Error Monitoring] | Application error tracking | United States | Yes
[Customer Support] | Support ticketing | United States | Yes

We notify agency customers at least 30 days in advance of material changes to our subprocessor list. A current, live list is maintained at unitycarelink.com/subprocessors.

9. Data Residency, Retention & Portability

Residency

All customer data is stored in the United States. We do not transfer data outside the U.S. for processing or storage.

Retention
  • Active accounts: data is retained as long as the account is active
  • Closed accounts: personal data is deleted within 30 days, except where legal or agency record-retention rules apply
  • Backups: retained for 35 days on a rolling basis; deletions propagate through the backup cycle within that window
  • Audit logs: retained for a minimum of 12 months

Portability

You can export your data from UCL at any time in standard, machine-readable formats. Agency customers can bulk-export records under their administrative control.

Deletion

When you close your account or request deletion, we remove personal data from active systems within 30 days and from backups within 65 days. Some information may be retained where required by law or agency regulatory obligations, and such retained data continues to be protected by the controls on this page.

10. Backup & Disaster Recovery
  • Automated encrypted backups run continuously
  • Point-in-time recovery available for the last 35 days
  • Disaster recovery plan tested at least annually
  • Recovery Time Objective (RTO): 4 hours for critical services
  • Recovery Point Objective (RPO): 15 minutes for critical data
  • Backups are stored in geographically separated U.S. regions

11. Shared Responsibility

Security is a partnership. While Unity CareLink is responsible for the security of the platform, customers are responsible for:

  • Keeping account credentials secure
  • Configuring roles and permissions appropriately for their organization
  • Enforcing MFA for administrative users
  • Reviewing and responding to security alerts
  • Training staff on information handling
  • Promptly offboarding users who no longer need access
  • Reporting suspected security issues to us promptly

We provide tools, documentation, and support to help customers meet these responsibilities.

12. Privacy by Design

Security is not only about protecting data from outsiders — it's also about limiting what is collected in the first place and who can see what inside the system. UCL is built on these principles:

  • Collect the minimum. We ask for the information needed to coordinate care, and no more.
  • Limit internal access. Our staff cannot browse customer data. Access is role-based, logged, and auditable.
  • No data sales, ever. We do not and will not sell personal information.
  • No AI training on your data. We do not use customer care content to train third-party or in-house AI models.
  • No advertising inside the product. There are no third-party trackers serving ads on UCL.
  • Dignity in design. Role-based visibility protects the Supported Individual from information exposure that exceeds the purpose of care coordination.

13. Contact

Purpose | Contact
Security vulnerabilities | [email protected]
Privacy requests | [email protected]
Legal and BAA | [email protected]
General support | [email protected]
Accessibility issues | [email protected]
General inquiries | [email protected]

Unity CareLink LLC • Simi Valley, CA • (805) 638-5959

Changelog
  • April 20, 2026: Initial draft published

This document describes our security practices and commitments. Specific technical implementations evolve over time as the threat landscape and best practices change. Material changes to this page are noted in the changelog. Agency customers receive written notice of changes that materially affect obligations or data handling.
