CareAR Takes Security and Privacy Seriously
At CareAR, we understand that your success is our success. Success is built on trust, that's why it's so important for us to be transparent about our commitment to personal data protection and privacy.
SOC 2 Type II
The SOC 2 Type II report is an independent auditor’s attestation of the security controls that CareAR has had in place during the report’s coverage period. Customers and prospects can review this report to confirm that the audit found no exceptions to the policies and procedures set out in our policy documentation.
CareAR Commitment to Privacy and Data Protection in Delivery of Services in the EU, Switzerland and the UK
General Data Protection Regulation
The European Union’s General Data Protection Regulation (GDPR) became effective on May 25, 2018. This regulation is the EU’s attempt to provide better protection of personal data and privacy protection for EU citizens and to allow them greater control over their personal data.
CareAR was founded after the GDPR went into effect which gave us the advantage of designing a service with privacy protections included from the beginning. The protection of personal data is fundamental to the trust CareAR users expect when choosing our service. This publication contains highlights of our commitment to privacy and data protection. Our formal description is available on our website here: https://carear.com/privacy-policy/
What We Collect
We collect and process the following information, which includes personal data, because it is needed to use our service and the mobile app that enables it:
- Contact Information
  - Name, email address(es), phone number(s) (at user’s discretion)
- Device Data Collected During App Use
  - For example, network connection details, including the device model identifier, operating system identification, network signaling, IP address, date and time of use of the service, the performance of the service, which features are used in the app, and GPS coordinates (at user’s discretion)
- Access Required for App to Function
  - Access to the user’s mobile device notifications, camera and microphone (we collect information regarding usage of these features)
- Voice and Video
  - When a user enters a service call with another user, they are transmitting voice and video via the Internet. We do not view or listen to the content of calls, and we do not store audio or video once these have been delivered to their destination.
  - Photos taken by the user with the app during the call.
Where Is Personal Data Sent And How Is It Protected?
In CareAR Assist version 21.04 and later, the administrative portal allows you to configure the regions in which media (video and audio) can be transmitted, as follows:
- North America
For example, if you would like to restrict the video and audio to stay within Europe, this setting enables you to geo-fence the audio and video to be transmitted within Europe only.
We apply appropriate physical, technical, administrative and organizational measures to our processing of personal data that is commensurate with the sensitivity and risk associated with the types of personal data involved. Personal data is encrypted while at rest. Our database servers, to which personal data is securely transferred, are currently hosted by Google Cloud Platform (GCP) in the U.S. GCP’s cloud platform security is described here: https://cloud.google.com/security
Data sovereignty deals with the physical storage of user and usage data within the confines of a physical geographic area.
CareAR Assist 22.02.002 provides architectural support for data sovereignty. More specifically, the region in which the customer’s data containing Personally Identifiable Information (PII), excluding the user’s email address, is permanently stored (covering both user records and usage information) may be designated as one of the following:
- United States
- Germany & Belgium
User Mapping and Authentication
With our support for data sovereignty, as part of the user’s initial login sequence we query our location database to determine which region the user is assigned to. The location database entry consists of 1) the user’s email address and 2) the region to which the user’s tenant is bound. If no region is specified, the default location is the US.
Once the region for the tenant is determined, all subsequent interactions by the user (while logged in) are directed to the service logic executing in that region. Today, user authentication is performed by a global authentication service.
Customers requesting their tenant be implemented in Canada or Germany will need to contact the CareAR Technical Support operations team for assistance. For more information, see Assist 22.02.002 release notes.
Other Things We Do – Compliance, Policy and Process
From the beginning, CareAR worked diligently to meet both the spirit and requirements of GDPR. Here are several additional highlights of what we do to comply.
On the privacy page on our website (link above), CareAR sets forth the process for data subjects to exercise their rights and provides a link to communicate with us on privacy-related topics such as when data subjects want to request a copy of their personal data, request deletion or restrict processing of it, or if they wish to withdraw their consent to use of their personal data. As the law requires, before we process any data subject requests, the data subject must reasonably authenticate themselves and provide assurances that the personal data belongs to them. To the extent required by our customer contracts, where we are able to associate a data subject with a specific customer, we consult with the customer to confirm that we may comply with the data subject’s request.
Also, a list of our subprocessors is publicly available at http://carear.com/gdpr-subprocessors and we have contractual arrangements with each that satisfy GDPR requirements. This list is evergreen and will be promptly updated as we bring new subprocessors into our production environment.
Finally, as part of Xerox, we have the benefit of consultation with Xerox’s global Chief Privacy Officer and information security team. This bolsters our commitment to data protection and privacy and ensures that we have internal policies, processes and protections in place for the personal data we handle. In addition, our employees are all required to take annual information security and privacy training to ensure that they understand how to handle and protect personal data. We also have well-documented methods for our employees to report potential security incidents as well as an anonymous whistleblower hotline to report abuses without the fear of retribution.
Our Ongoing Commitment To Privacy And Data Protection
At CareAR, we believe that this process does not end with GDPR regulations. We are committed to continually improving the protection of the personal data we collect and process.
Privacy Team Contact Information:
Data Privacy Team
201 Merritt 7
Norwalk, CT 06851-1056
Attn: Compliance Department – Privacy
We think you will find these resources helpful
- Security and Privacy Measures
- Sub-Processor Lists
- CareAR Data Processing Addendum
- Security and Privacy FAQ
- Network Firewall Settings
- Personally Identifiable Information (PII) White Paper
- CareAR and HIPAA
- Stay Informed - sign up to the CareAR information security & critical update notifications
- Reporting a Security Issue
Our Customer Care department is always happy to help! Contact us by emailing firstname.lastname@example.org