Security at Carepon

This page is maintained by Carepon to explain the security controls in place today. It is not an independent audit or certification.

Data in transit and at rest

  • All traffic to carepon.com is served over HTTPS (TLS) with HSTS enforced.
  • Application data is stored on managed Postgres with encryption at rest.
  • Backups are managed by our infrastructure provider with industry-standard retention.

Access control

  • Row Level Security is enabled on customer-data tables — users can only read and write their own records.
  • Privileged operations run server-side and require an authenticated session.
  • Internal access to production data is restricted to named team members on a least-privilege basis.

Authentication

  • Email + password sign-in with a "show password" toggle and password reset flow.
  • Google sign-in for one-click authentication.
  • Optional Have I Been Pwned password check to block known-compromised passwords.
  • Session tokens are stored using the browser's standard secure storage and refreshed automatically.

Payments

Card payments are processed by Stripe, a PCI-DSS Level 1 certified payment provider. Carepon never sees or stores full card numbers or CVCs. We only retain the minimum metadata needed for receipts, refunds, and reconciliation.

Email

Transactional email is sent from notify.carepon.com with SPF, DKIM and DMARC configured so recipients can verify messages genuinely come from Carepon. We never ask for your password by email.

Application security

  • Strict HTTP security headers including Content Security Policy, X-Content-Type-Options, Referrer-Policy and Permissions-Policy.
  • Server functions validate every input with schema-based validation.
  • Webhooks from payment providers are verified using signed request signatures.
  • Dependencies are tracked and updated regularly.

Responsible disclosure

If you believe you have found a security vulnerability in Carepon, please report it to security@carepon.com before sharing it publicly. We will acknowledge your report and work with you on a fix.

Machine-readable contact details are also published at /.well-known/security.txt.

What this page is not

Carepon does not currently hold SOC 2, ISO 27001, HIPAA or PCI certifications in its own name. Where we rely on certified providers (e.g. Stripe for payments) we say so explicitly. This page describes the controls we operate today and will be updated as they evolve.

Contact

Security: security@carepon.com
Privacy: privacy@carepon.com