Security & Compliance - HIPAA-Ready, Working Toward SOC 2

HIPAA-Ready

Built with the security features required to protect resident health information

Working Toward SOC 2

Target: SOC 2 Type I audit Q2 2025, Type II certification Q3 2026

Bank-Level Encryption

Your data is encrypted the same way banks protect financial information

How We Keep Your Data Safe

Security explained in plain English

🔐 Your Data is Locked Away

Think of Kura Center like a building with separate locked filing cabinets for each facility. Your facility's cabinet has its own unique key. Even if someone broke into the building, they couldn't open your cabinet without your specific key. That's how we keep your data completely separate from other facilities.

📝 Every Action is Recorded

Imagine a security camera that records everything, but the recordings are locked in a safe that can't be opened or erased. That's our audit trail. Every time someone views a resident's record, documents a service, or makes a change, it's permanently recorded with the date, time, and who did it. Perfect for inspections.

🔒 Everything is Encrypted

Encryption is like putting your data in a safe. Even if someone stole your computer or intercepted your internet connection, all they'd see is scrambled gibberish. We use the same encryption that banks use to protect financial information.

👥 Staff Only See What They Need

Not everyone needs access to everything. Administrators see everything, managers see schedules and reports, and staff see their own schedules and the residents they work with. Just like you wouldn't give every employee the keys to every room in your facility.

What This Means For You

✓ Pass Inspections with Confidence

When licensing or DDS shows up, you can pull complete, unalterable records in minutes. No scrambling for paper files.

✓ Protect Resident Privacy

Residents and families can trust that their information is secure and only seen by authorized staff.

✓ Avoid Data Breaches

Your data is more secure in Kura Center than in filing cabinets or spreadsheets on staff computers.

✓ Meet QIP Requirements

Complete audit trails and EVV compliance built-in—exactly what DDS requires for QIP.

✓ Sleep Better at Night

Know that your facility's data is protected by the same security standards used by hospitals and banks.

✓ Simple for Staff

All this security happens automatically. Staff just do their jobs—the system handles the security.

Common Questions

What if my computer gets stolen?

Your data is safe. It's stored in secure data centers, not on your computer. You can log in from any device and your data is still there. Just change your password and the thief can't access anything.

What if Kura Center gets hacked?

We have multiple layers of protection. Even if someone broke through one layer, your facility's data is isolated and encrypted. They'd need your specific encryption keys to read anything—and those are stored separately and securely.

Can staff delete records to hide mistakes?

No. Records are permanent and cannot be deleted or altered. If someone makes a correction, both the original and the correction are saved with timestamps. This protects you during inspections.

What if I want to stop using Kura Center?

You own your data. You can export everything at any time in standard formats. No vendor lock-in, no hassles.

Security Architecture

Technical implementation details

Multi-Tenant Data Isolation

Implementation: PostgreSQL Row Level Security (RLS)

RLS policies enforced on 40+ tables ensure complete data isolation between facilities. Every query automatically includes facility_id filtering at the database level.

CREATE POLICY facility_isolation ON residents
  USING (facility_id = current_setting('app.current_facility_id')::uuid);

CREATE POLICY facility_isolation ON medications
  USING (facility_id = current_setting('app.current_facility_id')::uuid);

Even with SQL injection or application-level vulnerabilities, cross-facility data access is prevented at the database layer.

Encryption

At Rest: AES-256-GCM

AWS RDS encryption enabled on all database instances
EBS volumes encrypted with AWS KMS
S3 buckets encrypted with SSE-KMS
Backup snapshots encrypted

In Transit: TLS 1.3

HTTPS enforced for all connections
HSTS enabled with 1-year max-age
Certificate pinning for mobile applications
Database connections use SSL/TLS

Immutable Audit Trails

Implementation: Append-only audit log table

CREATE TABLE audit_logs (
  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
  facility_id UUID NOT NULL,
  user_id UUID NOT NULL,
  action TEXT NOT NULL,
  resource_type TEXT NOT NULL,
  resource_id UUID,
  changes JSONB,
  ip_address INET,
  user_agent TEXT,
  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);

-- Prevent updates and deletes
REVOKE UPDATE, DELETE ON audit_logs FROM app_user;

Every CREATE, READ, UPDATE, DELETE operation logged. Logs retained for 7 years per California Title 22 requirements.

HIPAA Readiness

Current Status: HIPAA-Ready Architecture

Kura Center is built with HIPAA-ready infrastructure and implements technical safeguards required by HIPAA Security Rule.

§164.312(a)(1) - Access Control

Unique user identification (UUID-based user accounts)
Emergency access procedures (admin override with audit trail)
Automatic logoff (30-minute session timeout)
Encryption and decryption (AES-256-GCM)

§164.312(b) - Audit Controls

Immutable audit logs for all PHI access
Timestamp, user ID, action, resource logged
7-year retention period

§164.312(e)(1) - Transmission Security

TLS 1.3 for all data transmission
HSTS enforcement

AWS BAA: Signed Business Associate Agreement with Amazon Web Services covering RDS, S3, and ECS.

Note: While our infrastructure is HIPAA-ready, full HIPAA compliance requires organizational policies and procedures. If you require a Business Associate Agreement (BAA) with Kura Center, please contact us.

SOC 2 Compliance Journey

Our Roadmap to SOC 2 Certification

✅ Phase 0: Foundations (Complete)

PostgreSQL RLS on 40+ tables
AES-256-GCM encryption at rest
TLS 1.3 in transit
Immutable audit logging
AWS infrastructure with BAA

🔄 Phase 1: Policies & Procedures (In Progress)

Information Security Policy
Incident Response Plan
Risk Assessment Framework
Vendor Management Policy
Business Continuity Plan

Target: Q1 2025

📅 Phase 2: SOC 2 Type I Audit

Engage third-party auditor
Point-in-time assessment of controls
Remediate any gaps identified
Receive SOC 2 Type I report

Target: Q2 2025

📅 Phase 3: SOC 2 Type II Certification

6-month observation period
Demonstrate operating effectiveness
Third-party audit of controls over time
Achieve SOC 2 Type II certification

Target: Q3 2026

Why We're Transparent: We believe in honest communication about our security posture. Rather than claiming certifications we don't yet have, we're showing you exactly where we are and where we're going.

Infrastructure & Operations

Cloud Infrastructure

Hosting: AWS (Amazon Web Services)
Region: us-west-2 (Oregon) - HIPAA-eligible region
Database: Amazon RDS PostgreSQL 15 with Multi-AZ
Compute: Amazon ECS Fargate (serverless containers)
Storage: Amazon S3 with versioning and encryption
CDN: CloudFront with AWS WAF

Availability & Disaster Recovery

Target Uptime: 99.9% (8.76 hours downtime/year)
RTO: 4 hours (Recovery Time Objective)
RPO: 5 minutes (Recovery Point Objective)
Backups: Automated daily snapshots, retained 30 days
Replication: Multi-AZ database with automatic failover

Access Control

RBAC: Role-based access control with granular permissions
MFA: Multi-factor authentication available (SMS, TOTP)
Session Management: 30-minute timeout, secure JWT tokens
Password Policy: Minimum 12 characters, complexity requirements
Admin Access: All admin actions logged in audit trail

🔒 Your Data is Safe