How CareNote Handles Data, Privacy, and Security
At CareNote, we understand the trust our users place in us to protect sensitive data and maintain the privacy of their congregants. We take this responsibility seriously, implementing robust security measures to ensure that your data is safe, secure, and handled with care.
In this post, we’ll cover:
- Data Handling: How data is stored and accessed securely within CareNote.
- Privacy Practices: Our compliance with privacy regulations like PIPEDA and GDPR.
- Security Measures: The safeguards in place to protect your data from unauthorized access.
- Third-Party Services: How CareNote integrates with trusted services like Twilio, Stripe, and Planning Center Online, ensuring data is anonymized and securely transmitted.
- PCI Compliance: How CareNote and Stripe meet the highest standards for protecting cardholder data, including PCI DSS Level 1 certification.
- CareNote’s Security Culture: A personal commitment to safeguarding your data, treating it with the same care as my own.
- Continuous Improvement: Our dedication to refining CareNote’s practices through your valuable feedback.
Data Handling
CareNote employs industry-standard practices to securely store and manage data:
- Encrypted Storage: All data is encrypted at rest using full-disk encryption on our hosting servers. This ensures that even if physical storage were compromised, the data would remain inaccessible.
- Controlled Database Access: The database is only accessible via the CareNote application, with no external API tokens or public access allowed.
- Data Retention: Data is retained during active account usage. When an account is deleted, data is immediately removed from active storage. Backup copies are retained for up to 30 days as part of our disaster recovery process, after which they are permanently purged.
- Data Durability and Recovery: Our multilayered backup strategy includes point-in-time backups and daily snapshots, ensuring resilience against hardware failure, regional disasters, and malicious acts.
Privacy Practices
We are committed to complying with privacy regulations in all regions where CareNote operates:
- PIPEDA Compliance: In Canada, we adhere to the 10 principles of the Personal Information Protection and Electronic Documents Act (PIPEDA).
- GDPR Compliance: For users in the EU, we align with GDPR principles, ensuring informed consent, data minimization, and secure data handling.
- Data Anonymization: Any data shared with external services, such as for analytics or sentiment analysis, is fully anonymized to maintain user confidentiality.
Security Measures
CareNote prioritizes the security of your data through comprehensive safeguards:
- Encryption: All data at rest is protected with full-disk encryption, and all data in transit is encrypted using HTTPS/TLS protocols.
- Access Control: Role-based access control (RBAC) ensures that only authorized users can view or modify sensitive information.
- Activity Monitoring: CareNote maintains logs of all key actions for auditing purposes, allowing for traceability and early detection of potential issues.
- Secure Hosting: CareNote is hosted across multiple secure platforms, all of which meet stringent compliance standards, including SOC 2 and ISO 27001 certifications, to ensure reliability and data protection:
  - Microsoft Azure: US-East-1 region (Richmond, Virginia).
  - DigitalOcean: US-East-1 region (New York, NY).
  - Laravel Cloud (AWS): US-East-1 region (Washington, DC).
  - Vercel: US-East-1 region (Washington, DC).
  - Cloudflare: US-East-1 region (Detroit, MI).
Third-Party Services
To provide a seamless and powerful experience, CareNote integrates with trusted third-party services:
- Twilio: For SMS notifications and phone number validation.
- Stripe: For payment processing and subscription management.
- Planning Center Online (PCO): For church management system data integration.
We take great care to share only the necessary data with these services, ensuring it is anonymized and transmitted securely.
PCI Compliance
The Payment Card Industry Data Security Standard (PCI DSS, or more commonly, PCI) is a set of standards set forth by the four major card associations to protect cardholder data. All merchants and processors need to have physical, electronic, and procedural controls in place to ensure that cardholder data is stored and handled securely at all times.
CareNote is a PCI Level One compliant merchant.
Our payment processor, Stripe, is one of the largest, most advanced payment processors in the world. They handle payment processing for services like Kickstarter, Lyft, Shopify, Pinterest, Twitter, Heroku, SurveyMonkey, and many other companies. Stripe is also a certified "PCI Service Provider Level 1" payment processor.
CareNote's Security Culture
At CareNote, protecting your data is more than just a policy—it’s personal to me. As a pastor of a local church, I use CareNote every day to manage my congregation, which means my own data is in CareNote alongside yours. This responsibility drives my commitment to safeguarding both my data and yours.
I’ve logged milestones for my loved ones, tracked care requests for my congregants, and celebrated care moments with my team—all within CareNote. I treat your data with the same care and respect as I do my own because, in many ways, it is.
This connection fuels my dedication to ensuring that CareNote is a secure, reliable, and trusted tool for your ministry, just as it is for mine.
Continuous Improvement
Your feedback is invaluable as we continue to refine CareNote’s data handling, privacy, and security practices. If you have any questions or require additional information about our approach, we’re here to help.