Security
How DivineCare Service protects your data, end to end.
Security is a foundational concern for healthcare software. DivineCare Service is engineered with defence-in-depth — encryption, access control, tamper-evident audit, and operational discipline — so that the agencies who trust us with their patients' data can demonstrate compliance and sleep at night. This page summarises the controls currently in place.
Encryption
- In transit: All connections to the platform use TLS 1.2 or higher. TLS 1.0 and 1.1 are disabled.
- At rest: Documents are encrypted with AES-256 using per-document keys derived with PBKDF2-HMAC-SHA256 before being stored in private blob storage. Database backups are encrypted by the hosting provider.
- Cookies & tokens: ASP.NET Core Data Protection keys are persisted to durable storage; cookies are marked HttpOnly, Secure, and SameSite=Lax.
Identity & access
- Role-based access control (RBAC) with granular permission overrides per user.
- Multi-factor authentication available via authenticator apps (TOTP).
- Sessions time out after inactivity; anti-forgery tokens are enforced on every state-changing request and burned after a single use.
- API access protected with rotating credentials and per-key origin allow-listing.
Audit & monitoring
- Every meaningful action is recorded to an immutable audit log with actor, timestamp, IP, browser, and outcome.
- Authentication events (logins, MFA challenges, password resets) are captured per-user and surfaced in My Profile → Login History.
- Synthetic uptime monitoring with incident tracking is built in for SuperAdmin oversight.
Application security
- Defence against the OWASP Top 10: parameterised queries (EF Core), output encoding, anti-forgery tokens, and clickjacking protection.
- Secrets (DB credentials, API keys, signing keys) are read from configuration — never source code — and excluded from version control.
- Dependency scanning surfaces known CVEs at build time so vulnerable packages are upgraded promptly.
Infrastructure & operations
- Hosted on enterprise-grade cloud (Azure recommended; on-premise supported for residency-sensitive deployments).
- Database backups taken at least hourly and stored in a geographically separate location (RPO ≤ 1 hour, RTO ≤ 4 hours).
- Least-privilege access for production: separate roles for application service accounts and human operators.
Compliance posture
- HIPAA — administrative, technical, and physical safeguards aligned to the HIPAA Security Rule.
- GDPR / UK GDPR — see our Data Processing Addendum.
- Privacy practices — see the Privacy Policy.
Reporting a vulnerability
If you believe you have found a security issue, please use our contact form and start your message with "Security report". We acknowledge verified reports within two business days. Please do not publicly disclose issues until we have had a reasonable opportunity to remediate.