Vicarity

Security

Security, in plain words.

Care records are some of the most sensitive data there is. Here's exactly how we protect it.

Encryption

  • TLS 1.3 in transit
  • AES-256 at rest (database and object storage)
  • Stripe-managed encryption for payment data

Access control

  • Supabase Auth with role-based access (ADMIN, MANAGER, WORKER, FAMILY)
  • JWT custom claims for per-care-home scoping
  • Row-Level Security on every table touching care data
  • Family access restricted to the specific resident they're linked to

Hosting

  • UK application servers
  • Supabase EU-region database
  • No third-country data transfers
  • Daily encrypted backups

Audit + logging

  • Structured audit log on sensitive mutations
  • Access logs retained for 90 days
  • No raw PII in application logs

Vulnerability management

  • Automated dependency updates (Dependabot)
  • Weekly security audits (pnpm audit)
  • CI fails on critical vulnerabilities

Incident response

  • Breach notification within 72 hours
  • Rollback-on-failure deployment pipeline
  • Health checks + smoke tests block bad releases

Responsible disclosure

Found a security issue? Please report it to security@mykeralam.uk — we'll respond within 24 hours. Do not publicly disclose before we've had a chance to fix it. We'll credit you in our changelog if you want credit.

See also our compliance page for certification status and roadmap.