# Data Security

> How your data is protected in Carelane

Data security encompasses the measures and controls that protect your clinical research data from unauthorized access, modification, or loss.

## Data Protection Measures

### Encryption

| Type           | Implementation                     |
| -------------- | ---------------------------------- |
| **In Transit** | TLS 1.2+ for all connections       |
| **At Rest**    | AES-256 encryption for stored data |
| **Database**   | Encrypted database storage         |
| **Backups**    | Encrypted backup storage           |

### Access Controls

| Control                | Purpose                 |
| ---------------------- | ----------------------- |
| **Authentication**     | Verify user identity    |
| **Authorization**      | Control resource access |
| **Role-Based Access**  | Permission by role      |
| **Session Management** | Secure session handling |

## Authentication

### Login Security

| Feature                   | Description                       |
| ------------------------- | --------------------------------- |
| **Password Requirements** | Strong password policies          |
| **SSO Support**           | Google, Microsoft integration     |
| **Session Timeout**       | Automatic logout after inactivity |

### Multi-Factor Authentication

When available:

* Additional verification step via an authenticator app (TOTP)
* **Backup recovery codes** generated at enrolment — store these safely; each code works once and lets you sign in if you lose access to your authenticator
* Reduces unauthorised-access risk

Recovery codes can be downloaded as a file or copied from the MFA setup screen. When you use one, it is consumed and an entry appears in your audit trail.

<Note>
  If you enabled MFA before backup codes were introduced, re-enrol from your user profile to generate a recovery code.
</Note>
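
A minimal model of the single-use recovery-code behaviour described above: each code is accepted once, then consumed, and every use leaves an audit entry. This is an added example, not Carelane's own code; the class name, code length, default count and audit-entry fields are assumptions.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone


def _digest(code: str) -> str:
    # Normalise so "ab12c-..." and "AB12C..." match, then hash. A fast hash is
    # acceptable only because the codes are 80-bit random values, not passwords.
    normalised = code.replace("-", "").strip().upper()
    return hashlib.sha256(normalised.encode()).hexdigest()


class RecoveryCodeStore:
    """Hypothetical server-side store; holds digests, never plaintext codes."""

    def __init__(self):
        self._unused = {}      # user -> set of digests of unused codes
        self.audit_trail = []  # append-only list of audit entries

    def enrol(self, user: str, count: int = 10) -> list:
        # Re-enrolling replaces any earlier set, invalidating old codes.
        raw = [secrets.token_hex(10).upper() for _ in range(count)]
        self._unused[user] = {_digest(c) for c in raw}
        # Shown to the user once, grouped for readability.
        return ["-".join(c[i:i + 5] for i in range(0, 20, 5)) for c in raw]

    def remaining(self, user: str) -> int:
        return len(self._unused.get(user, ()))

    def redeem(self, user: str, submitted: str) -> bool:
        candidate = _digest(submitted)
        match = None
        for stored in self._unused.get(user, ()):
            if hmac.compare_digest(stored, candidate):  # constant-time compare
                match = stored
        if match is not None:
            self._unused[user].discard(match)  # consume: the code works once
        # Assumption: rejected attempts are logged too. The code itself is
        # never written to the audit trail.
        self.audit_trail.append({
            "event": "mfa_recovery_code",
            "user": user,
            "outcome": "accepted" if match is not None else "rejected",
            "remaining": self.remaining(user),
            "at": datetime.now(timezone.utc).isoformat(),
        })
        return match is not None
```

Storing only digests means a leaked database table does not hand out working codes, and logging the remaining count lets a reviewer spot an account that is burning through its recovery codes.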

## Data Storage

### Cloud Infrastructure

Carelane uses enterprise cloud services:

| Aspect         | Implementation              |
| -------------- | --------------------------- |
| **Provider**   | Enterprise-grade cloud      |
| **Regions**    | Configurable data residency |
| **Redundancy** | Multiple availability zones |
| **Backups**    | Regular automated backups   |

### Data Isolation

| Level            | Isolation                           |
| ---------------- | ----------------------------------- |
| **Organization** | Separate data contexts              |
| **Study**        | Study-specific access               |
| **PHI**          | Special handling for sensitive data |

## PHI Handling

Protected Health Information receives special treatment:

| Measure            | Purpose                       |
| ------------------ | ----------------------------- |
| **Access Logging** | Track all PHI access          |
| **Minimisation**   | Collect only needed PHI       |
| **Encryption**     | Additional encryption for PHI |
| **Access Control** | Strict role requirements      |

### Reduced PHI Requests by Default

The participant enrolment form now requests fewer PHI fields by default. Essential fields (such as pseudonym and the study-configured status) remain pre-populated; optional PHI fields — for example subject name, medical record number, full date of birth, or subject initials — must be explicitly enabled per study.

This supports data-minimisation requirements and reduces the compliance footprint of new studies.

<Warning>
  Only enable PHI fields that are necessary for your study. Once PHI data is collected, retention and access rules apply even if the field is later disabled.
</Warning>

## Data Integrity

Measures to ensure data integrity:

| Measure             | How It Works            |
| ------------------- | ----------------------- |
| **Audit Trails**    | Complete change history |
| **Version Control** | Track all modifications |
| **Validation**      | Prevent invalid data    |
| **Checksums**       | Detect data corruption  |

## Incident Response

If a security incident occurs:

<Steps>
  <Step title="Detect">
    Automated monitoring detects issues.
  </Step>

  <Step title="Contain">
    Immediate containment actions.
  </Step>

  <Step title="Assess">
    Evaluate scope and impact.
  </Step>

  <Step title="Notify">
    Notify affected parties as required.
  </Step>

  <Step title="Remediate">
    Fix the underlying issue.
  </Step>
</Steps>

## Your Role in Data Security

| Action                      | Importance              |
| --------------------------- | ----------------------- |
| **Strong Passwords**        | First line of defense   |
| **Don't Share Credentials** | Maintain accountability |
| **Report Concerns**         | Early detection         |
| **Follow Policies**         | Consistent protection   |

## Best Practices

<AccordionGroup>
  <Accordion title="Secure Your Account">
    Use strong, unique passwords. Enable MFA if available.
  </Accordion>

  <Accordion title="Limit PHI Collection">
    Only enable PHI fields you actually need.
  </Accordion>

  <Accordion title="Secure Exports">
    Protect exported files appropriately.
  </Accordion>

  <Accordion title="Report Issues">
    Report any security concerns immediately.
  </Accordion>
</AccordionGroup>

## Related

<CardGroup cols={2}>
  <Card title="Access Control" icon="lock" href="/security-compliance/access-control">
    Managing access permissions.
  </Card>

  <Card title="Audit Trails" icon="clock-rotate-left" href="/security-compliance/audit-trails">
    Activity logging.
  </Card>
</CardGroup>
