Procurement-diligence portal

Trust Portal

Every certification, BAA, and subprocessor CaraLoom relies on — updated within 7 days of any change. If a row says “scheduled,” it means the date is real and the engagement is funded. We don’t claim what we don’t have.

Need the audit-ready vendor packet? Email trust@caraloom.com — we send the SBOM, network diagram, and pen-test summary on request.

Live BAA chain

12 subprocessors · 10 BAAs signed · 8 PHI-touching

Last reviewed Feb 24, 2026

100.00% uptime · last 30 days
Enterprise SLA target 99.95%

Certifications & posture

Where we are, where we’re going

SOC 2 Type 1

Audit engaged

Security, availability, confidentiality, processing integrity, privacy.

Vendor selected (Vanta). 4–6 month timeline. Report expected in production calendar Q2 2026.

SOC 2 Type 2

Q4 2026

Operational effectiveness of SOC 2 controls over a 6–12 month window.

Begins immediately after Type 1 attestation closes.

HITRUST CSF

Q1 2027

Healthcare-specific control framework required by enterprise hospital + payer procurement.

12–18 month engagement. Required for first payer contract; not required for provider SaaS.

HIPAA Posture

Operational

Administrative, physical, and technical safeguards under 45 CFR § 164.

PHI minimization, audit trails, encryption at rest + in transit, role-based access. BAAs in place with every subprocessor that touches PHI.

How we think about data

Four principles, no asterisks

PHI by exception, not default

Every internal service receives the minimum PHI required to do its job. Email bodies are scrubbed before send. Audit rows record every read of a patient record.

Encryption everywhere

TLS 1.2+ in transit, AES-256 at rest. Database backups are encrypted with customer-managed keys.

Row-level multi-tenancy

Every collection is scoped by organization_id. Penetration-tested. No cross-tenant query path exists in code.

BAA chain transparency

The subprocessor table below is the single source of truth — updated within 7 days of any new vendor onboarding.

Subprocessor list

Every vendor that may receive CaraLoom data

We sign a BAA with every subprocessor that may receive PHI. We don’t sign a BAA with vendors who only handle billing identifiers or non-PHI data — but they’re listed here anyway so procurement teams can audit the full chain.

| Vendor | Purpose | Region | BAA | Touches PHI? |
|---|---|---|---|---|
| MongoDB Atlas | Primary application database | us-east (AWS) | Yes | Yes |
| Amazon Web Services | Compute, networking, object storage | us-east-1 | Yes | Yes |
| Google Vertex AI | LLM inference (Healthcare API tier) | us-central1 | Yes | Yes |
| Anthropic (via Bedrock) | Claude inference for clinical surfaces | us-east-1 | Yes (Bedrock) | Yes |
| OpenAI (via Azure) | GPT inference for clinical surfaces | East US | Yes (Azure) | Yes |
| Stripe | Payments + Stripe Connect payouts | US | N/A — no PHI | No (financial only) |
| Resend | Transactional email (de-identified bodies) | US | N/A — no PHI | No (PHI scrubbed before send) |
| Twilio | SMS + voice notifications | US | Yes | Minimal (initials + appointment link) |
| Daily.co | Telehealth video infrastructure | US | Yes | Yes (ephemeral) |
| Stedi | EDI 837P/835 clearinghouse | US | Yes | Yes |
| Checkr | Background screening of clinicians | US | Yes | No (clinician PII, not patient PHI) |
| Availity / CAQH ProView | Credentialing roster + payer enrollment | US | Yes | No (clinician credentials) |

Last reviewed: Feb 24, 2026. Customers under contract receive a 30-day advance email when a new subprocessor is added.

Have a question?

We answer procurement RFPs within 48 hours.

Why this page is dull

You won’t find a “Trusted by 200+ enterprises” badge on this page because we aren’t there yet. CaraLoom is early. What we do have is an honest BAA chain, a funded SOC 2 engagement, and an audit-ready vendor packet you can stress-test today. If we mislead procurement now, we lose the renewal in year two.

CaraLoom

Care, woven into one continuous thread. From discharge to accepted placement to first visit — one record, one promise.

care@caraloom.com

Chantilly, VA 20151 · Serving providers nationwide

HIPAA-ready · End-to-end encrypted · Background-checked

CaraLoom is a technology marketplace, not a direct care provider. Clinicians are independent licensed professionals. We verify identity and licenses at onboarding and monitor them on an ongoing basis; because no screening is exhaustive, use your judgment when choosing care. See our Trust & Safety page.

A marketplace, not a care provider

CaraLoom is a technology marketplace and care-coordination platform — not a healthcare provider, staffing agency, or employer of clinicians. Clinicians are independent, licensed professionals who run their own practices. Bookings, rates, and care plans are agreements made directly between families and clinicians.

Payments & settlement

CaraLoom is a software platform and not a bank, escrow agent, or money transmitter. We utilize third-party payment processors (Stripe and Stripe Connect) to facilitate direct clinician-to-family transactions based on verified service-delivery milestones. Funds are secured up-front at booking and scheduled for payout once the clinician signs the clinical visit log.

Profiles & verification

Profiles, reviews, and messages are created by our users. We verify each clinician's identity and license at onboarding and monitor license status on an ongoing basis. No screening is ever exhaustive, so we encourage families to interview clinicians and use their own judgment when choosing care. See what we check on our Trust & Safety page.

AI guidance

Cara and other AI features are informational and are not a substitute for professional medical advice, diagnosis, or treatment. Please talk to your physician or another qualified provider about any medical question.

Emergencies

If you are experiencing a medical emergency, call 911.

Promotions & marks

Promotional offers and referral rewards are subject to their stated terms and may change. CaraLoom℠ and “Care that comes home to you.” are service marks of CaraLoom, Inc. © 2026 CaraLoom, Inc. Your use of this site is subject to our Terms of Service and Privacy Policy.
