Every certification, BAA, and subprocessor CaraLoom relies on — updated within 7 days of any change. If a row says “scheduled,” it means the date is real and the engagement is funded. We don’t claim what we don’t have.
Need the audit-ready vendor packet? Email trust@caraloom.com — we send the SBOM, network diagram, and pen-test summary on request.
| Scope | Status |
|---|---|
| Security, availability, confidentiality, processing integrity, privacy. | Vendor selected (Vanta). 4–6 month timeline. Report expected in calendar Q2 2026. |
| Operational effectiveness of SOC 2 controls over a 6–12 month window. | Begins immediately after the Type 1 attestation closes. |
| Healthcare-specific control framework required by enterprise hospital + payer procurement. | 12–18 month engagement. Required for the first payer contract; not required for provider SaaS. |
| Administrative, physical, and technical safeguards under 45 CFR § 164. | PHI minimization, audit trails, encryption at rest + in transit, role-based access. BAAs in place with every subprocessor that touches PHI. |
Every internal service receives the minimum PHI required to do its job. Email bodies are scrubbed before send. Audit rows record every read of a patient record.
TLS 1.2+ in transit, AES-256 at rest. Database backups are encrypted with customer-managed keys.
Every collection is scoped by organization_id. Penetration-tested. No cross-tenant query path exists in code.
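What "scoped by organization_id" and "audit rows record every read" look like at the code level, as an added illustration that is not CaraLoom's code: it assumes a MongoDB-style filter dict and an `organization_id` field on every patient document, and stands in for the database with an in-memory list of constructed records so it runs offline.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
ORG_KEY = "organization_id"  # tenant field the page says scopes every collection

class CrossTenantQuery(Exception):
    """Raised when a caller-supplied filter pins a foreign tenant."""

def scope_filter(user_filter: dict, org_id: str) -> dict:
    """Copy of user_filter pinned to org_id. The tenant key is ANDed at the
    top level, so no $or/$in clause inside user_filter can widen the result;
    the only escape is overriding the key itself, which is rejected."""
    if ORG_KEY in user_filter and user_filter[ORG_KEY] != org_id:
        raise CrossTenantQuery(f"filter pins {ORG_KEY} to a foreign tenant")
    return {**user_filter, ORG_KEY: org_id}

def _matches(doc: dict, flt: dict) -> bool:
    # Equality-only matcher standing in for the database engine (hypothetical).
    return all(doc.get(k) == v for k, v in flt.items())

@dataclass
class PatientStore:
    docs: list = field(default_factory=list)
    audit_rows: list = field(default_factory=list)  # one row per record read

    def find(self, org_id: str, actor: str, user_filter: dict) -> list:
        flt = scope_filter(user_filter, org_id)
        hits = [d for d in self.docs if _matches(d, flt)]
        for d in hits:  # audit every record read, not merely every query
            self.audit_rows.append({"ts": datetime.now(timezone.utc).isoformat(),
                                    "actor": actor, ORG_KEY: org_id,
                                    "patient_id": d["patient_id"]})
        return hits

# Constructed sample data: two tenants, one patient record each.
SAMPLE_DOCS = [
    {ORG_KEY: "org_a", "patient_id": "p1", "name": "A. Example"},
    {ORG_KEY: "org_b", "patient_id": "p2", "name": "B. Example"},
]

def demo() -> dict:
    """org_a never sees org_b's record, and every read leaves an audit row."""
    store = PatientStore(docs=list(SAMPLE_DOCS))
    own = store.find("org_a", "clinician@org_a", {})
    foreign = store.find("org_a", "clinician@org_a", {"patient_id": "p2"})
    try:
        store.find("org_a", "clinician@org_a", {ORG_KEY: "org_b"})
        blocked = False
    except CrossTenantQuery:
        blocked = True
    return {"own": [d["patient_id"] for d in own], "foreign": foreign,
            "override_blocked": blocked, "audit_rows": len(store.audit_rows)}
```

The useful property to test for is the last branch: a filter that names another tenant's `organization_id` must fail loudly rather than being silently overwritten, otherwise a bug elsewhere can hide behind a query that "works".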
The subprocessor table below is the single source of truth — updated within 7 days of any new vendor onboarding.
We sign a BAA with every subprocessor that may receive PHI. We don’t sign a BAA with vendors who only handle billing identifiers or non-PHI data — but they’re listed here anyway so procurement teams can audit the full chain.
| Vendor | Purpose | Region | BAA | Touches PHI? |
|---|---|---|---|---|
| MongoDB Atlas | Primary application database | us-east (AWS) | Yes | Yes |
| Amazon Web Services | Compute, networking, object storage | us-east-1 | Yes | Yes |
| Google Vertex AI | LLM inference (Healthcare API tier) | us-central1 | Yes | Yes |
| Anthropic (via Bedrock) | Claude inference for clinical surfaces | us-east-1 | Yes (Bedrock) | Yes |
| OpenAI (via Azure) | GPT inference for clinical surfaces | East US | Yes (Azure) | Yes |
| Stripe | Payments + Stripe Connect payouts | US | N/A — no PHI | No (financial only) |
| Resend | Transactional email (de-identified bodies) | US | N/A — no PHI | No (PHI scrubbed before send) |
| Twilio | SMS + voice notifications | US | Yes | Minimal (initials + appointment link) |
| Daily.co | Telehealth video infrastructure | US | Yes | Yes (ephemeral) |
| Stedi | EDI 837P/835 clearinghouse | US | Yes | Yes |
| Checkr | Background screening of clinicians | US | Yes | No (clinician PII, not patient PHI) |
| Availity / CAQH ProView | Credentialing roster + payer enrollment | US | Yes | No (clinician credentials) |
Last reviewed: Feb 24, 2026. Customers under contract receive a 30-day advance email when a new subprocessor is added.
You won’t find a “Trusted by 200+ enterprises” badge on this page because we aren’t there yet. CaraLoom is early. What we do have is an honest BAA chain, a funded SOC 2 engagement, and an audit-ready vendor packet you can stress-test today. If we mislead procurement now, we lose the renewal in year two.