Capra Health — capra+
Book a demo

Security

Last updated: June 8, 2026

Our Approach to Security

Security is foundational to how we build and operate the capra+ platform. Because we work with healthcare organisations and the sensitive information they manage, we design our systems with a defence-in-depth philosophy: multiple, independent layers of protection so that no single control is a point of failure. This page describes the practices we follow. It speaks to how we operate rather than to any specific attestation, and our security programme continues to evolve as standards and threats change.

Data Encryption

We protect data both while it moves across networks and while it is stored at rest.

  • In transit: connections to our services are encrypted using current versions of the TLS protocol, and we apply HTTP Strict Transport Security so that browsers connect only over secure channels.
  • At rest: data stored in our infrastructure is encrypted using strong, industry-standard algorithms, with cryptographic keys managed through our cloud provider’s key-management services.

Access Controls & Authentication

Access to systems and data is governed by the principle of least privilege: individuals and services are granted only the permissions they need to perform their function, and nothing more.

  • Role-based access control: permissions are assigned through defined roles rather than to individuals directly, making access easier to review and revoke.
  • Strong authentication: administrative and privileged access requires multi-factor authentication.
  • Periodic review: access rights are reviewed regularly and removed promptly when no longer required, such as when a team member changes role or departs.

Infrastructure & Network Security

Our services run on established cloud infrastructure that maintains its own rigorous physical and environmental security controls. We isolate workloads using network segmentation, restrict inbound and outbound traffic through firewalls and security groups, and limit the exposure of internal systems to the public internet. Production environments are separated from development and testing environments.

Monitoring & Logging

We maintain logging and monitoring across our infrastructure and applications to detect anomalous or unauthorised activity. Security-relevant events are recorded, retained for an appropriate period, and reviewed so that we can investigate incidents and respond in a timely manner.

Vulnerability Management & Patching

We work to identify and remediate vulnerabilities before they can be exploited. Our practices include keeping operating systems, dependencies, and libraries up to date, applying security patches on a risk-prioritised basis, and using automated tooling to flag known vulnerabilities in our software supply chain. Significant changes are reviewed before they reach production.

Data Backup & Resilience

We perform regular backups of critical data and design our systems for resilience and recoverability. Backups are protected with the same care as production data, and we maintain processes intended to restore service and data in the event of a disruption.

Responsible Disclosure

We value the work of the security research community. If you believe you have discovered a security vulnerability in our website or services, we encourage you to report it to us so that we can investigate and address it. Please email info@capra.health with the details needed to reproduce the issue. We ask that you give us a reasonable opportunity to remediate before any public disclosure, and that you avoid accessing or modifying data that is not your own while testing.

Contact

For any questions about our security practices, please contact us at:

Capra Health, Inc.
Email: info@capra.health