Security Overview
This summary outlines measures Umami Labs Limited (“UmiCare”) uses to protect our websites and services. It is a high-level overview and does not create additional warranties or service levels.
Contact: legal@umicare.co. Last updated: 2026-01-06
Program
Security posture
We apply security-by-design principles, including least privilege, separation of duties, change management, and documented access controls. We perform periodic risk assessments, manage vulnerabilities with tracked remediation, conduct vendor due diligence with written data processing terms, and require employee security training, device protections (full-disk encryption, screen locks), and regular access reviews.
Secure development: we separate environments (prod/non-prod), review code that impacts security or privacy, manage secrets, scan dependencies, and track remediation of findings from automated tools and third-party reports.
Infrastructure
Hosting and network
We host on DigitalOcean (Singapore) with network segmentation, firewalls, routine patching, and monitoring for availability, performance, and anomalous activity. All public endpoints use HTTPS/TLS; data at rest (including backups) is encrypted. Backups follow tested restoration procedures with limited retention.
Production access is restricted to authorized personnel using SSO/MFA with logged administrative actions. We apply hardening baselines and regularly review cloud configurations.
Application
Application security
We use hashed credentials and secure session management, enforce controls against common vulnerabilities (injection, XSS, CSRF), apply role-based access controls for internal and production operations with administrative logging, and review code and infrastructure changes that affect security posture.
Authentication: user passwords (where used) are hashed with industry-standard algorithms; MFA support is being evaluated. Session tokens are scoped and protected; rate limiting is applied to sensitive endpoints.
AI processing
How we use AI services
We use OpenAI to generate informational summaries. Personal data sent to OpenAI is transmitted over TLS, handled under data processing terms, and not used to train public models. Outputs are informational only and not medical advice. We log limited metadata to monitor reliability and abuse; see the Privacy Policy for details.
Incidents
Monitoring and incident response
We monitor critical systems with alerting and runbooks. Incident response covers detection, triage, containment, eradication, recovery, and retrospective review. We will notify customers and regulators where legally required and reserve discretion on public disclosure consistent with law. Post-incident corrective actions are tracked to closure.
Reliability
Business continuity
We maintain documented backup, restore, and disaster recovery procedures with periodic testing. Infrastructure redundancy includes defined failover paths. We monitor capacity and performance to maintain availability targets but do not guarantee uninterrupted service.
Business continuity plans prioritize data integrity and core functionality. Recovery time and recovery point objectives are tested and refined over time.
Subprocessors
Key subprocessors
We engage subprocessors under written data protection terms. Core providers include DigitalOcean (hosting, networking, backups), OpenAI (AI-powered summaries; prompts and outputs), email and support providers (transactional email and support conversations), and analytics providers (product analytics and performance; no advertising profiles). We review subprocessors periodically, conduct risk-based due diligence, and update them as needed to operate the Services safely.
Responsible disclosure
Report a vulnerability
If you believe you have found a security issue, email legal@umicare.co with details and steps to reproduce. Do not publicly disclose the issue until we confirm remediation. We will acknowledge receipt, investigate, and respond within a reasonable period. At this time we do not offer a public bug bounty program.
Contact
Reach our security team
Email: legal@umicare.co
Company: Umami Labs Limited