
Trust & Security

Enterprise-grade security for healthcare's most sensitive data.

Curo AI is purpose-built for healthcare. Security, privacy, and compliance aren't features we added later; they're the foundation of everything we build. We protect patient data with the same rigor that health systems expect from their most critical vendors.

Compliance & Certifications

SOC 2 Type II Certified

Curo maintains SOC 2 Type II certification, audited annually by an independent third-party auditor. Our SOC 2 report covers security, availability, and confidentiality trust service criteria. A copy of our most recent report is available under NDA upon request.

HIPAA Compliant

Curo acts as a Business Associate under HIPAA for all healthcare customers. We execute a Business Associate Agreement (BAA) with every customer before processing Protected Health Information (PHI). Our platform is designed to comply with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.

HIPAA Security Rule Alignment

Curo's security controls are aligned with the HIPAA Security Rule's administrative, physical, and technical safeguard requirements, including the updates outlined in the 2026 HIPAA Security Rule changes.

Encryption

All data is encrypted in transit and at rest:

  • In transit: TLS 1.3 for all data transmitted between Curo systems, customer systems, EMR integrations, and end users.
  • At rest: AES-256 encryption for all stored data, including voice recordings, call transcripts, patient records, and account data.
  • Key management: Encryption keys are managed through a dedicated key management service with automatic key rotation.

Infrastructure

  • Curo's platform is hosted in SOC 2 and ISO 27001 certified data centers located in the United States.
  • All customer data is processed and stored within the United States.
  • Production environments are logically isolated from development and staging environments.
  • Customer data is logically isolated: no customer can access another customer's data.
  • Infrastructure is monitored 24/7 with automated alerting and escalation.

Access Controls

  • Role-based access control (RBAC): All access to customer data and PHI is restricted to authorized personnel on a least-privilege basis.
  • Multi-factor authentication (MFA): Required for all internal systems, production infrastructure, and administrative dashboards.
  • Just-in-time access: Elevated access to production systems requires approval and is time-limited.
  • Single sign-on (SSO): Available for customer dashboard access via SAML 2.0.

Voice Data Protection

Voice data is the core of Curo's platform. We treat every call recording and transcript as PHI by default:

  • Voice recordings and transcripts are encrypted using TLS 1.3 in transit and AES-256 at rest.
  • Access to recordings is restricted to the customer's Authorized Users through the Curo dashboard and to authorized Curo personnel on a role-based basis.
  • Default retention is 90 days, configurable per customer. Customers may request deletion at any time.
  • Curo does not use customer voice recordings, call transcripts, or PHI to train generalized AI models. Customer data is logically isolated and used solely to provide services to that customer.

Monitoring & Incident Response

  • Continuous monitoring: Automated security monitoring, intrusion detection, and anomaly detection across all production systems.
  • Logging: Immutable audit logs capture all access to customer data and PHI, including who accessed what, when, and from where.
  • Incident response: Curo maintains a documented incident response plan. In the event of a security incident involving PHI, Curo notifies the affected customer within 48 hours of discovery, consistent with HIPAA breach notification requirements.
  • Vulnerability management: Regular vulnerability scans and penetration testing conducted by internal teams and independent third parties.

Workforce Security

  • All Curo employees and contractors undergo background checks prior to accessing customer data or PHI.
  • Security and privacy training is completed upon hire and annually thereafter.
  • Employees with access to PHI are bound by confidentiality agreements.
  • Access is revoked immediately upon termination or role change.

Vendor & Subprocessor Security

Curo evaluates all third-party vendors and subprocessors for security and compliance before onboarding:

  • All subprocessors that handle PHI are required to execute a BAA with Curo.
  • Subprocessors are reviewed for SOC 2, ISO 27001, or equivalent certifications.
  • A list of current subprocessor categories is available in our Privacy Policy. A list of specific subprocessors is available upon request.

Penetration Testing

Curo engages independent third-party security firms to conduct penetration testing at least annually. Testing covers:

  • External network and application penetration testing
  • API security testing
  • Social engineering assessments (where applicable)

A summary of findings and remediation is available under NDA upon request.

Business Continuity & Disaster Recovery

  • Automated backups are performed daily and stored in geographically separate, encrypted storage.
  • Recovery time objective (RTO): 4 hours.
  • Recovery point objective (RPO): 1 hour.
  • Business continuity and disaster recovery plans are tested at least annually.

Your Responsibilities

Security is a shared responsibility. As a Curo customer, you are responsible for:

  • Managing Authorized User accounts and access permissions.
  • Maintaining the security of EMR credentials provided to Curo.
  • Complying with applicable call recording consent laws.
  • Providing required patient notices and obtaining required consents.
  • Reviewing AI-generated outputs (appointment bookings, transcripts) for accuracy.

Security Resources

SOC 2 Type II Report

Available under NDA. Contact security@curoai.com.

Business Associate Agreement (BAA)

Executed with every healthcare customer. Contact sales@curoai.com.

Data Processing Addendum (DPA)

Available upon request. Contact privacy@curoai.com.

Penetration Test Summary

Available under NDA. Contact security@curoai.com.

Security Questionnaire Responses

Curo maintains pre-completed responses to SIG, CAIQ, and HECVAT security questionnaires. Contact security@curoai.com.

Have Security Questions?

Our security team is here to help. Contact us for detailed information about our security practices, compliance documentation, or to request our SOC 2 report.

Additional Contacts:

(800) 600-1415