HIPAAtherapy / Security
Trust Center
Your clients trust you with sensitive information. We take that responsibility seriously - here's how we protect your practice data.
Security Controls
Encryption & Data Protection
Data is encrypted at rest and in transit.
- Encryption at rest for database and persistent storage
- TLS 1.2+ for traffic between your browser and our servers
- Application database field-level encryption for sensitive fields
- Encrypted backups with strict access controls
Authentication
Secure sign-in with multi-factor authentication and passkey support.
- Passkey-based two-factor authentication (Touch ID, Face ID, security keys)
- bcrypt password hashing with per-user salts
- Authentication events are logged
Access Control
Fine-grained permissions ensure users only see what they're authorized to see.
- Role-based access with supervision-aware permissions
- Account-scoped data isolation between organizations
Audit Logging
Comprehensive logging for accountability and compliance reporting.
- Immutable audit trail for clinical record access and changes
- Login history with IP addresses and device info
- Sensitive data (PHI) automatically filtered from application logs
Infrastructure
Healthcare-focused hosting with redundancy, monitoring, and regular security maintenance.
- Hosted on Fly.io infrastructure with primary region in IAD (US)
- Encryption at rest and in transit at the infrastructure layer
- Automated health checks with continuous uptime monitoring
- Recurring internal security reviews with external penetration testing planned
Payment Security
Payment processing handled by PCI-compliant providers - we never store card numbers.
- Stripe handles all payment processing (PCI DSS Level 1)
- No credit card numbers ever touch our servers
- Tokenized payment methods and billing handled by Stripe
Compliance & Legal
The paperwork side of trust - agreements and policies that back up our technical controls.
Business Associate Agreement
We sign a BAA with every customer. It's built into our onboarding - no hoops to jump through.
Read our BAA
Privacy Policy
Plain-language explanation of what data we collect, how we use it, and your rights as a user.
Read our Privacy Policy
HIPAA Compliance
HIPAAtherapy implements administrative, physical, and technical safeguards required by the HIPAA Security Rule.
Data Ownership
Your Data, Your Rules
We're processors, not owners. Here's what that means in practice.
- You own your data - we're processors, not owners
- Full account deletion and partial record deletion available on request
- Backups containing deleted data are purged within 5 days
- PDF note exports are available in-app; full practice/client CSV exports are available on request
- Sensitive clinical data is automatically filtered from application logs
- We never sell, share, or monetize your clinical data
Frequently Asked Questions
Yes. We implement administrative, physical, and technical safeguards aligned with the HIPAA Security Rule, including encryption at rest and in transit, role-based access controls, audit logging, and Business Associate Agreements.
Yes. We sign a BAA with every customer as part of onboarding. You can review our standard BAA on our website, and it's executed electronically when you create your account.
HIPAAtherapy is hosted on Fly.io with our primary region in IAD (United States). Data is encrypted at rest and all connections use TLS in transit.
Yes. Notes can be exported as PDF in-app. Full practice/client exports are available on request in structured CSV format.
When you delete a record, it's removed from the live database immediately. Full account deletion is also available on request.
Yes. We support passkey-based two-factor authentication using Touch ID, Face ID, or hardware security keys. You can enable it from your profile settings. Learn more in our 2FA documentation.
All payment processing is handled by Stripe, a PCI DSS Level 1 certified provider. Credit card numbers never touch our servers - they're tokenized and stored securely by Stripe.
Yes. We run recurring internal security reviews and vulnerability checks, and we keep dependencies up to date. External penetration testing is planned.
Questions about how we handle data, or need documentation for a compliance review?
Get in touch →