We hold what they trusted you with — carefully.
Under HIPAA we're a Business Associate. We sign a Business Associate Agreement with every practice, and every vendor that helps us run things has signed one with us in turn. This page describes how that works, in plain language.
Each practice gets its own key.
Every email body and every detail we pull from it is locked up at rest with a key that belongs to your practice. No other tenant's key can open your records, and our master key can only unlock yours with your key present.
When you eventually leave us, we destroy your key — in a way that we ourselves can't undo. The encrypted records become permanently unreadable. Departure is one click in Settings.
All connections are encrypted in transit too. Outbound mail goes over TLS.
Every time we touch your data, we write it down.
When a record is read, written, sent in a digest, replied to, or exported, a row appears in your audit. You can see your own audit any time in Settings — what was touched, when, and by whom.
The audit contains only what happened — never the contents of an email, never a client's name, never any words they wrote. We keep the record for six years, the HIPAA Security Rule retention period.
Named, and named publicly.
No vendor ever sees your clients' words without a signed Business Associate Agreement — that's a launch gate, not an aspiration, and we publish exactly which signatures are in place rather than rounding up. The full, current list lives at /legal/subprocessors and changes whenever the people we work with change.
What we won't do — not now, not ever.
- Write any client’s words or name into a log we can read.
- Load behavioral or advertising trackers on pages where you’re signed in.
- Show your data to any other practice, ever.
- Use your clients’ words to train an AI — ours, Anthropic’s, or anyone’s.
- Add a vendor that might see private records without a BAA on file first.
- Send marketing email to your prospective clients.
You hear from us within 24 hours.
If your clients' records are ever accessed by someone who shouldn't have, we'll tell you within 24 hours — so you have time to meet your own 60-day notification window without scrambling.
We have a written response procedure with a named owner at every step: detect, contain, understand, notify, and learn. The plan is referenced in your BAA and we update it after every drill.
- T+0Detect: we see the alert or you tell us
- T+15mContain: isolate what’s affected, change keys
- T+1hUnderstand: who’s touched, what’s exposed
- T+24hTell you: an email to every affected practice, and a phone call if it’s urgent
- T+7dLearn: a written debrief — what happened, why, and what changes
Read the BAA before you sign up.
We'd rather you take time with the contract than trust a badge. Download a draft and read it over; we'll work with you on addenda if your state or board requires.