Security & HIPAA
We're a Business Associate under HIPAA. We sign a BAA with every customer, and we run a BAA chain through every vendor that touches your data. This page describes how that works in plain language.
Encryption
Every prospective-client email body and extracted intake field is encrypted at rest with per-tenant envelope encryption. Your practice has its own data encryption key (DEK), wrapped by an AWS KMS master key. If we crypto-shred your DEK, your ciphertext is unrecoverable — even by us.
All transport is TLS 1.2+. Outbound mail is sent via SES with a TLS-required policy.
Audit logs
Every PHI access — view, export, decrypt, auto-reply, digest — writes a row to an append-only audit log. Owners can view their tenant's log at /audit. The log is retained for six years.
Subprocessors
The vendors that touch PHI on your behalf, all under signed BAAs:
- AWS (RDS, S3, SES, KMS, CloudWatch) — hosting, database, mail send, key management, logs.
- Anthropic — the LLM that extracts intake fields and detects crisis signals.
- Vercel — Next.js hosting.
- Inngest — durable background jobs.
See the full list at /legal/subprocessors, which we update whenever the chain changes.
What we do NOT do
- We do not log email bodies, client names, or any extracted clinical content.
- We do not load third-party analytics (no Google Analytics, no Mixpanel) on any authenticated page.
- We do not share data with our other customers, ever.
- We do not train AI models on your data.
Breach response
If your PHI is acquired without authorization, we'll notify you within 24 hours so you can meet your own 60-day Covered Entity notification window. The full runbook is in your BAA.
BAA
We sign a BAA with every customer at signup. Download a draft at /legal/baa to review before you sign up.