Security Practices

Protecting your patients' data is our top priority. Here's how we do it.

Encryption at Rest

All Protected Health Information (PHI) is encrypted using AES-256-GCM with unique initialization vectors per record. Encryption keys are stored separately from the data.

Encryption in Transit

All communications between your device and our servers use TLS 1.2+ with HSTS preloading. HTTP connections are automatically redirected to HTTPS.

Access Controls

Role-Based Access Control (RBAC) ensures minimum necessary access. Owners, admins, therapists, and clients each have precisely scoped permissions.

Audit Logging

Every access to PHI is logged with who, what, when, and where. Audit logs are retained for 6 years per HIPAA requirements and are exportable as CSV.

Auto-Logout

Sessions automatically expire after configurable inactivity (default: 15 minutes). A 60-second warning allows users to extend their session.

Multi-Factor Authentication

Support for multi-factor authentication adds a critical layer of defense against credential theft and unauthorized access.

Infrastructure Security

Hosted on SOC 2 compliant cloud infrastructure with network isolation, automated backups, and high availability across multiple regions.

BAA Available

We execute Business Associate Agreements (BAAs) with all customers and maintain BAAs with our infrastructure providers including Stripe and hosting providers.

Incident Response

Our incident response plan covers detection, containment, eradication, recovery, and notification. Breach notifications are issued within 60 days, as HIPAA requires.

Data Residency

US organizations' data is processed and stored in the United States. India organizations' data is processed in compliance with DPDPA 2023.

Vendor Security

We maintain Business Associate Agreements with all subprocessors that may access PHI:

Provider          Purpose                   BAA Status   Compliance
Stripe            Payment Processing (US)   Signed       PCI-DSS Level 1, SOC 2
Cloud Hosting     Infrastructure            Signed       SOC 2 Type II, ISO 27001
Email Provider    Transactional Email       Signed       SOC 2
Daily.co          Telehealth Video          Signed       HIPAA Compliant

Security Certifications

Our platform implements controls aligned with:

  • HIPAA Security Rule (45 CFR Part 164)
  • HIPAA Privacy Rule (45 CFR Part 164)
  • HITECH Act Breach Notification Rule
  • NIST Cybersecurity Framework
  • OWASP Top 10 Application Security

Responsible Disclosure

If you discover a security vulnerability in our platform, please report it responsibly:

  • Email: security@psychiartist.com
  • Do not publicly disclose the vulnerability until we have addressed it
  • Provide sufficient detail to reproduce the issue
  • We commit to acknowledging reports within 48 hours