Compliance
How PsycSuit Protects Your Client Data
A transparent account of how PsycSuit handles clinic data — data isolation, encryption, BAA and DPA at activation, role-based access, audit trails, hosting regions, AI data handling, and the SOC 2 and ISO 27001 roadmap.
Updated June 27, 2026 · 7 min read
Mental health records are among the most sensitive data a clinic can hold. A session note describes a client's inner life. A diagnosis carries stigma. An invoice reveals that someone sought care. Protecting this data is not a feature — it is a foundational obligation.
This page explains exactly how PsycSuit handles your clinic's data: where it lives, who can access it, how it is encrypted, what happens if something goes wrong, and what we are working toward on our compliance roadmap.
Your data belongs to your practice. Always.
PsycSuit processes your clinic's data on your behalf. We act as your Business Associate (US / HIPAA) or Data Processor (EU & UK / GDPR). We do not sell your data, share it with third parties for advertising, or use it to train AI models. Your client records, notes, invoices, and communications are yours — and you can export or delete them.
Data isolation — one practice, one silo
Every clinic that activates on PsycSuit gets a logically isolated data environment. There are no shared tables between practices. A query from Clinic A cannot return data belonging to Clinic B — even accidentally. This is enforced at the database query level, not just at the application layer.
This matters for multi-site group practices too: sub-locations within your practice share your data environment, but other practices on PsycSuit cannot see or access your records under any circumstances.
Encryption — in transit and at rest
- In transit: All data between your browser (or the client portal) and PsycSuit servers is encrypted using TLS 1.2 or higher. This applies to clinical notes, portal messages, intake forms, and video session signalling.
- At rest: Databases and file storage are encrypted using AES-256. Backups are encrypted with the same standard.
- No PHI in URLs: Patient identifiers and session data are never passed in URL query strings or written to application logs.
BAA and DPA — signed at activation, not on request
When your clinic activates on PsycSuit, you automatically receive:
- A Business Associate Agreement (BAA) — if you are a US clinic subject to HIPAA. This covers all PHI processed through the platform including notes, billing records, portal data, and telehealth.
- A Data Processing Agreement (DPA) — if you are an EU or UK clinic subject to GDPR. This covers all personal data processed on your behalf, with data hosted in your chosen region.
You do not need to request these separately or wait for a compliance team. They are part of your activation, not an add-on.
Access controls — role-based from day one
Not everyone in your practice needs to see everything. PsycSuit enforces role-based access control (RBAC) across the platform:
- Clinicians see their own clients' records and notes
- Admins manage scheduling, billing, and staff — with configurable access to clinical records
- Front desk can manage scheduling and intake without accessing clinical documentation
- Practice owners have full access across the practice
Unlimited admin and front desk seats are included at no extra cost — so there is no incentive to share clinician credentials to avoid paying for more seats.
Audit trail — every access logged
PsycSuit maintains an immutable audit log of every read, write, and delete action on clinical records and billing data. Each log entry captures:
- The user who performed the action
- The timestamp (UTC)
- The record type and identifier affected
- The action taken (view, create, edit, sign, delete)
Audit logs cannot be edited or deleted by clinic administrators. They are available to your practice owner for compliance review and incident investigation.
Data hosting regions
You choose your hosting region at activation:
- United States — for US HIPAA-covered clinics
- European Union — for EU GDPR clinics. Data stays within the EEA.
- United Kingdom — for UK GDPR clinics. Data stays within the UK.
- Asia-Pacific — for APAC clinics.
Data is not transferred between regions without your explicit consent and a valid legal mechanism. EU and UK clients' data never touches US infrastructure by default.
The client portal — safer than email
The PsycSuit client portal keeps client communications inside an authenticated, encrypted, audited system. Clients log in with their own credentials — they do not receive session notes or invoices via plain email. This protects against:
- Emails forwarded to unintended recipients
- PHI exposed in someone else's inbox
- Attachments opened on shared or unmanaged devices
- No audit trail of who received and read what
Intake forms, consent documents, and appointment confirmations all flow through the portal — creating a documented, time-stamped record of what was sent and accepted.
AI documentation — opt-in, with clear data handling
PsycSuit's AI note assist and session transcription are optional add-ons. They are not enabled by default. When you or your clinicians use AI features:
- Client consent for recording/transcription is your clinical and legal responsibility — PsycSuit does not obtain this consent on your behalf
- Audio processed for transcription is not retained after the transcript is generated
- AI-generated note drafts are reviewed and signed by the clinician — they do not enter the record automatically
- AI sub-processors are named in our sub-processor list and bound by data processing agreements
Breach notification — what we commit to
In the event of a confirmed data breach affecting your clinic:
- US / HIPAA: We notify your practice within 24 hours of confirmation, giving you time to meet your 60-day HHS reporting obligation
- EU GDPR: We notify your practice within 24 hours, giving you time to report to your national supervisory authority within 72 hours
- UK GDPR: Same — we notify within 24 hours ahead of your 72-hour ICO obligation
What we are working toward
- SOC 2 Type II — currently in the evidence-collection phase. SOC 2 Type II audits the operational effectiveness of our security controls over a 6-month observation window. Enterprise customers can contact us to be notified when the report is available.
- ISO 27001 — on our roadmap following SOC 2 Type II. Particularly relevant for Asia-Pacific enterprise customers.
We are transparent about where we are in this journey. Claiming certifications we have not yet completed would be a disservice to the clinics trusting us with their clients' data.
Questions about our security posture?
Enterprise practices, group practice networks, and procurement teams can contact our team to receive our security posture documentation, sub-processor list, and answers to specific compliance questions. We are happy to arrange a call.
FAQ
- Is PsycSuit HIPAA compliant?
- Yes — PsycSuit signs a Business Associate Agreement at clinic activation, encrypts all PHI in transit and at rest, and maintains a full audit trail.
- Is PsycSuit GDPR compliant?
- Yes — EU and UK clinics receive a Data Processing Agreement at activation. Data is hosted within your chosen region and never transferred cross-border by default.
- Is PsycSuit SOC 2 certified?
- SOC 2 Type II is currently in progress. Enterprise customers can contact us to be notified when the report is available.
Try PsycSuit in your practice
Scheduling, clinical notes, PHQ-9 & GAD-7, billing, client portal, and telehealth in one Practice OS. 1-month free trial starts when you activate your clinic — no card required to sign up.