Security & Compliance
Built for clinics that can't afford a breach.
HIPAA, EU GDPR, and UK GDPR compliant. BAA and DPA signed automatically when your clinic activates. Data isolated per practice, encrypted in transit and at rest, with a full audit trail on every record. Built by a psychologist who understands what's at stake.
HIPAA Compliant
BAA signed at activation
EU GDPR Compliant
DPA signed at activation
UK GDPR Compliant
DPA signed at activation
SOC 2 Type II
Audit in progress
ISO 27001
On roadmap — 2027
HITECH
Breach notification covered
United States
HIPAA & BAA
PsycSuit acts as your Business Associate for all protected health information (PHI) processed through the platform. Your Business Associate Agreement (BAA) is signed automatically when your clinic activates — no paperwork chase.
- BAA signed at clinic activation — not on request
- PHI encrypted in transit (TLS 1.2+) and at rest (AES-256)
- Access limited to authenticated, role-based staff
- Full audit log on every PHI access and change
- Breach notification process per HITECH 60-day rule
- Minimum necessary access enforced across the platform
EU & UK
GDPR & DPA
For clinics in the European Union and United Kingdom, PsycSuit acts as your Data Processor. Your Data Processing Agreement (DPA) is signed automatically at activation, covering all personal data processed on behalf of your practice.
- DPA signed at clinic activation for EU and UK clinics
- Data hosted within your chosen region (EU / UK infrastructure)
- Data subject rights supported: access, rectification, erasure
- Lawful basis for processing documented per regulation
- Breach notification within 72 hours per GDPR Article 33
- Subprocessor list maintained and available on request
Data residency
Your data stays in your region.
Choose where your clinic data is hosted at activation. Data is never transferred between regions without explicit consent and a valid transfer mechanism.
🇺🇸
United States
US-based infrastructure
HIPAA · HITECH
🇪🇺
European Union
EU-based infrastructure
EU GDPR
🇬🇧
United Kingdom
UK-based infrastructure
UK GDPR
🌏
Asia-Pacific
APAC-based infrastructure
Regional privacy law
Technical controls
Security built into every layer.
Encryption everywhere
All data encrypted in transit using TLS 1.2+ and at rest using AES-256. Encryption applies to database records, file storage, and backups.
Data isolation per practice
Every clinic's data is logically isolated. No shared tables across practices. One clinic's data can never be accessed by another.
Role-based access control
Staff permissions scoped to their role — clinician, admin, front desk, or owner. No over-provisioned access. Audit trail on every change.
Full audit trail
Every read, write, and delete on clinical records and billing data is logged with timestamp, user, and action. Immutable for compliance reviews.
Secure client portal
Client authentication is separate from staff authentication. Portal access is scoped to the individual client's own records only.
No PHI in URLs or logs
Patient identifiers are never passed in query strings or written to application logs. Error monitoring receives sanitised, non-PHI payloads.
Certifications
SOC 2 & ISO 27001 roadmap.
We are transparent about where we are in the certification journey.
SOC 2 Type II
SOC 2 Type II audits the effectiveness of security controls over a minimum 6-month observation period. We are currently in the evidence-collection phase. The audit covers Security, Availability, and Confidentiality trust service criteria.
Enterprise and group practice customers requiring a SOC 2 report can contact us to be notified when the report is available.
ISO 27001
ISO 27001 is the international standard for information security management systems (ISMS). It is particularly valued by clinics operating in Asia-Pacific markets and larger enterprise group practices. We plan to pursue ISO 27001 certification following successful SOC 2 Type II completion.
Contact us if ISO 27001 is a procurement requirement for your organisation.
Subprocessors
Who processes your data.
PsycSuit uses a limited set of sub-processors. All are bound by data processing agreements and assessed for security posture before use. Optional add-ons (AI, video, SMS) only involve their respective sub-processors when those features are enabled by your clinic.
| Sub-processor category | Purpose |
|---|---|
| Cloud infrastructure | Compute, storage, databases, and networking |
| Email delivery | Transactional and lifecycle emails to clinics and clients |
| AI documentation | Optional AI note assist and session transcription (opt-in only) |
| Video telehealth | Optional participant-minute-metered video sessions |
| SMS delivery | Optional appointment reminders (opt-in only) |
| Error monitoring | Application error tracking — no PHI transmitted |
For a full sub-processor list including vendor names, contact us.
Breach notification
We notify you. Fast.
HIPAA / HITECH
60 days from discovery
We notify affected clinics and assist in notifying affected individuals and the US Department of Health and Human Services (HHS) within required timelines.
EU GDPR
72 hours to supervisory authority
We notify your clinic within 24 hours of confirmed breach so you can fulfil your 72-hour obligation to your national supervisory authority.
UK GDPR
72 hours to ICO
Same commitment as EU GDPR. We notify your clinic within 24 hours to give you time to report to the Information Commissioner's Office.
Security questions
Talk to our team.
Enterprise buyers, compliance officers, and procurement teams — we are happy to answer specific questions, share our security posture documentation, or arrange a call with our team.
Ready to simplify your practice?
Calendar, notes, billing, payroll, and client portal — in one workspace.
No card required to sign up. Your trial begins when you complete clinic activation; fixed platform billing starts when your agreement says so. Usage meters (video, SMS, AI) apply only when those features are used.