Prepay 3 months — $12/seat/mo

See offer
PsycSuit

Security & Compliance

Built for clinics that can't afford a breach.

HIPAA, EU GDPR, and UK GDPR compliant. BAA and DPA signed automatically when your clinic activates. Data isolated per practice, encrypted in transit and at rest, with a full audit trail on every record. Built by a psychologist who understands what's at stake.

HIPAA Compliant

BAA signed at activation

EU GDPR Compliant

DPA signed at activation

UK GDPR Compliant

DPA signed at activation

SOC 2 Type II

Audit in progress

ISO 27001

On roadmap — 2027

HITECH

Breach notification covered

United States

HIPAA & BAA

PsycSuit acts as your Business Associate for all protected health information (PHI) processed through the platform. Your Business Associate Agreement (BAA) is signed automatically when your clinic activates — no paperwork chase.

  • BAA signed at clinic activation — not on request
  • PHI encrypted in transit (TLS 1.2+) and at rest (AES-256)
  • Access limited to authenticated, role-based staff
  • Full audit log on every PHI access and change
  • Breach notification process per HITECH 60-day rule
  • Minimum necessary access enforced across the platform

EU & UK

GDPR & DPA

For clinics in the European Union and United Kingdom, PsycSuit acts as your Data Processor. Your Data Processing Agreement (DPA) is signed automatically at activation, covering all personal data processed on behalf of your practice.

  • DPA signed at clinic activation for EU and UK clinics
  • Data hosted within your chosen region (EU / UK infrastructure)
  • Data subject rights supported: access, rectification, erasure
  • Lawful basis for processing documented per regulation
  • Breach notification within 72 hours per GDPR Article 33
  • Subprocessor list maintained and available on request

Data residency

Your data stays in your region.

Choose where your clinic data is hosted at activation. Data is never transferred between regions without explicit consent and a valid transfer mechanism.

🇺🇸

United States

US-based infrastructure

HIPAA · HITECH

🇪🇺

European Union

EU-based infrastructure

EU GDPR

🇬🇧

United Kingdom

UK-based infrastructure

UK GDPR

🌏

Asia-Pacific

APAC-based infrastructure

Regional privacy law

Technical controls

Security built into every layer.

Encryption everywhere

All data encrypted in transit using TLS 1.2+ and at rest using AES-256. Encryption applies to database records, file storage, and backups.

Data isolation per practice

Every clinic's data is logically isolated. No shared tables across practices. One clinic's data can never be accessed by another.

Role-based access control

Staff permissions scoped to their role — clinician, admin, front desk, or owner. No over-provisioned access. Audit trail on every change.

Full audit trail

Every read, write, and delete on clinical records and billing data is logged with timestamp, user, and action. Immutable for compliance reviews.

Secure client portal

Client authentication is separate from staff authentication. Portal access is scoped to the individual client's own records only.

No PHI in URLs or logs

Patient identifiers are never passed in query strings or written to application logs. Error monitoring receives sanitised, non-PHI payloads.

Certifications

SOC 2 & ISO 27001 roadmap.

We are transparent about where we are in the certification journey.

In Progress

SOC 2 Type II

SOC 2 Type II audits the effectiveness of security controls over a minimum 6-month observation period. We are currently in the evidence-collection phase. The audit covers Security, Availability, and Confidentiality trust service criteria.

Enterprise and group practice customers requiring a SOC 2 report can contact us to be notified when the report is available.

Roadmap — 2027

ISO 27001

ISO 27001 is the international standard for information security management systems (ISMS). It is particularly valued by clinics operating in Asia-Pacific markets and larger enterprise group practices. We plan to pursue ISO 27001 certification following successful SOC 2 Type II completion.

Contact us if ISO 27001 is a procurement requirement for your organisation.

Subprocessors

Who processes your data.

PsycSuit uses a limited set of sub-processors. All are bound by data processing agreements and assessed for security posture before use. Optional add-ons (AI, video, SMS) only involve their respective sub-processors when those features are enabled by your clinic.

Sub-processor categoryPurpose
Cloud infrastructureCompute, storage, databases, and networking
Email deliveryTransactional and lifecycle emails to clinics and clients
AI documentationOptional AI note assist and session transcription (opt-in only)
Video telehealthOptional participant-minute-metered video sessions
SMS deliveryOptional appointment reminders (opt-in only)
Error monitoringApplication error tracking — no PHI transmitted

For a full sub-processor list including vendor names, contact us.

Breach notification

We notify you. Fast.

HIPAA / HITECH

60 days from discovery

We notify affected clinics and assist in notifying affected individuals and the US Department of Health and Human Services (HHS) within required timelines.

EU GDPR

72 hours to supervisory authority

We notify your clinic within 24 hours of confirmed breach so you can fulfil your 72-hour obligation to your national supervisory authority.

UK GDPR

72 hours to ICO

Same commitment as EU GDPR. We notify your clinic within 24 hours to give you time to report to the Information Commissioner's Office.

Security questions

Talk to our team.

Enterprise buyers, compliance officers, and procurement teams — we are happy to answer specific questions, share our security posture documentation, or arrange a call with our team.

Ready to simplify your practice?

Calendar, notes, billing, payroll, and client portal — in one workspace.

No card required to sign up. Your trial begins when you complete clinic activation; fixed platform billing starts when your agreement says so. Usage meters (video, SMS, AI) apply only when those features are used.