Trust & security
A plain-language overview for clinicians and practice owners. PsycSuit provides secure software; your clinic remains responsible for professional and legal obligations in your country.
Practice OS for outpatient mental health practices
PsycSuit is the practice operating system for psychologists and therapy teams — scheduling, clinical notes, billing, secure video, and client portal. It is not for hospital emergency care, crisis hotlines, or use as a medical device.
If you practice in the US, Europe, or Asia-Pacific
PsycSuit serves private outpatient clinics around the world. The rules that apply to you depend on where your patients are and where your data is hosted. Your lawyer or compliance advisor can confirm details for your situation—the summary below is meant to orient clinicians, not replace legal advice.
United States
For HIPAA-covered psychology and psychiatry practices: PsycSuit supports the technical side; your practice stays responsible for policies, training, and patient rights.
- Sign a Business Associate Agreement (BAA) with PsycSuit before storing real patient information in production
- Each staff member has their own login with access limited to their role
- Connections to PsycSuit are encrypted (TLS), the same standard used for secure banking websites
- Optional two-step verification (authenticator app) for staff accounts
Europe (UK & EEA)
Your clinic decides why and how patient data is used (privacy notices, consent, retention). PsycSuit stores and runs the software only on your instructions—we do not make those decisions for you.
- A Data Processing Agreement (DPA) is signed when your practice is activated
- You remain responsible for patient privacy notices, lawful basis for care, and responding to access or deletion requests
- PsycSuit provides a list of trusted service providers (subprocessors) in your agreement
- If patients are in the UK or EU, work with your advisor on cross-border data rules
Asia-Pacific
Privacy rules differ by country. PsycSuit offers the same security foundation everywhere; your practice aligns with local law.
- Australia: follow the Australian Privacy Principles (APPs) for how you collect and share information
- Singapore and other PDPA countries: follow the Personal Data Protection Act (PDPA) for consent and breach reporting where it applies
- Your data is stored in a secure database (PostgreSQL), with encrypted connections (TLS) and passwords stored only as one-way bcrypt hashes
- Where data is stored and which vendors are used are spelled out in your service agreement
- Professional licensing, consent forms, and local breach rules stay with your clinic
Agreements with PsycSuit
Before you store real patient information in production, your practice signs the right agreement for your region. PsycSuit is not a government certifier—we provide tools; you maintain your compliance program.
United States: Business Associate Agreement (BAA) for HIPAA-covered information. United Kingdom & European Economic Area: Data Processing Agreement (DPA). Both are provided when your practice is activated.
Your clinic's data stays separate
Other practices on PsycSuit cannot see your patients, notes, or billing.
- Each practice has its own secure space in the system.
- The software blocks access across practices by design.
- Staff sign in with a practice code so logins belong to your clinic only.
Who can see what
Access follows job role—the front desk does not open full therapy notes unless you allow it.
- Administrators, clinicians, and reception staff each have different permissions.
- Sensitive areas (e.g. psychotherapy note content) are restricted by role.
- New practices are enrolled with two-step verification required for staff accounts. Administrators can adjust this under Settings → Practice.
- Accounts lock after too many failed sign-in attempts.
Activity records
Important actions are logged so you can review who accessed or changed information.
- An append-only audit trail records sensitive access and changes.
- Staff and client portal sign-ins, forms, and messaging leave a record.
- Older activity log entries can be removed on a schedule you configure.
- If PsycSuit support signs in to help you (break-glass), it is time-limited, logged, and shown clearly on screen.
Passwords & encryption
Standard protections used by serious health software—described here for IT reviewers and curious clinicians.
- TLS — all traffic between browsers and PsycSuit is encrypted in production (the padlock you see in your browser).
- bcrypt — passwords are stored in a one-way scrambled form; we never store readable passwords.
- Data is held in PostgreSQL on Microsoft Azure (region defined in your service agreement). Provider-managed encryption protects data at rest.
Session timeouts
How long users stay signed in and what ends a session early.
- Staff sessions end after 15 minutes of inactivity or a 12-hour maximum, whichever comes first.
- Only one active staff login per user — signing in elsewhere ends the previous session.
- Client portal sessions expire after four hours.
- Login endpoints are rate-limited to reduce brute-force attempts.
Hosting, backups & availability
Where your data lives and how it is protected against loss.
- Application and PostgreSQL databases run on Microsoft Azure (region defined in your service agreement).
- Traffic between browsers and PsycSuit uses TLS in production.
- Database connections use encrypted transport; data at rest is protected by your cloud provider’s storage encryption (Azure PostgreSQL).
- Each clinic’s data is scoped in application code; production deployments should also enable PostgreSQL row-level security (RLS) as a second, database-enforced layer.
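As an added example (not PsycSuit's own code or schema), the PostgreSQL snippet below shows what the per-practice separation described under "Your clinic's data stays separate" and the RLS second layer mentioned here look like in practice. The table names, the role `psycsuit_app` and the session setting `app.current_practice_id` are assumptions.

```sql
-- Added example (not PsycSuit's own schema): table names, the role
-- psycsuit_app and the setting app.current_practice_id are assumptions.
CREATE TABLE practice (
    id   bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    name text   NOT NULL
);

CREATE TABLE clinical_note (
    id          bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    practice_id bigint NOT NULL REFERENCES practice (id),
    body        text   NOT NULL
);

-- The web tier connects as a dedicated role that does not own the tables
-- (superusers and BYPASSRLS roles skip RLS, so never run the app as those).
CREATE ROLE psycsuit_app NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON clinical_note TO psycsuit_app;

ALTER TABLE clinical_note ENABLE ROW LEVEL SECURITY;
ALTER TABLE clinical_note FORCE ROW LEVEL SECURITY;  -- also bind the table owner

-- Rows are visible and writable only for the practice id the application
-- sets for the current request. current_setting(..., true) yields NULL when
-- nothing was set, so a request that forgot to set it sees NO rows rather
-- than every clinic's rows (fail closed).
CREATE POLICY practice_isolation ON clinical_note
    FOR ALL TO psycsuit_app
    USING      (practice_id = current_setting('app.current_practice_id', true)::bigint)
    WITH CHECK (practice_id = current_setting('app.current_practice_id', true)::bigint);
-- Seed two clinics to show the boundary.
INSERT INTO practice (name) VALUES ('Clinic A'), ('Clinic B');
INSERT INTO clinical_note (practice_id, body)
VALUES (1, 'note for clinic A'), (2, 'note for clinic B');

-- Per-request pattern in the application layer: set the id from the
-- authenticated staff session, scoped to the transaction with SET LOCAL.
SET ROLE psycsuit_app;
BEGIN;
SET LOCAL app.current_practice_id = '1';
SELECT id, body FROM clinical_note;   -- returns only clinic A's note
COMMIT;
-- A cross-practice write is rejected even if application code has a bug
-- and forgets to filter by practice (WITH CHECK fails):
BEGIN;
SET LOCAL app.current_practice_id = '1';
INSERT INTO clinical_note (practice_id, body) VALUES (2, 'leaked note');
-- ERROR:  new row violates row-level security policy for table "clinical_note"
ROLLBACK;
RESET ROLE;
```

The application still filters by practice in its own queries; the policy exists so that a missed filter returns nothing or fails loudly instead of exposing another clinic's rows.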
Backups
- Database backups are managed by the hosting provider (Azure PostgreSQL automated backup policies).
- Restore procedures are tested as part of deployment operations — contact us for your deployment’s recovery objectives.
- Your practice should export records you must retain before closing an account.
Log retention
How long activity records are kept in the system.
- Staff and portal activity logs are retained for a configurable period (default: one year) and can be purged on schedule.
- Immutable audit trail rows are append-only for accountability investigations.
- Clinical records follow your clinic’s policies; soft-deleted chart items remain recoverable for a limited window before permanent removal.
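To make the append-only audit trail described above concrete, here is an added PostgreSQL example (not PsycSuit's code; the table, column and role names are assumed) that combines privilege grants with triggers so audit rows can be added but never altered or deleted. Purgeable activity logs would live in a separate table with its own retention job.

```sql
-- Added example (not PsycSuit's own schema): audit_event and psycsuit_app
-- are assumed names illustrating the "append-only" property.
CREATE TABLE audit_event (
    id          bigint      GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    occurred_at timestamptz NOT NULL DEFAULT now(),
    practice_id bigint      NOT NULL,
    actor_id    bigint,                 -- staff user who acted (NULL for system)
    action      text        NOT NULL,   -- e.g. 'note.viewed', 'note.updated'
    target      text,                   -- e.g. 'clinical_note:17'
    detail      jsonb
);

-- Layer 1: privileges. The application role may append and read, nothing else
-- (no UPDATE, DELETE or TRUNCATE is granted).
CREATE ROLE psycsuit_app NOLOGIN;
GRANT SELECT, INSERT ON audit_event TO psycsuit_app;

-- Layer 2: triggers. Reject UPDATE/DELETE/TRUNCATE regardless of who holds
-- table privileges, so a maintenance role or an application bug cannot rewrite
-- history either. (The table owner can disable triggers, so the owner must be
-- a migration role, never the application role.)
CREATE FUNCTION audit_event_immutable() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'audit_event is append-only: % not permitted', TG_OP;
END;
$$;

CREATE TRIGGER audit_event_no_rewrite
    BEFORE UPDATE OR DELETE ON audit_event
    FOR EACH ROW EXECUTE FUNCTION audit_event_immutable();

CREATE TRIGGER audit_event_no_truncate
    BEFORE TRUNCATE ON audit_event
    FOR EACH STATEMENT EXECUTE FUNCTION audit_event_immutable();

-- Appending works; rewriting does not.
INSERT INTO audit_event (practice_id, actor_id, action, target)
VALUES (1, 42, 'note.viewed', 'clinical_note:17');

UPDATE audit_event SET action = 'note.created' WHERE id = 1;
-- ERROR:  audit_event is append-only: UPDATE not permitted
DELETE FROM audit_event WHERE id = 1;
-- ERROR:  audit_event is append-only: DELETE not permitted
```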
Security incidents & breach notification
How to report a concern and what happens if PsycSuit discovers a breach.
- PsycSuit will notify affected customers without unreasonable delay when we confirm a breach of unsecured PHI in systems we control, consistent with our Business Associate Agreement and applicable law.
- Report suspected security issues to our security contact (see Contact below). Include your practice name and a description of what you observed.
- Your clinic remains responsible for workforce training, device security, and notifying patients when your practice experiences a reportable breach.
- Security reports: security@psycsuit.com
Client portal & video visits
For scheduled outpatient care—not for emergencies. Patients in crisis should call your clinic or local emergency services.
- Clients can book and message through the portal; bot protection may be enabled on booking.
- Video visits use private rooms with links that expire—usage is billed separately from your main plan.
- Recording is off by default. PsycSuit does not turn on session recording for you. Optional session transcription (Wave 2+) requires client portal consent before any audio is transcribed during telehealth; raw audio is discarded after transcription.
- Before going live with video, confirm where video data is hosted and that agreements cover telehealth.
Insurance billing & ERA
Built-in claim workflows for US and EU practices — not outsourced revenue-cycle management.
- PsycSuit includes patient insurance policies, professional claims (837P where enabled), and electronic remittance (ERA) posting tools.
- Clearinghouse connectivity (e.g. Stedi) is configured per deployment. Your practice enrolls with payers and remains responsible for claim accuracy, timely filing, and appeals.
- PsycSuit does not guarantee payment, adjudication outcomes, or payer enrollment. We provide software — not a billing agency or credentialing service.
- Insurance claim and ERA features are region-gated. Practices outside supported regions use cash/self-pay billing and superbills as appropriate.
ePrescribing (optional)
Medication workflows in the chart; live e-prescribing requires a separate certified partner.
- PsycSuit tracks medications, allergies, and med-management notes in the patient chart. Electronic prescribing to pharmacies is optional and off until your practice enables it.
- US practices typically connect through an e-prescribing partner (e.g. DoseSpot) with per-prescriber vendor fees billed separately from your PsycSuit seat fee.
- Prescribers need valid credentials (NPI, state license, DEA where applicable) and must complete partner identity proofing for controlled substances (EPCS) where required.
- Outside the US, PsycSuit may offer printable or exportable prescriptions; live pharmacy routing depends on local regulations and available partners.
Optional writing help (AI)
Only if your practice turns it on—never required for care.
Staff may use Microsoft Azure OpenAI to polish messages or similar tasks. Your practice opts in after the right agreements are in place. We log that a request happened, not the full text of your clinical notes.
Optional session transcription
Consent-gated audio help for Session Capture — not a hidden recorder.
- Your practice and platform operator must both enable Azure AI Speech; clients grant consent in the portal before any session audio is transcribed.
- Raw session audio is discarded after transcription by default — only the text your clinician reviews enters the chart workflow.
- Clients can decline or revoke consent at any time; transcription stops immediately.
- Transcripts are scratchpad material until your clinician converts and signs a structured note.
- Optional assistive prosody cues (speech pace, pause spacing) are timing estimates only — never clinical facts — and require clinician attestation before entering the scratchpad.
Services we may use
Depending on how your practice is deployed, PsycSuit may rely on the providers below. Your service agreement lists the subprocessors that apply to you.
| Provider | Purpose | What they may handle |
|---|---|---|
| Microsoft Azure | Application hosting, PostgreSQL database, backups, and optional Azure OpenAI | All clinic and patient data stored in your deployed region. Microsoft offers a BAA for covered services when configured for HIPAA workloads. |
| Brevo | Transactional email (activation, portal verification, notifications) | Email addresses, message content you send via the platform |
| LiveKit | Secure video visits between clinician and patient | Video session connection details; video/audio per your setup. Your practice confirms agreements cover telehealth if required. |
| Microsoft Azure OpenAI | Optional help drafting or polishing text (when your practice enables it) | Text you submit for that task only—processed to return writing suggestions. Opt-in only; requires BAA on file and practice administrator enablement. |
| Microsoft Azure AI Speech | Optional session audio transcription for Session Capture (when enabled) | Session audio sent for transcription; raw audio discarded by default after text is returned. Requires client portal consent before use. Clinician reviews transcript before signing notes. |
| Cloudflare Turnstile | Bot protection on client portal booking (when configured) | Technical signals, IP (abuse prevention) |
| DoseSpot / DrFirst (eRx partner) | Optional US e-prescribing when platform and clinic enable eRx add-on | Prescriber credentials, patient demographics, allergies, medication orders (via partner UI). Enabled per clinic; requires prescriber identity proofing (EPCS) through the vendor. |
Your practice's role
Software supports your program—it does not replace policies, training, or professional judgment.
- Give each team member their own login—never share passwords.
- Keep two-step verification required for clinicians and administrators in production.
- Train staff on minimum necessary access and securing devices.
- Export records you must keep before closing an account.
Contact
Security, privacy, or general inquiries:
See also Privacy Policy, Terms of Service, and Business Associate Agreement.