Security

All data is encrypted in transit using HTTPS/TLS and encrypted at rest using managed encryption keys. Sensitive content is never transmitted over unencrypted connections.

Access follows the principle of least privilege. Our role-based access control system distinguishes between clients, therapists, and administrators, and every API request is authorized before any data is returned. In keeping with HIPAA’s minimum-necessary standard, administrators can manage accounts without access to conversation content.

Sign-in is handled through established identity providers (Google and Microsoft Entra ID). We do not store passwords. Sessions are tracked in our database to provide a complete, auditable record of access.

The platform runs on enterprise cloud infrastructure. Internal services — including the database and AI components — communicate over private network endpoints rather than the public internet, and service-to-service authentication uses managed identities instead of shared secrets.

Our AI processing is configured with data logging disabled and runs within our private environment. Conversation content is not retained by the model provider or used to train third-party models.

We maintain audit trails of access and key events, and we monitor the platform for availability and anomalous behavior so issues can be identified and addressed quickly.

We welcome reports from security researchers. If you believe you have found a vulnerability, please report it to us privately through our contact page and allow us a reasonable opportunity to investigate and remediate before any public disclosure. Please do not access or modify data that is not yours.