Security & Compliance

Protecting your practice and client data

We prioritize security to protect your practice and clients, ensuring we align with HIPAA regulations, PHI protection, and data privacy.

Empowering therapists to succeed

  • $1.3B therapist income processed
  • $659M insurance payments processed
  • 14M minutes of therapy

Committed to maintaining excellence in cybersecurity

We proudly maintain a comprehensive set of compliance certifications and attestations to validate our commitment to data protection.

Elevated PHI protection

Our system follows strict HIPAA and HITECH standards for encrypted transmission and storage of PHI.

Third-party vetting

All third-party vendors that store, process, access, or manage PHI are required to enter into a HIPAA Business Associate Agreement.

Encrypted data exchange

Encrypted record sharing, messaging, and reminders ensure safe communication between your practice and your clients.

North American data storage

All data that is shared with TherapyAppointment is stored and processed in North America, including by third-party processors.

Real-time backup

Your data is backed up nightly in multiple locations aligned with HIPAA disaster recovery mandates.

24/7 data monitoring

We use a complex system of monitoring, including regular integrity testing, to keep your data safe 24/7.

Vetted business partners

We fully vet our partners to ensure they meet compliance requirements and are committed to the same level of protection that we provide.

Validated encryption solutions

We leverage industry-validated encryption solutions to protect all data transmitted or stored by our system.

Limited risk of downtime

Our servers and networks leverage redundant designs to maximize availability and limit the risk of application downtime.

Account privacy protection

We offer two-factor authentication and require 12-character or stronger passwords.

Employee access settings

Job-based roles and permissions let you configure and enforce security and compliance settings for your staff.

Free data storage

Free unlimited data storage allows you to safely store digital records for the legally required amount of time.

Comprehensive audit trails

Our software includes self-service audit trails so you can quickly detect unauthorized access or misuse of records.

Frequently Asked Questions

How is my data encrypted?

TherapyAppointment leverages industry-validated encryption solutions to protect all data transmitted or stored by the system. Where possible, we leverage native AWS encryption, which is built upon strong foundations and has been vetted time and again by industry experts. To ensure security and enforcement of our policies, we retain control over the keys that AWS uses for encryption.

All customer content is covered by at least one layer of 256-bit AES encryption. For some particularly sensitive types of data, secondary encryption occurs within the application before data is stored in our database.

TherapyAppointment enforces encryption of network connections between the user and AWS as well as connections between the different components of the system. The primary encryption protocol for network traffic is TLSv1.2, though we also rely on SSH and other industry-standard protocols for administrative purposes. In all cases, we harden the encryption configuration against known weaknesses and vulnerabilities.

How do I enforce security and compliance for my staff?

Practice owners have the ability and responsibility to configure and enforce security and compliance settings for their staff, including:

  • Automatically sign users out after a period of inactivity (up to one hour)
  • Require two-factor authentication
  • Disable accounts automatically after 90 days of inactivity

How often does TherapyAppointment back up and protect my practice data?

TherapyAppointment backs up customer content and other critical data every night to Amazon-managed storage in the same region. Backups are retained for at least 35 days, and for most types of information, our team can perform a point-in-time restore from any moment within the past month.

TherapyAppointment also keeps a secondary copy of customer data in a geographically separate location. This copy is updated in real time to support recovery in the event of a major system failure or natural disaster.

Is there risk of application downtime?

Servers and networks leverage redundant designs to maximize availability. All servers and networks are distributed across at least two AWS availability zones to limit the risk of application downtime. File and database content for our systems is replicated automatically by AWS across three availability zones.

Where is my TherapyAppointment data stored and processed?

Data shared with TherapyAppointment is stored and processed in North America. TherapyAppointment uses U.S.-based data centers within the Amazon Web Services (AWS) cloud. Core staff are located in the U.S. and Canada, and third-party data processors that integrate with the TherapyAppointment portal are also based in the U.S. or Canada.

How does TherapyAppointment protect client data with third-party vendors?

TherapyAppointment’s privacy and security standards also apply to the third-party vendors we work with. We review third-party software and computing vendors to make sure they meet compliance requirements and can help protect customer data.

Any third-party vendor that stores, processes, accesses, or manages PHI on TherapyAppointment’s behalf must sign a HIPAA Business Associate Agreement. This helps extend the same privacy and security expectations used in TherapyAppointment to the vendors that support the platform.

Is my data at risk of getting lost?

Your data is backed up in multiple locations in compliance with HIPAA disaster recovery mandates. Our system also includes comprehensive audit trails so you can quickly detect unauthorized access or misuse of records, along with 24/7 monitoring and regular integrity testing, to ensure your practice data is secure.

Do you use AI?

We have no plans to use your clients’ data for AI training.

Report a security concern

Contact our team to share any security or privacy concern.