Security & Trust

Security isn't a feature. It's the foundation.

TherapyTracked is a HIPAA Business Associate, and it was designed and built by an information-security architect — the exact discipline the HIPAA Security Rule is made of. The safeguards aren't bolted on; they're the starting point.

We sign a Business Associate Agreement before you store a single record.
At a glance

Where we stand.

HIPAA posture

Business Associate. A BAA is signed with every practice before any PHI is loaded.

Hosting

Amazon Web Services, United States — HIPAA-eligible services under a signed AWS BAA.

Encryption

TLS + HSTS in transit; AWS KMS-managed encryption at rest for the database, documents, and secrets.

Tenant isolation

Role-based access plus database-enforced row-level security between every practice.

Authentication

MFA required for every staff account — authenticator app or passkey — before any PHI.

Audit trail

Append-only log of PHI access, changes, logins, and authentication events.

Technical safeguards

Four controls we won't compromise on.

  • Encrypted in transit and at rest. Your data is protected while it travels and while it is stored, on HIPAA-eligible cloud infrastructure.
  • Multi-factor sign-in for everyone. Every login needs a second step — a passkey or authenticator app. No exceptions, no opt-out.
  • Your data stays yours alone. Each practice's records are walled off from every other practice's — enforced deep in the database, not just the app.
  • A tamper-evident trail. Every time protected data is opened, it is recorded to a log the application cannot edit or erase.
Compliance program

A written program, not a checkbox.

As a Business Associate we maintain administrative, physical, and technical safeguards aligned to the HIPAA Security Rule, documented in writing.

Security Risk Assessment

A NIST 800-30 / HHS-SRA-style risk analysis with a tracked risk register and remediation plan.

Incident response & breach notification

Detection, triage, containment, and a Business-Associate breach-notification procedure to the covered entity.

Designated Security Official

Accountability for the program is fixed in a single named role, in writing.

Subprocessor register

A written inventory of every third party that may handle PHI — each under a BAA or a documented no-PHI determination.

Subprocessors

Who else touches the data.

Any subprocessor that can handle PHI does so only under a signed BAA, and we notify practices before adding one. The list is public and versioned.

View subprocessors

On request

What we'll send your compliance team.

  • Our Business Associate Agreement, before any PHI is loaded
  • This security overview and the subprocessor list
  • A live walkthrough of our safeguards and compliance program

Security questions or disclosures: security@therapytracked.com

Reviewing us? Let's talk.

We'll walk your compliance team through every safeguard and share our full security documentation. It starts with a signed BAA.