Skip to content
TherapyTracked
  • Features
  • Pricing
  • Security
  • About
Log in Request access
← Security & Trust
Legal & trust

Security Overview

Last updated 2026-07-01

TherapyTracked, LLC (Oklahoma) is a HIPAA Business Associate: your practice is the covered entity, and we store and process your patients' protected health information (PHI) on your behalf under a signed Business Associate Agreement (BAA). Security is designed in, not bolted on. This overview states our posture honestly — including what is on our roadmap and not yet done.

Provided to prospective practices during evaluation, for a compliance officer's diligence. The underlying compliance program is founder-authored and pending independent vCISO / HIPAA-assessor validation. We are glad to walk through any item in detail — security@therapytracked.com.

At a glance

AreaWhere we stand
HIPAA postureBusiness Associate; a BAA is signed with every practice before any PHI is loaded.
HostingAmazon Web Services, United States — HIPAA-eligible services under a signed AWS BAA.
AuthenticationMFA required for every staff account (authenticator app or passkey) before any PHI.
Tenant isolationPer-practice, role-based access plus database-enforced row-level security.
EncryptionTLS + HSTS in transit; AWS KMS-managed encryption at rest (database, documents, secrets).
AuditAppend-only audit trail of PHI access, changes, logins, and authentication events.
Compliance programDocumented risk analysis, incident-response & breach-notification plan, designated Security Official, subprocessor register.
Independent attestationNot yet — SOC 2 and a tenant-isolation penetration test are on the roadmap. We do not claim "certified."

Safeguards

Authentication & access

Multi-factor authentication (authenticator apps or passkeys) is required for every staff account before any PHI can be reached. Repeated failed logins are locked out, sessions time out on inactivity and at browser close, and passwords must meet a strong length policy. Optional SSO (SAML / OIDC) is available for practice staff; administrative accounts use local credentials plus MFA and cannot use SSO.

Per-practice isolation

Every record is scoped to the practice that owns it, and role-based access controls limit what each team member can see and do. Isolation is enforced at the application layer and backed by database-enforced row-level security — a defense-in-depth backstop so a single application-layer mistake cannot cross practice boundaries. Row-level security is implemented and validated in our pre-production environment; an independent tenant-isolation penetration test is planned (see the roadmap below).

Encryption

All traffic is encrypted in transit with TLS (HSTS enforced). Data at rest — the database, uploaded documents, and application secrets — is encrypted with AWS KMS customer-managed keys with rotation. Uploaded documents are held in private, encrypted object storage, served only through authenticated, audited downloads (never a public URL) and never under a filename that contains patient information.

Audit logging

Access to PHI — reads, changes, logins, and authentication events — is recorded to an append-only audit trail that cannot be altered or deleted through the application, supporting HIPAA's information-system-activity-review requirement.

Secure infrastructure

TherapyTracked runs on AWS in the United States, using only HIPAA-eligible services under a signed AWS BAA. The application runs in a private network; the database is not publicly reachable; credentials are held in a managed secrets vault (never in code or configuration); and a strict Content Security Policy hardens the app against cross-site scripting.

Privacy by default

Test and demonstration environments contain only synthetic data — never real PHI. Error monitoring, where used, is configured to scrub patient information before it leaves the application. We do not use your patients' data to train models.

Compliance program

As a Business Associate we maintain administrative, physical, and technical safeguards aligned to the HIPAA Security Rule, documented in a written program:

  • Security Risk Assessment — a NIST 800-30 / HHS-SRA-style risk analysis with a tracked risk register and remediation plan (§ 164.308(a)(1)).
  • Incident Response & Breach Notification plan — detection, triage, containment, and a Business-Associate breach-notification procedure to the covered entity per § 164.410.
  • Designated Security Official — accountability for the program is fixed in a single named role in writing (§ 164.308(a)(2)).
  • Subprocessor register — a written inventory of every third party that may handle PHI, each under a BAA or a documented no-PHI determination, with a change-notification commitment (§ 164.308(b)).

The program is founder-authored and being validated by an independent vCISO / HIPAA assessor.

Subprocessors

Any subprocessor that can handle PHI does so only under a signed BAA (or a documented no-PHI determination), and we notify practices before adding a PHI subprocessor. See the full, versioned list on our Subprocessors page.

Where we stand — honestly

TherapyTracked is an early-stage company, and we would rather be candid than overstate:

  • Independent attestation is not yet in hand. We are pursuing a SOC 2 Type II examination and a tenant-isolation penetration test, and will say "certified" only once we are — not before.
  • We are pre-launch; early customers are design partners. Our production environment is being stood up, and a practice onboarding now works closely with us.
  • A few program items are in progress, and we will share status on request — completing independent validation of the risk assessment, a tested backup-restore drill, production email deliverability, and naming a backup Security Official for continuity.

We believe this candor is itself a security signal. We are happy to review the full risk register and roadmap with your team.

What we provide on request

  • Our Business Associate Agreement (BAA) for your review and signature before any PHI is loaded.
  • This security overview and our subprocessor list.
  • A walkthrough of our safeguards and current roadmap with your compliance team.

Security questions or disclosures: security@therapytracked.com.


Not legal advice. This overview describes our current posture and good-faith roadmap; it is not a warranty or a regulatory representation, and the executed BAA governs the parties' obligations.

TherapyTracked

TherapyTracked, LLC. HIPAA-compliant compliance tracking for therapy practices — behavioral, physical, occupational, and speech. This site never stores patient data.

Product

  • Features
  • Pricing
  • Security & Trust
  • Request access

Company

  • About
  • Contact
  • Log in

Legal & trust

  • Security Overview
  • Subprocessors
  • Privacy Policy
  • Terms of Service
© 2026 TherapyTracked, LLC. All rights reserved.