PsyFi
PsyFi Technologies

Trust center

Security & HIPAA at PsyFi

PsyFi is built for protected health information by default: HIPAA-aligned, BAA available on every paid plan, PHI de-identified before any AI processing, encrypted everywhere, US-only data residency — and your data is never used to train AI models.

At a glance

HIPAA-aligned, BAA available

Engineered to HIPAA Security & Privacy Rule standards, with a signed Business Associate Agreement for every paid customer.

PHI de-identification

Identifiers are stripped before anything reaches an AI model — and never logged in plain text.

Never training data

Your sessions, notes, and chats are never used to train AI models — ours or anyone else's.

AES-256 at rest

All stored audio, transcripts, notes, and chat content encrypted at rest.

TLS 1.2+ in transit

Modern TLS on every connection, with HSTS enforced at the edge.

US data residency

Data is stored and processed in AWS US regions only.

Our HIPAA posture

HIPAA does not certify software vendors — there is no government-issued HIPAA certification. When we say PsyFi is "HIPAA-aligned, BAA available," we mean the products are built and operated to meet the requirements HIPAA places on a business associate: the administrative, physical, and technical safeguards of the Security Rule, the Privacy Rule limits on use and disclosure, and the Breach Notification Rule — made enforceable to you through a signed Business Associate Agreement.

HIPAA also places obligations on you as a covered entity that no vendor can perform on your behalf — obtaining client consent to record, workforce supervision, and safeguards on your own devices and accounts. PsyFi is designed to support them: recording is always under your control, drafts are yours to review before anything enters a chart, and your EHR remains the chart of record.

A BAA on every paid tier

A signed BAA is included with every paid PsyFi plan — not an enterprise upsell. It covers all PsyFi products under one parent company (PsyFi Technologies, Inc.), tracks the structure required by 45 CFR § 164.504(e), and is free to execute.

  • Permitted uses — PHI is used only to provide the service. We do not sell it, market with it, or train models on it.
  • Subcontractor flow-down — every sub-processor that may touch PHI is bound by a BAA with us on terms at least as protective.
  • Breach notification — written notice without unreasonable delay, with the detail you need to meet your own obligations.
  • Termination — on termination we return or destroy PHI to the extent feasible, and the protections survive for anything we cannot.

To request a BAA, email hello@psyfitechnologies.com with your practice's legal name, state, and authorized signer. We send our standard BAA via electronic signature; redlines and practice-specific addenda are welcome.

PHI de-identification before AI

We use the eighteen HIPAA Safe Harbor identifier categories as our working definition of PHI — names, dates, contact details, medical record numbers, and the rest. Before a transcript or chat message reaches the language model that drafts your note, identifiers in those categories are replaced with structural tokens (for example, [CLIENT_NAME]), so the model produces a clinically coherent draft without ever seeing identifying details.

  • De-identification happens before any AI model call — not after.
  • Application logs are scrubbed of PHI; we treat any PHI reaching a log file as a security incident and remediate.
  • Transcripts and drafted notes are not linked to a patient identifier in our system — reconnecting a draft to a patient happens inside your EHR.
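A sketch of a de-identification pass of the kind described above, added here as an illustration and not PsyFi's code. It assumes a per-account client roster is available for name matching; the rule set, the sample transcript, and every token name other than [CLIENT_NAME] are hypothetical.

```python
import re

MONTH = r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]*\.?"
# Ordered rules for a few Safe Harbor categories. Token names other than
# [CLIENT_NAME] are hypothetical; the patterns are illustrative, not exhaustive.
RULES = [
    ("[EMAIL]", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("[MRN]", re.compile(r"\bMRN[:#\s]*\d{5,10}\b", re.I)),
    ("[SSN]", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("[PHONE]", re.compile(r"(?<!\d)\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")),
    ("[DATE]", re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|" + MONTH + r"\s+\d{1,2}(?:,\s*\d{4})?)\b")),
]
# Catch-all: a long digit run that no rule recognised may still be an identifier.
RESIDUAL = re.compile(r"\d{7,}")

# Constructed sample transcript; every value in it is made up.
SAMPLE = (
    "Maria Alvarez (MRN 00482917) said her sister emailed m.alvarez@example.com "
    "on 3/14/2024. Maria can be reached at (415) 555-0134."
)


class ResidualIdentifier(Exception):
    """Raised instead of returning text that may still carry an identifier."""


def deidentify(text, roster):
    """Return (redacted_text, counts); counts holds token tallies only, so it is safe to log."""
    counts = {}
    # Pattern rules run first, so a surname inside an e-mail address is removed
    # together with the address instead of splitting it and leaking the domain.
    for token, pat in RULES:
        text, n = pat.subn(token, text)
        if n:
            counts[token] = n
    # Roster names and their parts, longest first so full names win over first names.
    names = {part for full in roster for part in [full, *full.split()] if len(part) >= 3}
    for name in sorted(names, key=len, reverse=True):
        text, n = re.subn(rf"\b{re.escape(name)}\b", "[CLIENT_NAME]", text, flags=re.I)
        if n:
            counts["[CLIENT_NAME]"] = counts.get("[CLIENT_NAME]", 0) + n
    # Fail closed: do not hand the caller text that the rules could not fully classify.
    if RESIDUAL.search(text):
        raise ResidualIdentifier("unrecognised digit run; refusing to build a prompt")
    return text, counts
```

Only the returned text would be passed to a model call; the counts give an operator something to log without recording any identifier value.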

How session audio is handled

Audio is captured in the browser extension or the iOS app, tied to your account only, and sent over TLS 1.2+ to our backend in AWS US regions. Transcription runs on our own self-hosted infrastructure — no third-party transcription service ever sees your audio. Raw session audio is encrypted at rest from the moment it is written, and recordings remain under your account's control.

  • Self-hosted transcription and speaker diarization — no third-party audio APIs.
  • Audio encrypted in transit (TLS 1.2+) and at rest (AES-256).
  • Recording starts and stops only when you say so, and sessions should only be recorded with informed client consent.

Encryption in transit and at rest

Everything is encrypted in transit with TLS 1.2 or higher and at rest with AES-256. For the most sensitive content we encrypt at two layers, so compromise of either layer alone does not expose plaintext:

Application layer

Session transcripts and drafted notes are encrypted with an application-managed key before they are written to the database. If the key is missing or invalid, the application fails closed rather than serving traffic.

Infrastructure layer

Databases, object storage, backups, and snapshots are encrypted with AES-256 using managed keys in AWS KMS. Keys are scoped per environment, rotated on a schedule, and never logged.

Never training data

Your sessions, transcripts, notes, chats, and uploads are never used to train AI models — not by us, and not by any model provider we use. This commitment is written into our BAA, not just this page.

US data residency & infrastructure

PsyFi runs on Amazon Web Services in US regions. All primary storage — databases, object storage, queues, caches, and backups — lives in AWS US regions only. We do not replicate to non-US regions, and we do not use commercial CDN edge caches for any PHI-bearing endpoint.

  • Production runs in a private VPC; public surface area is limited to the TLS-terminating load balancer.
  • Production access is least-privilege and audited; workforce access requires SSO with multi-factor authentication.
  • Account-level actions — sign-in, recording, note generation, exports — emit structured audit events with PHI excluded by schema.
  • Databases are point-in-time recoverable, with restores tested periodically.
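One way to exclude PHI from audit events by schema, added here as an illustration and not PsyFi's code. The field names, action values, and sample event are hypothetical: every field is an opaque ID, an enum, a timestamp, or a bounded integer, so there is no free-text field that could carry a name or a note excerpt.

```python
import re
from datetime import datetime

UUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}")
ACTIONS = {"sign_in", "recording_start", "recording_stop", "note_generate", "export"}
OUTCOMES = {"success", "denied", "error"}


def _is_uuid(v):
    return isinstance(v, str) and UUID_RE.fullmatch(v) is not None


def _is_utc_timestamp(v):
    if not isinstance(v, str) or not v.endswith("+00:00"):
        return False
    try:
        datetime.fromisoformat(v)
        return True
    except ValueError:
        return False


# Hypothetical allow-list schema: field name -> validator. Nothing accepts free text.
SCHEMA = {
    "event_id": _is_uuid,
    "actor_id": _is_uuid,
    "action": lambda v: isinstance(v, str) and v in ACTIONS,
    "outcome": lambda v: isinstance(v, str) and v in OUTCOMES,
    "occurred_at": _is_utc_timestamp,
    "duration_s": lambda v: type(v) is int and 0 <= v <= 86400,
}
REQUIRED = {"event_id", "actor_id", "action", "outcome", "occurred_at"}

# Constructed sample event.
VALID = {
    "event_id": "3f2b8c1e-9a4d-4e6f-8b7a-1c2d3e4f5a6b",
    "actor_id": "0a1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d",
    "action": "note_generate",
    "outcome": "success",
    "occurred_at": "2024-05-01T14:03:22+00:00",
}


def build_audit_event(**fields):
    """Return the event only if every field is known and valid; errors name fields, never values."""
    unknown = sorted(set(fields) - set(SCHEMA))
    missing = sorted(REQUIRED - set(fields))
    bad = sorted(k for k, v in fields.items() if k in SCHEMA and not SCHEMA[k](v))
    if unknown or missing or bad:
        raise ValueError(f"rejected audit event: unknown={unknown} missing={missing} invalid={bad}")
    return dict(fields)
```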

On the roadmap

A SOC 2 Type II audit is planned. If your procurement review needs a current attestation of operating state, a sub-processor list, or security-questionnaire responses, ask through hello@psyfitechnologies.com and we will share the version we maintain for that purpose.

Reporting a security concern

If you believe you have found a security vulnerability, email hello@psyfitechnologies.com. We will not pursue researchers who report in good faith, we acknowledge reports within two business days, and we keep you informed of the fix. Please don't access other clinicians' or clients' data, and give us the chance to ship a fix before public disclosure.

This page describes our controls and does not constitute legal advice. Your obligations under HIPAA depend on your circumstances; consult your own counsel.