Privacy by design

Security & compliance

Mental health data is the most sensitive personal data there is. We treat it that way from the architecture up — not as a checklist applied at the end.

HIPAA

BAAs on file with all subprocessors. Customer-facing BAA offered to all US clinics. Encryption, access control, audit log, minimum-necessary access.

GDPR / UK-GDPR

Article 28 DPA. EU data stays in EU regions. DPIA published for AI processing. Right to access, rectify, erase, and port — automated, not email-driven.

Australian APP

APP 1–13 compliant. Notifiable Data Breaches scheme. AHPRA / PsyBA practice standards surfaced in intake-consent flows.

Technical controls

Encryption in transit

TLS 1.3 only on public endpoints; HSTS preload.

Encryption at rest

AES-256 with per-tenant KMS data-encryption keys.

Application-layer encryption

Free-text clinical fields and transcripts encrypted with per-tenant keys — cloud admin alone cannot read them.

Row-level security

Postgres RLS enforces tenant isolation in every query, so a row from another practice is never returned even if application code omits a tenant filter.
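As an added illustration of how Postgres row-level security enforces tenant isolation of this kind (example code, not PsycheNote's own schema or migrations), the table, role and setting names below are assumptions. The policy keys every read and write to a transaction-scoped setting the application sets after authenticating the request, and it fails closed: an unset or empty tenant setting matches no rows rather than all of them. The note body is stored as ciphertext, matching the application-layer encryption described above.

```sql
-- Added example (hypothetical schema): tenant isolation with Postgres RLS.
CREATE TABLE clinical_note (
    id          bigserial PRIMARY KEY,
    tenant_id   uuid NOT NULL,
    patient_ref text NOT NULL,
    body_ct     bytea NOT NULL,   -- ciphertext from application-layer encryption
    created_at  timestamptz NOT NULL DEFAULT now()
);

-- The application role is not the table owner and cannot bypass RLS,
-- so the policy below applies to every statement it issues.
CREATE ROLE app_rw NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON clinical_note TO app_rw;

ALTER TABLE clinical_note ENABLE ROW LEVEL SECURITY;
ALTER TABLE clinical_note FORCE ROW LEVEL SECURITY;  -- also binds the owner

-- current_setting(..., true) returns NULL when the setting was never defined;
-- NULLIF handles the empty string left behind after a reset. NULL never
-- compares equal, so a request that forgot to set its tenant sees zero rows.
CREATE POLICY tenant_isolation ON clinical_note
    FOR ALL TO app_rw
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Per-request usage. is_local = true scopes the value to this transaction,
-- so it cannot leak to the next request on a pooled connection.
BEGIN;
SELECT set_config('app.tenant_id', '11111111-1111-1111-1111-111111111111', true);

INSERT INTO clinical_note (tenant_id, patient_ref, body_ct)
VALUES ('11111111-1111-1111-1111-111111111111', 'P-0001', '\x00'::bytea);

-- Writing a row for a different tenant violates WITH CHECK and is rejected:
--   INSERT INTO clinical_note (tenant_id, patient_ref, body_ct)
--   VALUES ('22222222-2222-2222-2222-222222222222', 'P-0002', '\x00'::bytea);
--   ERROR:  new row violates row-level security policy for table "clinical_note"

SELECT count(*) FROM clinical_note;  -- counts only this tenant's rows
COMMIT;
```

Two points worth checking in any deployment of this pattern: the application must connect as a role without BYPASSRLS (superusers and table owners skip policies unless FORCE is set), and the tenant setting must be established inside the transaction on every request so connection pooling cannot carry one tenant's context into another's query.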

Audit log

Append-only, partitioned monthly, retained 7 years immutable.
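As an added illustration of an append-only, monthly-partitioned audit log in Postgres (example code, not PsycheNote's own schema), the table, role and partition names below are assumptions. The application role is granted INSERT and SELECT only, and triggers reject UPDATE, DELETE and TRUNCATE even from a session that holds those privileges, so rewriting history requires dropping the trigger, which is itself a DDL event that can be monitored.

```sql
-- Added example (hypothetical schema): append-only audit log, one partition per month.
CREATE TABLE audit_event (
    id          bigint GENERATED ALWAYS AS IDENTITY,
    occurred_at timestamptz NOT NULL DEFAULT now(),
    tenant_id   uuid NOT NULL,
    actor_id    uuid NOT NULL,
    action      text NOT NULL,   -- e.g. 'note.read', 'note.export'
    target      text,
    detail      jsonb,
    PRIMARY KEY (id, occurred_at)  -- the partition key must be part of the key
) PARTITION BY RANGE (occurred_at);

-- Monthly partitions; a scheduled job creates the next month ahead of time.
CREATE TABLE audit_event_2026_01 PARTITION OF audit_event
    FOR VALUES FROM ('2026-01-01') TO ('2026-02-01');
CREATE TABLE audit_event_2026_02 PARTITION OF audit_event
    FOR VALUES FROM ('2026-02-01') TO ('2026-03-01');

-- Append-only at the privilege level: the writer can add and read, nothing else.
CREATE ROLE app_audit_writer NOLOGIN;
REVOKE ALL ON audit_event FROM PUBLIC;
GRANT SELECT, INSERT ON audit_event TO app_audit_writer;

-- Append-only at the data level: block rewrites regardless of who is connected.
CREATE OR REPLACE FUNCTION audit_event_immutable() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'audit_event is append-only (% attempted on %)', TG_OP, TG_TABLE_NAME
        USING ERRCODE = 'insufficient_privilege';
END;
$$;

-- Row trigger on the parent is cloned to every partition, so a DELETE issued
-- directly against audit_event_2026_01 is blocked too.
CREATE TRIGGER audit_event_no_rewrite
    BEFORE UPDATE OR DELETE ON audit_event
    FOR EACH ROW EXECUTE FUNCTION audit_event_immutable();

-- TRUNCATE is statement-level only, so it needs its own trigger.
CREATE TRIGGER audit_event_no_truncate
    BEFORE TRUNCATE ON audit_event
    FOR EACH STATEMENT EXECUTE FUNCTION audit_event_immutable();

-- Normal write path: a constructed sample event.
INSERT INTO audit_event (occurred_at, tenant_id, actor_id, action, target)
VALUES ('2026-01-15 09:30:00+00',
        '11111111-1111-1111-1111-111111111111',
        '33333333-3333-3333-3333-333333333333',
        'note.read', 'clinical_note:42');

-- Any of these now fail with insufficient_privilege:
--   DELETE FROM audit_event WHERE id = 1;
--   UPDATE audit_event SET action = 'note.list' WHERE id = 1;
--   TRUNCATE audit_event_2026_01;
```

Monthly partitions make the retention window a partition-level operation: the month that falls outside the window is detached as a unit, which is both cheaper than row deletes and leaves a single, auditable DDL statement rather than a mass DELETE. Whatever archives detached partitions should land them in storage that enforces immutability independently of the database.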

Step-up auth

MFA required; sensitive operations re-prompt.

Bug bounty

Private program with disclosure SLAs.

Annual penetration test

Third-party engagement with remediation tracked.

Data residency

You pick your region at signup. Data for your practice physically stays there. Cross-region transfers for PHI are never used.

EU

Primary: eu-west-1

DR: Frankfurt fallback

US

Primary: us-east-1

DR: us-west-2

Australia

Primary: ap-southeast-2

DR: ap-southeast-4

Certifications & attestations

Where each programme stands today. We publish status honestly so procurement teams know what's on file and what's still to come.

HIPAA
Live

Annual risk assessment on file, signed BAAs with every subprocessor, customer-facing BAA on request for US practices.

DPIA — AI processing
Live

Published Data Protection Impact Assessment covering PsycheNote AI — lawful basis, retention, and opt-out.

SOC 2 Type I
Audit in progress

Auditor engaged; control evidence collection underway, with a target report by Q4 2026.

SOC 2 Type II
Year 2

Starts immediately after Type I — continuous evidence collection via our control-monitoring stack.

ISO 27001
Year 2

Planned in parallel with SOC 2 Type II to support EU and APAC enterprise procurement.

NHS DTAC
On NHS entry

Pursued when we onboard our first NHS trust. Aligned with existing GDPR and DPIA controls.

Cyber Essentials Plus
Planned

Roadmapped for UK enterprise readiness — most controls already overlap our security baseline.

Need our security pack for procurement?

SIG Lite, CAIQ, pen-test summary, subprocessor list, and BAA / DPA templates available on signed NDA — usually within 48 hours.


Questions about our security posture? Email security@psycheassess.com.