Security & Privacy

Therapist OS is built to minimize client-identifying information. We never store your clients' full names. The system automatically converts names to initials (e.g., "John Doe" becomes "J.D.") before saving. Session logs contain only: date, duration, session type, and your client's alias — the minimum needed for BBS compliance.

• All database data is encrypted at rest using AES-256.
• Import staging data (uploaded CSV rows awaiting your confirmation) is encrypted with AES-256-GCM at the application layer — separate from disk encryption — and automatically deleted after 15 minutes or when you confirm the import.
• Import CSV files are never written to disk — they are processed entirely in memory and discarded.

• All connections use TLS 1.3 (the strongest standard). Older TLS versions are rejected.
• HTTP requests are automatically redirected to HTTPS.
• HSTS (HTTP Strict Transport Security) is enabled — your browser is instructed to always use HTTPS, even if you accidentally type http://.
• The database connection requires SSL.

• You can only see your own sessions, supervision records, and weekly logs. No other user can access your data.
• Supervisors see only aggregate compliance summaries for their linked associates — never raw session records or client aliases.
• Supervisor e-signatures use single-use magic links — each link works only once for the specific log it was issued for.
• Supervisor signatures are protected by a PIN second factor set by the supervisor, separate from the magic link.

Every significant action in the system is recorded in a tamper-proof audit log:

• Session creates, edits, and deletes
• Weekly log status changes
• Magic link issuance and use
• Supervisor signatures — including IP address, timestamp, and a cryptographic hash of the log content at signing time
• CSV imports (started and completed)

The audit log is append-only — no record can be modified or deleted once written. This protects you in a BBS audit.

• Passwordless login via magic links — no passwords to steal.
• Session tokens expire and require re-authentication.
• Tokens are bound to your device — a token from one browser cannot be used in another.

We only use vendors who have signed HIPAA Business Associate Agreements with us:

• Database hosting (Render.com) — HIPAA-capable infrastructure; BAA in place.
• Email delivery (Resend) — Magic links only; no PHI in email content.

• We never store your clients' full names.
• We never sell or share your data with third parties for marketing.
• We never use your session data to train AI models.
• We never put PHI in email content or SMS messages — only secure in-app links.
• We never store uploaded CSV files after processing.

If you discover a security vulnerability or have questions about our privacy practices, contact us at security@therapistos.com. We respond to all security reports within 24 hours.