Enterprise-Grade Security & Compliance

Your patient data deserves the highest level of protection. We've built PsychReport.ai with security and compliance at its core, meeting the strictest healthcare industry standards.

HIPAA Compliance

Full HIPAA compliance with Business Associate Agreement (BAA) included for all healthcare providers.

  • Comprehensive HIPAA risk assessment
  • Administrative, physical, and technical safeguards
  • Regular compliance audits and monitoring
  • Staff training and documentation

Encryption in Transit and at Rest

All data is encrypted in transit and at rest: connections to the service use TLS 1.3, and stored data is encrypted with industry-standard AES-256.

  • TLS 1.3 for data in transit
  • AES-256 encryption for data at rest
  • Encrypted database storage
  • Secure key management system

Audit Logs

Comprehensive audit trails track all user actions and system events for complete transparency.

  • User activity logging
  • Data access tracking
  • System event monitoring
  • Compliance reporting tools

Access Controls

Secure access controls ensure only authorized personnel can access sensitive information.

  • Multi-factor authentication (MFA)
  • Secure session management
  • User activity monitoring
  • Automatic session timeout after inactivity

User Management

Secure user management features designed for individual practitioners (team features coming soon).

  • Individual user accounts
  • Secure authentication
  • Assessment history tracking
  • Data ownership controls

Data Backup & Recovery

Automated backups and disaster recovery ensure your data is always protected and available.

  • Automated daily backups
  • Fully redundant backups
  • Point-in-time recovery
  • Disaster recovery testing

Certifications & Compliance

SOC 2 Type II

Our hosting partners maintain SOC 2 Type II attestation for their security controls

HIPAA Compliant

Full compliance with Health Insurance Portability and Accountability Act requirements

Google Cloud Security

Built on Google Cloud Platform with enterprise-grade security infrastructure

ISO 27001

Our hosting partners maintain ISO 27001 certification for information security

Our Privacy Commitment

We never sell, share, or monetize your patient data. Your information is used solely to provide our services and remains under your complete control at all times.

Security Questions

Your data protection concerns answered

FERPA Compliance for School Districts

For school districts, student data privacy isn't just a rule — it's a fundamental trust. PsychReport.ai was built with a privacy-first design, ensuring full compliance with FERPA from the ground up.

We Act as Your "School Official"

FERPA's School Official exception allows us to handle student data on your behalf. We are contractually bound to:

  • Perform only the institutional service we were hired for
  • Operate under the direct control of your school for all data
  • Use data only for the specific purpose agreed upon
  • Never re-disclose or use data for any other purpose

Our Data Commitments

  • No Secondary Use

    Student data is never used for AI model training, marketing, or any purpose beyond generating your reports.

  • Parent Rights Supported

    Your staff retains full access to download and amend student records at any time to fulfill FERPA parental access requests.

  • Secure Data Destruction

    All student data is permanently deleted from live systems 30 days after contract end and purged from backups on a fixed schedule.

School pricing available: PsychReport.ai serves both private practice and school settings. Contact us for school and district pricing.

Privacy Compliance for Canadian Practitioners

Canadian psychologists are the custodians of their clients' information under PIPEDA and provincial health-privacy law. PsychReport.ai is built to support those obligations while keeping your clinical judgment where it belongs — with you.

You Stay the Custodian. We're Your Service Provider.

  • Under PIPEDA and provincial privacy and health-information law (including Ontario's PHIPA, Alberta's HIA, and British Columbia's PIPA), you remain the custodian of your clients' information.
  • We act only as your service provider and information manager, processing data on your instructions to generate your reports.
  • We sign a Canadian Data Processing and Service Provider Agreement during onboarding — the same way US practices sign a BAA.
  • We support your obligations to respond to client access and correction requests and to handle breach notification.

Our Data Commitments

  • Transparent Cross-Border Processing

    Your data is stored and processed in the United States on Google Cloud. We tell you plainly, so you can inform your clients and obtain the consent your obligations require.

  • A Signed Canadian Agreement

    Every Canadian practice signs a Canadian Data Processing and Service Provider Agreement that sets out our role under PIPEDA and provincial health-privacy law, our security commitments, and how we support you.

  • De-identified Before AI

    Client information is de-identified before any AI processing, and our agreements with AI providers prohibit using it to train their models.

Read our Canadian Privacy Supplement and Canadian Terms Supplement for the full detail.

Questions About Security or Compliance?

Our team is available to answer any questions about HIPAA, FERPA, BAA documentation, or any other compliance and security concerns.