Security & privacy
Built like client trust depends on it
Because it does. Here is exactly how PsychApp protects personal health information — where it lives, how it is encrypted, who can see it, and the privacy program behind it.
Data at rest: Montréal, Canada
Every client record — charts, notes, assessments, forms, messages, files, invoices — lives in a Canadian data centre (AWS ca-central-1, Montréal).
Compute: Montréal, Canada
The application servers that process your requests also run in Montréal, in the same region as the database. Client data in the request path does not cross the border.
Certified infrastructure
PsychApp runs on infrastructure providers that hold independent certifications — SOC 2 Type II for our hosting and database providers and PCI-DSS Level 1 for payments.
Built for PHIPA and PIPEDA
PsychApp is designed for Ontario’s Personal Health Information Protection Act (PHIPA) and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). Under PHIPA, your practice is the health information custodian and PsychApp acts as your electronic service provider: client records are handled only on your instructions, protected by the safeguards on this page, and stored in Canada.
PsychApp’s designated Privacy Officer is Hossain Jafary, accountable for the privacy program: the privacy impact assessment, the breach response plan, the subprocessor register, and this policy surface. Reach the Privacy Officer any time at privacy@psychapp.ca.
The full detail of what we collect and why lives in the Privacy Policy.
Technical safeguards
Encryption in transit
All traffic is encrypted with TLS, with HSTS enforced so browsers never fall back to an unencrypted connection.
Encryption at rest
The database and file storage are encrypted at rest with AES-256. Connected-calendar credentials get a second, application-layer AES-256-GCM encryption on top.
Two-factor authentication
Clinicians can enrol authenticator-app (TOTP) two-factor authentication, enforced at every sign-in once enabled.
Automatic sign-out
Idle sessions sign out automatically after 30 minutes, on the clinician dashboard and the client portal alike.
Private by design
Row-level security in the database isolates every clinician's caseload. In group practices, one clinician's clinical records are never visible to another unless supervision access is explicitly granted.
Append-only audit log
Sign-ins, record changes, file activity, exports, and deletions are written to an audit log that cannot be edited or erased — and you can review it in Settings.
Tokenized client links
Forms, assessments, booking, and video sessions use long, unguessable links, so clients can participate securely without being forced to create an account. Public endpoints are rate-limited.
Telehealth privacy
Video sessions are encrypted device-to-device (DTLS-SRTP) with no media server in the middle — session audio and video never touch our infrastructure. Recording and transcription only happen with explicit client consent.
Payments by Stripe
Card details are entered on Stripe's PCI-DSS Level 1 certified pages and never touch PsychApp's servers.
Records your college would recognize
Signed notes lock permanently
A signed clinical note can never be silently edited. Corrections happen through dated, attributed addenda — the record colleges expect.
Archive, not delete
Day-to-day workflows archive clients so the full chart stays retrievable across college retention periods. Hard deletion exists only as a deliberate, audit-logged custodian decision.
Right of access, built in
Export a client's complete structured record in one click — supporting access and correction requests under PHIPA.
Straight answers
Is PsychApp PHIPA or PIPEDA certified?+
No such certification exists — no vendor can truthfully sell you one. PHIPA and PIPEDA compliance is an ongoing program, not a badge. PsychApp operates that program: the safeguards on this page, a privacy impact assessment, a breach response plan, a subprocessor register, and a named Privacy Officer accountable for all of it.
Who is the health information custodian?+
You are. Under PHIPA, the clinician (or practice) is the health information custodian for client records. PsychApp acts as your electronic service provider, handling records only on your instructions — and the platform is built so you can meet your custodian duties: consent capture, access and correction support, retention-friendly archiving, and audit trails.
What happens if there is ever a breach?+
PsychApp maintains a written breach response plan: contain, assess, notify affected custodians without unreasonable delay so they can meet their own notification duties, and remediate. Suspected issues can be reported any time to privacy@psychapp.ca.
Found a vulnerability or have a security question? Email privacy@psychapp.ca and it goes straight to the Privacy Officer.
Ready to try PsychApp?
14-day free trial. No credit card required. Set up in an afternoon.
Start your free trial