Emosapien

Security for therapy data

Emosapien Security: HIPAA-Compliant Therapy Documentation

Emosapien provides HIPAA-compliant therapy software security for clinicians who process sensitive session data, draft notes, and client engagement records inside one therapy-specific workflow.

The product keeps the therapist in control: AI output stays reviewable, client content is not used to train public models, and security controls cover intake, sessions, documentation, and follow-up. For practices comparing HIPAA-compliant therapy software security, plan-level BAA availability matters; the pricing page shows where BAA-ready plans start before PHI moves through the workflow.

Current trust posture

HIPAA, ISO 27001, SOC 2 Type II, and GDPR compliance badges

SOC 2 Type II

Audited infrastructure controls

ISO 27001

Certified security management

BAA availability

Professional and Enterprise

No model training

No public-model training on sessions

HIPAA compliance and BAAs

HIPAA compliance and Business Associate Agreements

HIPAA-compliant therapy software security starts with a clear business-associate relationship. For covered-entity practices, Emosapien makes a BAA available on Professional and Enterprise plans and keeps clinical AI assistive rather than autonomous.

For the legal basis, review the HHS guidance on business associates. For note-specific boundaries, see our guide to HIPAA-compliant therapy notes.

Business Associate Agreement

A BAA is available on Professional and Enterprise plans before protected health information moves through the clinical workflow.

Encryption in transit and at rest

Session data, progress notes, and client records are protected with encryption across transmission and storage.

Access controls and audit logging

The Safety and Compliance Agent layer supports consent management, role-aware access, and audit logging around sensitive actions.

No public-model training

Session content is not used to train public models. Clinicians review and sign every clinical note before it becomes part of the record.

Encryption and storage

Data encryption and storage

Session audio, transcripts, draft notes, and client engagement data need protection before, during, and after the appointment. Emosapien encrypts clinical data in transit and at rest, then keeps the signed record under clinician review.

Your clients' data: what we collect and why

Emosapien processes session and client-workflow data to provide the service: intake context, session capture, draft documentation, treatment-plan continuity, and between-session engagement. Your practice or organisation owns that data.

Session content is not used to train public models. For public-facing privacy terms, read the Emosapien privacy policy.

Controls and audits

Access controls and audit logs

HIPAA-compliant therapy software security is operational. Consent management, role-aware access, and audit logging help practice owners understand who can reach sensitive records and when key actions happen.

Emosapien's Safety and Compliance Agent sits beside the clinical workflow so controls are visible near the work, not hidden in a separate checklist.

HIPAA Security Rule safeguards

Emosapien supports the administrative and technical safeguards therapy practices expect: encryption, access control, audit logging, and BAA availability.

SOC 2 Type II

Infrastructure controls are SOC 2 Type II audited, giving practice owners a third-party trust signal for operational controls.

ISO 27001

Information-security management is ISO 27001 certified, aligning security processes with an international standard.

Beam9 monitoring

Beam9 supports encryption, continuous monitoring, access controls, and immutable audit trails for the platform.

Certifications

Certifications and third-party audits

SOC 2 Type II

Audited controls

A third-party audit signal for the infrastructure and operational controls behind the platform.

ISO 27001

Certified security management

An information-security management standard for the processes that protect sensitive data.

Beam9

Monitoring and audit trails

Continuous monitoring, access controls, encryption support, and immutable audit trails around the platform.

Frequently asked

Security questions for therapy practices

Is this security page legal advice?

This page describes Emosapien safeguards and product controls. It is not legal advice. Each covered entity still needs to assess its own obligations, policies, and client-consent process.

Does Emosapien replace clinical judgement?

No. Emosapien drafts notes, summaries, and workflow prompts for therapist review. The licensed clinician decides what belongs in the clinical record.

Who owns client data?

Your practice or organisation owns its client data. Emosapien processes it to provide the service and does not use session content to train public models.

Report a security issue

Tell us if something looks wrong

If you believe you have found a vulnerability or a data-handling concern, contact the Emosapien team before sharing details publicly. We will triage credible reports and route them to the security owner.

New to the company and our clinical boundaries? Read about Emosapien before comparing product claims with your own practice policies.