Clinical-grade Security for AI-powered Therapy

Emosapien is built for mental-health professionals who work with highly sensitive client data. Every session, note and check-in is protected with privacy-first design, end-to-end encryption and continuous monitoring powered by Beam9.

Secured by Beam9

AES-256 Encryption

Least-privilege access controls

Access Control

Data Sovereignty

Our security principles

Therapy runs on trust, privacy and psychological safety

Emosapien treats all client-identifying information as highly sensitive clinical data, not just “app content”.

Client confidentiality first

We handle client data as PHI or its equivalent under local laws.

Minimal data, maximum value

We only collect what we need to deliver the service.

No selling or brokering of data

We never sell, rent or trade session or client data.

Security and usability together

AI tools are only useful if they are safe for you and your clients.

Secure by Design

Designed for regulated healthcare environments

Emosapien is HIPAA, ISO 27001 and GDPR certified, and is designed for regulated healthcare environments. We support clinicians working under:

  • HIPAA / HITECH (US) — safeguards for confidentiality, integrity and availability of PHI.
  • GDPR and UK GDPR / DPA — lawful basis, data minimisation, purpose limitation and data-subject rights.
  • Australian Privacy Principles (APPs) — alignment with consent, collection, use and disclosure requirements.

Make sure therapists are in control

Emosapien is an AI-assisted decision-support tool, not a replacement for the therapist. Our AI safety approach is designed to keep you firmly in control.

  • Prompt-injection and jailbreak protection to block unsafe inputs and attempts to override safety policies.
  • Content and safety filters aligned with clinical and ethical boundaries.
  • Context limits and redaction so only the minimum necessary data is passed into models.
  • Clinician-in-the-loop — AI outputs are always drafts that you can review, edit or discard.

Data Ownership & Responsible AI Training

Your organization always owns your client data; Emosapien simply processes it on your behalf. We do not use your session content, notes or recordings to train any global AI models.

  • You own your client data. Your organization is the data controller; Emosapien acts as a processor / service provider.
  • No training on customer data by default. We do not use your client session content, notes or recordings to train any global foundation model.
  • If tenant-specific fine-tuning features are offered in future, they will be optional, off by default, and protected with strict safeguards.

Independent Certifications

SOC 2 Type II

Independent auditors have verified our security, availability, and confidentiality controls. Contact us anytime to request the complete SOC 2 report.

ISO/IEC 27001:2022

Our information-security management system meets the latest ISO 27001 standard. Reach out now for the certificate and Statement of Applicability.

HIPAA / HITECH

End-to-end encryption, strict access controls, and signed BAAs keep PHI fully protected. Request our HIPAA/HITECH compliance packet whenever needed.

GDPR & CCPA

Privacy-by-design, data-subject rights workflows, and regional processing keep us GDPR and CCPA ready. Ask for our detailed compliance summary today.

Privacy and Compliance

Approved Sub‑Processors

Service      Purpose                   Location
AWS          Primary infrastructure    USA, EU, AUS
Azure        Secondary infrastructure  USA, EU, AUS
Cloudflare   WAF and CDN               Global
SendGrid     Email notifications       USA
Sentry       Error monitoring          USA

We provide 30‑day advance notice before adding any new sub‑processor.

Get in Touch

Found a vulnerability or have a question? Email security@emosapien.com. We acknowledge reports within 24 hours and coordinate fixes under responsible disclosure.

Frequently Asked Questions

Quick answers to the most common security, privacy, and compliance questions about Emosapien.

Yes. Emosapien is independently certified against HIPAA requirements, ISO 27001 for information security, and GDPR. That means our controls, processes, and documentation are regularly reviewed against recognized global standards.

No. We do not use your client session content, notes, or recordings to train any global foundation model by default. If we ever offer tenant-specific fine-tuning, it will be optional, off by default, and protected with strict safeguards.

You do. Your organization remains the data controller and fully owns your client data. Emosapien acts as a processor or service provider, using your data only to deliver and support the service you’ve signed up for.

We aim to keep data within regions that align with your regulatory obligations, such as Australia, the EU, or the US. If you have specific data residency requirements, you can contact us and we’ll confirm the current options for your organization. You can find more about Emosapien’s privacy policy here.

Our default retention is designed to support clinical documentation and legal requirements without storing data longer than necessary. You can request deletion of specific clients, sessions, or your entire account, subject to legal and contractual retention rules. Deleted data is removed from active systems and then from backups after the retention window.

Access is strictly limited on a need-to-know basis and governed by least-privilege controls. Only a small number of authorized team members may access certain data to provide support, maintain the platform, or meet legal obligations, and all access is logged and audited.

We monitor our systems continuously and follow a documented incident response plan. If an incident affects your data, we investigate, contain, and remediate the issue, and notify you in line with our contractual and legal obligations, including any required regulator or client notifications.