Emosapien is built for mental-health professionals who work with highly sensitive client data. Every session, note and check-in is protected with privacy-first design, end-to-end encryption and continuous monitoring powered by Beam9. Security is built into every AI therapy feature, not bolted on after the fact.
OUR SECURITY PRINCIPLES
Therapy runs on trust, privacy and psychological safety
Emosapien treats all client-identifying information as highly sensitive clinical data, not just "app content".
Client confidentiality first
We handle client data as PHI or its equivalent under local laws.
Minimal data, maximum value
We only collect what we need to deliver the service.
No selling or brokering of data
We never sell, rent or trade session or client data.
Security and usability together
AI tools are only useful if they are safe for you and your clients.
Secure by Design
Certified HIPAA, ISO 27001 & GDPR: independently audited for regulated healthcare environments.
Designed for regulated healthcare environments
Emosapien is HIPAA, ISO 27001 and GDPR certified, and is designed for regulated healthcare environments. We support clinicians working under:
- HIPAA / HITECH (US) — safeguards for confidentiality, integrity and availability of PHI.
- GDPR and UK GDPR / DPA — lawful basis, data minimisation, purpose limitation and data-subject rights.
- Australian Privacy Principles (APPs) — alignment with consent, collection, use and disclosure requirements.
Independent Certifications
SOC 2 Type II
Independent auditors have verified our security, availability, and confidentiality controls. Contact us anytime to request the complete SOC 2 report.
Last audited: Feb 2026
ISO/IEC 27001:2022
Our information-security management system meets the latest ISO 27001 standard. Reach out now for the certificate and Statement of Applicability.
Last audited: Feb 2026
HIPAA / HITECH
End-to-end encryption, strict access controls, and signed BAAs keep PHI fully protected. Request our HIPAA/HITECH compliance packet whenever needed.
GDPR & CCPA
Privacy-by-design, data-subject rights workflows, and regional processing keep us GDPR and CCPA ready. Ask for our detailed compliance summary today.
Privacy and Compliance
Data Residency
Choose US-East, EU-West, or Sydney. No cross-region replication unless you enable resilience.
Retention & Deletion
Configurable retention down to 0 days; cryptographic shredding at expiry.
Data Subject Rights
Built-in workflows for access, erasure, and rectification with API integration.
Legal Frameworks
Standard Contractual Clauses (EU), DPAs, and BAAs ready for signature.
Approved Sub-Processors
| Service | Purpose | Location |
|---|---|---|
| AWS | Primary infrastructure | USA, EU, AUS |
| Azure | Secondary infrastructure | USA, EU, AUS |
| Cloudflare | WAF and CDN | Global |
| SendGrid | Email notifications | USA |
| Sentry | Error monitoring | USA |
We provide 30-day advance notice before adding any new sub-processor.
Get in Touch
Found a vulnerability or have a question? Email security@emosapien.com. We acknowledge reports within 24 hours and coordinate fixes under responsible disclosure.
Frequently Asked Questions
Quick answers to the most common security, privacy, and compliance questions about Emosapien.
Yes. Emosapien is independently certified against HIPAA requirements, ISO 27001 for information security, and GDPR. That means our controls, processes, and documentation are regularly reviewed against recognized global standards.
No. We do not use your client session content, notes, or recordings to train any global foundation model by default. If we ever offer tenant-specific fine-tuning, it will be optional, off by default, and protected with strict safeguards.
You do. Your organization remains the data controller and fully owns your client data. Emosapien acts as a processor or service provider, using your data only to deliver and support the service you've signed up for.
We aim to keep data within regions that align with your regulatory obligations, such as Australia, the EU, or the US. If you have specific data residency requirements, you can contact us and we'll confirm the current options for your organization.
Our default retention is designed to support clinical documentation and legal requirements without storing data longer than necessary. You can request deletion of specific clients, sessions, or your entire account, subject to legal and contractual retention rules. Deleted data is removed from active systems and then from backups after the retention window.
Access is strictly limited on a need-to-know basis and governed by least-privilege controls. Only a small number of authorized team members may access certain data to provide support, maintain the platform, or meet legal obligations, and all access is logged and audited.
We monitor our systems continuously and follow a documented incident response plan. If an incident affects your data, we investigate, contain, and remediate the issue, and notify you in line with our contractual and legal obligations, including any required regulator or client notifications. You can find more about Emosapien's Privacy Policy here.