HIPAA
Compliant. Business Associate Agreements (BAAs) available where Psych Hub usage involves Protected Health Information.
Psych Hub's compliance posture in one place — for procurement, security reviewers, and existing customers' annual checks.
Annually audited. Current report available under NDA to prospective and existing enterprise customers.
TLS 1.2+ in transit. AES-256 at rest in cloud-provider-managed services.
SAML / OIDC single sign-on and admin audit logs available on Enterprise plans.
Psych Hub treats Protected Health Information (PHI) consistent with HIPAA's Privacy and Security Rules. We sign Business Associate Agreements (BAAs) with covered entities and business associates whose Psych Hub usage moves PHI through the platform. If you're unsure whether you need a BAA, ask — we'd rather sign one and not need it than need it and not have it. To request a BAA, email security@psychhub.com with your organization name and use case. We send a draft within five business days.
Psych Hub maintains a SOC 2 Type II report covering Security, Availability, Confidentiality, and Processing Integrity. The current report is available under a mutual NDA to prospective and existing enterprise customers. To request the report, email security@psychhub.com. We send the most recent report after countersigning the NDA.
We maintain a current list of subprocessors used to operate Psych Hub. Material additions are communicated to enterprise customers in advance, consistent with BAA and Data Processing Agreement terms.
All data in transit uses TLS 1.2 or higher. Data at rest is encrypted with AES-256 in our cloud provider’s managed services. SSO via SAML or OIDC is available on Enterprise plans (150+ seats). Admin audit logs are available to Enterprise admins. Customer data is retained per contract terms; deletion is handled per the Master Purchase Agreement.
If you believe you've found a security vulnerability in Psych Hub, email security@psychhub.com with details and a path to reproduce. We respond within two business days and coordinate responsible disclosure. We do not currently operate a paid bug-bounty program.
BAA, SOC 2 Type II, subprocessor list, and DPA on request. We respond within five business days.