
Security & HIPAA Compliance

Your data is protected. Zero breaches. Ever.


Theryo's Security Commitment

Mental health data is among the most sensitive information you can share. We designed Theryo from the ground up with security as the foundation, not an afterthought.

Our promise:

  • 🔒 HIPAA compliant from day one
  • 🔒 Bank-level encryption for all data
  • 🔒 Zero breaches in our history
  • 🔒 Regular third-party security audits
  • 🔒 You control your data, always

We don't sell your data. We don't share it. We don't use it for advertising. Period.


HIPAA Compliance Framework

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) sets national standards for protecting sensitive patient health information.

HIPAA requires:

  • ✅ Encryption of data in transit and at rest
  • ✅ Access controls and authentication
  • ✅ Audit trails of who accessed what data
  • ✅ Business Associate Agreements (BAAs)
  • ✅ Breach notification procedures
  • ✅ Patient rights to access and control their data

Theryo meets or exceeds all HIPAA requirements.


Business Associate Agreements (BAAs)

A Business Associate Agreement is a contract between covered entities (like your therapy practice) and service providers (like Theryo) that handle Protected Health Information (PHI).

For Providers:

  • BAAs are included with all provider plans
  • Available immediately upon request
  • No additional cost
  • Request by emailing support@theryo.ai with "BAA Request" in subject

What our BAA covers:

  • ✅ Our responsibilities for protecting PHI
  • ✅ Permitted uses of your client data
  • ✅ Breach notification procedures
  • ✅ Your right to audit our compliance
  • ✅ Liability and indemnification

💡 Best Practice: Request your BAA during onboarding, even if not immediately required. Having it on file protects you.


How We Protect Your Data

Encryption: Multiple Layers

Data in Transit:

  • TLS 1.3 encryption for all connections
  • Perfect forward secrecy
  • HSTS (HTTP Strict Transport Security)
  • Certificate pinning on mobile apps

What this means: Data traveling between your device and our servers is encrypted for the whole trip, so anyone who intercepts the connection sees only unreadable ciphertext.


Data at Rest:

  • AES-256-GCM encryption for all stored data
  • Field-level encryption for sensitive data (journal entries, session notes, PHI)
  • Encrypted database backups
  • Encryption keys managed separately from data

What this means: Even if someone gained access to our servers (they won't), your data is encrypted and unreadable without the encryption keys, which are kept separately from the data.

📸 [Diagram: Encryption layers from device to database]
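As an added illustration (not Theryo's own code, which this page does not publish), here is what field-level AES-256-GCM encryption with keys held apart from the data typically looks like in Go: the key is passed in from a separate key store, each value gets a fresh nonce, and the record id and column name are bound in as associated data so a ciphertext cannot be silently moved to another client's record or another column. The record ids, field names and demo key are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// aad binds a value to one record and one column, so a sealed journal entry
// copied into another client's record (or another column) fails to decrypt.
func aad(recordID, field string) []byte { return []byte(recordID + "|" + field) }
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealField encrypts one field under a fresh random 96-bit nonce and returns
// nonce || ciphertext || tag, the bytes the database column stores.
func SealField(key []byte, recordID, field string, plain []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand.Read is documented never to fail (Go 1.24+)
	return gcm.Seal(nonce, nonce, plain, aad(recordID, field)), nil
}

// OpenField verifies the GCM tag before returning plaintext: a flipped byte, a
// different key, or a mismatched record/field context is an error, not garbage.
func OpenField(key []byte, recordID, field string, stored []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil || len(stored) < gcm.NonceSize() {
		return nil, fmt.Errorf("cannot open %s: key error %v, stored length %d", field, err, len(stored))
	}
	nonce, ct := stored[:gcm.NonceSize()], stored[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad(recordID, field))
}

func main() {
	key := make([]byte, 32) // constructed demo key; real keys come from a separate key store
	rand.Read(key)
	stored, _ := SealField(key, "client-42", "journal_entry", []byte("felt calmer today"))
	_, err := OpenField(key, "client-43", "journal_entry", stored) // same bytes, wrong record
	fmt.Println("opened under another record id:", err)
}
```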


Access Controls

Role-Based Access:

  • Clients see only their own data
  • Providers see only data from connected clients (and only what clients share)
  • Admin users have limited access (support tickets, billing)
  • No one at Theryo can read your journal entries or session notes

Authentication:

  • Secure password requirements (minimum 8 characters, complexity rules)
  • Two-Factor Authentication (2FA) required for all provider accounts
  • 2FA available (and recommended) for client accounts
  • Session timeouts after inactivity
  • Device management (see and revoke logged-in devices)

💡 Enable 2FA: Navigate to Settings > Security > Enable Two-Factor Authentication. Use an authenticator app (not SMS) for best security.


Audit Trails

Every action involving PHI is logged in immutable audit trails.

What we log:

  • Who accessed what data
  • When they accessed it
  • What changes were made
  • IP address and device information
  • Export/download events

Audit trails are:

  • ✅ Tamper-proof (cannot be edited or deleted)
  • ✅ Retained for 7 years (HIPAA requirement)
  • ✅ Available for compliance audits
  • ✅ Exportable by providers

To view your audit trail:

  1. Navigate to Settings > Security
  2. Click "View Audit Trail"
  3. Filter by date range or action type
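One way to make an audit trail tamper-evident, added here as an illustration rather than Theryo's implementation: each entry's hash covers its own fields and the previous entry's hash, so editing or deleting any earlier entry breaks every link after it. The event fields and sample values are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// AuditEvent is one "who did what, when, from where" record.
type AuditEvent struct {
	Actor, Action, Resource, IP, At string
	PrevHash, Hash                  string // links to the previous entry
}

// hashOf covers the entry's fields plus the previous hash, so an edit anywhere breaks every later link.
func hashOf(e AuditEvent) string {
	h := sha256.Sum256([]byte(strings.Join([]string{e.PrevHash, e.Actor, e.Action, e.Resource, e.IP, e.At}, "\x1f")))
	return hex.EncodeToString(h[:])
}

// Append adds an event to the chain, linking it to the last entry.
func Append(trail []AuditEvent, e AuditEvent) []AuditEvent {
	if len(trail) > 0 {
		e.PrevHash = trail[len(trail)-1].Hash
	}
	e.Hash = hashOf(e)
	return append(trail, e)
}

// Verify walks the chain and returns the index of the first broken entry, or -1 if intact.
func Verify(trail []AuditEvent) int {
	prev := ""
	for i, e := range trail {
		if e.PrevHash != prev || e.Hash != hashOf(e) {
			return i
		}
		prev = e.Hash
	}
	return -1
}

func main() {
	// Constructed sample events, not real Theryo log data.
	var trail []AuditEvent
	trail = Append(trail, AuditEvent{Actor: "provider-7", Action: "view", Resource: "client-42/journal/118", IP: "203.0.113.5", At: "2026-02-12T14:03:09Z"})
	trail = Append(trail, AuditEvent{Actor: "client-42", Action: "export", Resource: "client-42/journal", IP: "198.51.100.23", At: "2026-02-12T15:10:44Z"})
	fmt.Println("intact:", Verify(trail) == -1)
	trail[0].Action = "none" // an attempt to rewrite history
	fmt.Println("first bad entry:", Verify(trail))
}
```

This gives tamper evidence rather than tamper proofing: someone who can rewrite every row can recompute the whole chain, so production systems also anchor the newest hash somewhere the database cannot alter (a signature from a separately held key, or append-only storage).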

Infrastructure Security

Where your data lives:

  • AWS (Amazon Web Services) data centers in the United States
  • SOC 2 Type II certified infrastructure
  • Physical security, biometric access controls
  • Redundant power, cooling, and network connections
  • DDoS protection and network monitoring

Backups:

  • Encrypted backups every 6 hours
  • 90-day backup retention
  • Geographic redundancy (multiple regions)
  • Regular restore testing

Disaster Recovery:

  • Recovery Time Objective (RTO): 4 hours
  • Recovery Point Objective (RPO): 6 hours
  • Tested quarterly

Your Privacy Rights

What Data We Collect

From Clients:

  • Account information (name, email, date of birth)
  • Journal entries and mood data
  • Goal tracking
  • Device and usage analytics (anonymized)

From Providers:

  • Professional credentials (license number, NPI, state)
  • Client roster (names, contact info for connected clients)
  • Clinical documentation (session notes, care plans)
  • Usage and billing data

What We DON'T Collect

  • ❌ Social Security Numbers (unless required for billing integration)
  • ❌ Payment card details (processed by Stripe, not stored by us)
  • ❌ Location tracking (beyond timezone for accurate timestamps)
  • ❌ Browsing history outside Theryo
  • ❌ Contacts or photos (unless you explicitly upload them)


Your Rights Under HIPAA

You have the right to:

1. Access Your Data

Export all your data anytime:

  • Navigate to Settings > Export
  • Select data types (journal entries, mood data, analytics)
  • Choose date range
  • Download in PDF, CSV, or JSON format

2. Correct Your Data

Request corrections to inaccurate information:

  • Email support@theryo.ai
  • Specify what data is incorrect
  • We'll update within 5 business days

3. Delete Your Data

Request account deletion:

  • Navigate to Settings > Account > Delete Account
  • Confirm deletion
  • Data deleted within 30 days (except what we must retain for compliance)

⚠️ Important: Some data must be retained for legal/compliance reasons:

  • Providers: Session notes and clinical documentation (7 years)
  • Billing records (7 years)
  • Audit trails (7 years)

4. Restrict Use

Control what data is shared:

  • Clients: Choose what to share with providers
  • Providers: Control what clients can see
  • Both: Manage notification preferences

→ Learn about data sharing controls


5. Receive Breach Notification

If a breach occurs (it hasn't, ever), we notify you:

  • Within 60 days of discovery (HIPAA requirement)
  • Via email and in-app notification
  • With details about what data was affected
  • With steps to protect yourself

Privacy by Design

Data Minimization

We collect only what's necessary:

  • ✅ Ask for email and password (not phone number)
  • ✅ Don't require full address (only timezone)
  • ✅ Don't pre-populate forms with unnecessary fields
  • ✅ Delete data you explicitly remove (except compliance requirements)

Client-Provider Data Sharing

Default: Private

  • Clients: Your journal entries are private unless you explicitly share them
  • Providers: Your clinical notes are private unless you share with clients (rarely done)

You control sharing:

  • Grant or revoke access anytime
  • Share specific entries, not your entire history
  • Share analytics summaries without raw data

→ Complete guide to provider connections


Third-Party Services

We use minimal third-party services, all HIPAA-compliant:

Infrastructure:

  • AWS (hosting, databases, backups) - BAA in place
  • Cloudflare (CDN, DDoS protection) - BAA in place

Business Services:

  • Stripe (payment processing) - HIPAA-compliant, BAA in place
  • SendGrid (email delivery) - BAA in place
  • Sentry (error monitoring - no PHI) - Anonymized data only

We do NOT use:

  • ❌ Google Analytics (tracking)
  • ❌ Facebook Pixel (advertising)
  • ❌ Third-party ad networks
  • ❌ Data brokers or resellers

Security Best Practices for Users

Strong Passwords

Create a strong password:

  • ✅ At least 12 characters (longer is better)
  • ✅ Mix of uppercase, lowercase, numbers, symbols
  • ✅ Unique to Theryo (don't reuse from other sites)
  • ✅ Use a password manager (1Password, Bitwarden, LastPass)

Avoid:

  • ❌ Dictionary words
  • ❌ Personal information (birthday, pet name)
  • ❌ Simple patterns (123456, password, qwerty)

Enable Two-Factor Authentication (2FA)

2FA adds a second layer of security beyond your password.

How to enable:

  1. Navigate to Settings > Security
  2. Click "Enable Two-Factor Authentication"
  3. Choose method:
    • Authenticator app (Google Authenticator, Authy) - Recommended
    • SMS codes (text message)
  4. Scan QR code or enter code
  5. Save backup codes in a safe place

💡 Why authenticator apps are better than SMS:

  • SMS can be intercepted
  • SIM swapping attacks bypass SMS
  • Authenticator apps work offline

Manage Logged-In Devices

Review and revoke access from old devices:

  1. Navigate to Settings > Security > Devices
  2. See all logged-in devices (device type, location, last active)
  3. Click "Revoke Access" on devices you don't recognize
  4. Your session on that device will end immediately

✅ Best Practice: Review your devices monthly. Revoke access from old phones, shared computers, or unknown devices.


Log Out on Shared Devices

Always log out when using:

  • Public computers (libraries, cafes)
  • Shared work computers
  • Friend or family devices

To log out:

  • Click your avatar (top-right)
  • Click "Log Out"
  • Confirm

💡 Forgot to log out? Remotely log out from Settings > Security > Devices (see above).


Secure Your Email

Your email is the recovery method for your Theryo account. If someone gains access to your email, they can reset your Theryo password.

Protect your email:

  • ✅ Use a strong, unique password
  • ✅ Enable 2FA on your email account
  • ✅ Don't share email credentials
  • ✅ Be wary of phishing emails

⚠️ Phishing warning: Theryo will never email asking for your password. If you receive such an email, it's a scam. Forward to support@theryo.ai and delete.


Compliance Certifications

Theryo maintains:

  • ✅ HIPAA Compliance - Independently verified
  • ✅ SOC 2 Type II (in progress) - Security, availability, confidentiality
  • ✅ GDPR Compliance - For international users
  • ✅ PCI DSS Level 1 - Via Stripe payment processor

Regular Audits:

  • Annual third-party penetration testing
  • Quarterly vulnerability scans
  • Monthly security reviews
  • Continuous automated monitoring

Incident Response

If we detect a potential breach:

  1. Immediate containment - Block attack vectors
  2. Investigation - Determine scope and impact
  3. Notification - Inform affected users within 60 days (HIPAA requirement)
  4. Remediation - Fix vulnerabilities
  5. Reporting - Notify HHS (if required), document incident

Our track record: Zero breaches. Ever.


Reporting Security Issues

Found a potential security vulnerability? We want to know.

How to report:

  • 📧 Email: security@theryo.com
  • 🔐 Use subject line: "Security Vulnerability Report"
  • Include:
    • Description of the vulnerability
    • Steps to reproduce
    • Potential impact
    • Your contact info (optional but appreciated)

We will:

  • ✅ Acknowledge receipt within 24 hours
  • ✅ Investigate promptly
  • ✅ Keep you updated on progress
  • ✅ Credit you (if you wish) when the vulnerability is fixed

We do NOT:

  • ❌ Take legal action against good-faith security researchers
  • ❌ Charge for vulnerability reports

Frequently Asked Questions

Q: Who at Theryo can see my journal entries?
A: No one at Theryo can read your journal entries. They're encrypted with keys we don't have direct access to. Only you (and providers you explicitly share with) can see your journal.

Q: Can my therapist see my private journal entries?
A: Only if you explicitly share them. By default, all journal entries are private. You choose what to share and when.

Q: What happens to my data if I cancel my subscription?
A: You can export all your data before canceling. After cancellation, we retain data according to HIPAA requirements (7 years for clinical documentation), then permanently delete it.

Q: Is Theryo secure enough for my practice?
A: Yes. Theryo meets HIPAA requirements for clinical documentation and PHI handling. Request a BAA from support@theryo.ai.

Q: Do you use my data to train AI models?
A: No. Your PHI is never used to train AI models or shared with third parties. AI features process your data in real time but don't store or learn from it.

Q: Can I use Theryo for telehealth sessions?
A: Theryo is for documentation and client engagement between sessions. For HIPAA-compliant video telehealth, use dedicated platforms like Doxy.me or SimplePractice Telehealth.

Q: What if I lose my phone with 2FA enabled?
A: Use your backup codes (saved during 2FA setup) to log in. Then disable and re-enable 2FA with your new device. If you lost your backup codes, contact support@theryo.ai for account recovery.


Getting Help

Security Questions:

  • 📧 Email: security@theryo.com
  • ⏱️ Response time: Within 24 hours for security issues

General Support:

Emergency Resources:

  • 🆘 If you're in crisis, call 988 (Suicide & Crisis Lifeline)
  • 🆘 Theryo is not a crisis service

Last updated: February 12, 2026

