JotPsych | Security & Privacy — Your Data, Protected at Every Step

Security is not a feature.
It’s the architecture.

JotPsych was designed from day one for behavioral health privacy. Your patients’ data is encrypted, redacted, and deleted — automatically, at every step.

HIPAA Compliant · CCPA-Ready Infrastructure · GDPR-Compliant Transcription · SOC 2 Certified Vendors · BAA Standard

Your data is yours.
Period.

We built JotPsych on a simple principle: the less data we hold, the less there is to protect. Audio is deleted. Transcripts are redacted. Notes belong to you. We never train models on your clinical data.

Zero model training — Your clinical sessions are never used to train or fine-tune AI models.
Optional PII redaction — Toggle patient identifier redaction on or off based on your practice’s needs.
Permanent audio deletion — Original recordings are destroyed the moment transcription completes.
BAA for every customer — Business Associate Agreements are standard, not a paid add-on.
You control deletion — Delete your notes at any time. When you delete, it’s gone. No backups, no cold storage tricks.
[Data-flow diagram: Encrypted input (TLS 1.3 + AES-256) → Transcription (SOC 2 certified vendors, HIPAA-compliant) → PII redaction (optional toggle; patient identifiers filtered) → Audio destroyed → HIPAA-compliant storage (US-East, AES-256)]

How your data flows through JotPsych

Five steps from recording to storage. Every step encrypted, audited, and compliant. Nothing is retained that doesn’t need to be.

Secure Collection
Audio encrypted with AES-256 and stored in our ISO-certified US-based infrastructure.
Transcription & Optional PII Redaction
Our transcription process uses SOC 2-certified services. Optional PII redaction strips patient identifiers before AI processing.
Audio Permanently Destroyed
Original recording is irreversibly deleted. No copies, no backups. The audio is gone forever.
Compliant Note Generation
The redacted transcript is processed through HIPAA-, CCPA-, and GDPR-compliant infrastructure to generate your note.
Encrypted Storage
Notes are stored in a HIPAA-compliant database with AES-256 encryption. You control retention and deletion.

Compliance at every layer

Enterprise-grade standards from infrastructure to application. Verified, audited, and documented.

HIPAA (Active)
Full administrative, technical, and physical safeguards for protected health information. BAA provided to all customers.

SOC 2 Certified Vendors (Vendor-Certified)
All critical subprocessors in our infrastructure are independently SOC 2 Type II certified.

CCPA-Ready Infrastructure (Active)
Built on CCPA-compliant infrastructure. Our data handling practices are aligned with California consumer privacy requirements.

GDPR-Compliant Transcription (Active)
Our transcription process is GDPR-compliant. Infrastructure hosted in the US with EU data protection alignment.

ISO-Certified Infrastructure (Active)
Our infrastructure is certified under ISO 27001, 27017, and 27018 for information security management.

Security built into every layer

From the moment a session starts to the moment you delete a note, your data is protected.

End-to-end encryption
TLS 1.2+ in transit and AES-256 at rest. Data is encrypted before it leaves your device and stays encrypted until you access it.
Optional PII redaction
Toggle PII redaction to strip patient names, dates of birth, and other identifiers during transcription — before any AI processing occurs.
Permanent audio deletion
Audio recordings are permanently destroyed immediately after transcription completes. No copies are retained anywhere.
No model training
We never use your clinical sessions, notes, or patient data to train, fine-tune, or improve any AI model. Your data stays yours.
BAA for every customer
Business Associate Agreements are standard — not a premium add-on. Every customer who handles PHI gets a signed BAA.
Custom retention policies
Configure how long notes and transcripts are retained. Set auto-deletion windows to match your state and organizational requirements.
Role-based access controls
Minimum-necessary access is enforced and audit-logged at every level. Clinicians see only their patients; admins see only what they need.
Incident response
Documented breach notification protocol aligned with HIPAA’s 60-day requirement. Internal response team activated within 24 hours.
US-based infrastructure
Our infrastructure is hosted in the US (East Coast) — the same cloud region trusted by the CDC, MedStar Health, and major health systems.
At a glance: AES-256 at rest · TLS 1.2+ in transit · US-East hosted · SOC 2 certified vendors · audio auto-deleted

Security & privacy FAQ

Common questions about how JotPsych handles your data, compliance, and patient privacy.

Yes. JotPsych is fully HIPAA compliant. We maintain administrative, technical, and physical safeguards for all protected health information. All data is encrypted at rest (AES-256) and in transit (TLS 1.2+). We provide signed BAAs to every customer.

No. JotPsych never uses patient data, clinical sessions, transcripts, or notes to train, fine-tune, or improve any AI model. Patient data is processed solely for the purpose of generating your clinical documentation. We also ensure our AI subprocessors do not use your data for training.

Audio recordings are permanently and irreversibly deleted the moment the transcript is completed and verified. No copies are retained in any backup, archive, or cold storage system. This is automatic and cannot be reversed.

Yes. BAAs are standard for all JotPsych customers — they are not a paid add-on. We sign BAAs with every practice that handles protected health information. Contact support@jotpsych.com to initiate yours.

Audio recordings are deleted immediately after transcription. Clinical notes are retained in our HIPAA-compliant database until you choose to delete them. We also offer configurable data retention policies with auto-deletion windows to match your regulatory requirements. Signed notes can be stored with tamper-proof electronic signatures for 7-year compliance retention.

All data is stored on our US-based infrastructure (Northern Virginia), certified under ISO 27001, 27017, and 27018. This is the same cloud region used by the CDC, MedStar Health, and other major healthcare organizations. Data never leaves US-based servers.

All of JotPsych’s critical subprocessors are independently SOC 2 Type II certified. We are happy to share our security posture documentation and vendor certifications upon request.

Have questions about security and privacy?

Our team is ready to walk you through our security posture, provide compliance documentation, or set up a BAA.