SecurePractice: for small healthcare practices

Trust center

Security & Compliance

Built for HIPAA workflows with transparent safeguards, audit logging, and documentation you can hand to reviewers or your compliance team.

HIPAA Compliance

SecurePractice signs Business Associate Agreements (BAAs) and aligns operational processes to HIPAA administrative, physical, and technical safeguards. Customer data is hosted on HIPAA-eligible Google Cloud services covered under a BAA, and access is limited to authorized personnel on a least-privilege basis as needed to operate and support the service.

  • BAA-backed operations with least-privilege access for support.
  • Role-based access controls and audit trails for sensitive workflows.
  • PHI-aware safeguards for features that may contain regulated data.

Audit Logging & Retention

Key application events, such as uploads, deletions, checklist updates, and incident activity, are recorded with timestamps and user attribution. Access and administrative activity in the underlying Google Cloud services is captured via Google Cloud audit logging. Log retention is configured to support HIPAA documentation needs, including long-term retention where required.

  • User-attributed event history across uploads, incidents, and checklist workflows.
  • Logs can be provided to support investigations and external reviews.
  • Cloud audit logging retained in accordance with our documented retention policy (including long-term retention where required).

Data Security

Data is encrypted in transit (TLS) and at rest. We rely on Google Cloud managed services, restricted service accounts, and controlled configuration/secrets handling to operate the platform with minimal data exposure.

  • Encryption in transit and at rest for app data and file storage.
  • Restricted service accounts and least-privilege access controls.
  • Service durability and redundancy provided by underlying Google Cloud services.

Application Security

We use modern identity and access controls, including multi-factor authentication support, scoped permissions, and regular dependency updates. Tenant-scoped access to customer data is enforced through Firebase Security Rules and server-side authorization checks where applicable.

  • MFA-capable authentication with role-based authorization checks.
  • Authorization enforced via org membership and plan entitlements.
  • Routine security updates for dependencies and infrastructure tooling.

Privacy

We minimize the data we collect and use it only to operate the service. Support channels are treated as non-PHI, and customers should avoid sending any Protected Health Information (PHI) in support requests.

  • Transparent privacy practices documented in our public policies.
  • No selling of customer data; limited use for service delivery and support.
  • Clear PHI guidance and in-app warnings to help users avoid putting sensitive data in the wrong place.

Responsible Disclosure

If you believe you've found a security issue, please tell us so we can fix it quickly. Contact our security team directly so your report gets prioritized.

  • Report suspected issues to security@securepractice.app.
  • Include steps to reproduce, affected areas, and any available evidence.
  • We'll acknowledge receipt and provide status updates while we investigate.

Compliance Documentation Library

Share these documents with your internal stakeholders, vendors, or auditors to streamline reviews. All downloads live in our Trust Center and stay aligned with the latest platform updates.