Security at MyPsyche

Last updated: 10 June 2026. Everything below is implemented in the product today — no aspirational claims, no badge wall.

Encryption

  • Field-level encryption: client records, notes, questionnaire answers and conceptualizations are encrypted with AES-256-GCM in the application, before they reach the database. This is on top of disk-level encryption — a database snapshot alone does not expose client content.
  • Envelope-encrypted audio: every session recording is encrypted with its own data key, which is itself encrypted by a master key. Withdrawing consent destroys the recording and its transcript.
  • All traffic is TLS; HSTS is enforced with preload.
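
The envelope scheme from the second bullet, as an added illustration rather than MyPsyche's own code: each recording gets a fresh AES-256-GCM data key, that key is wrapped under a master key, and withdrawing consent destroys the wrapped key so the stored ciphertext (and any backup of it) becomes unrecoverable. The `Recording` struct, function names and the master key being passed in as a plain byte slice are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// Recording is what the database stores for one session recording (assumed layout).
type Recording struct {
	Ciphertext []byte // AES-256-GCM over the audio: nonce || ciphertext || tag
	WrappedKey []byte // the recording's own data key, sealed under the master key
}
// Key-handling code must not tolerate a broken RNG or a bad key size: panic.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// A 32-byte key selects AES-256; NewGCM cannot fail for AES's 16-byte block.
func aeadFor(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }
// seal prepends a fresh random 96-bit nonce; open reverses it, and the GCM tag rejects a wrong key or tampering.
func seal(key, plaintext []byte) []byte {
	nonce := make([]byte, 12)
	must(rand.Read(nonce))
	return aeadFor(key).Seal(nonce, nonce, plaintext, nil)
}
func open(key, sealed []byte) ([]byte, error) {
	if len(sealed) < 12 {
		return nil, errors.New("ciphertext missing or too short")
	}
	return aeadFor(key).Open(nil, sealed[:12], sealed[12:], nil)
}
// EncryptRecording: a fresh 256-bit data key per recording, wrapped under masterKey.
func EncryptRecording(masterKey, audio []byte) *Recording {
	dataKey := make([]byte, 32)
	must(rand.Read(dataKey))
	return &Recording{Ciphertext: seal(dataKey, audio), WrappedKey: seal(masterKey, dataKey)}
}
// DecryptRecording unwraps the data key, then decrypts the audio with it.
func DecryptRecording(masterKey []byte, r *Recording) ([]byte, error) {
	dataKey, err := open(masterKey, r.WrappedKey)
	if err != nil {
		return nil, err
	}
	return open(dataKey, r.Ciphertext)
}
// WithdrawConsent crypto-shreds: without the wrapped data key, even a surviving backup of the ciphertext is undecryptable.
func WithdrawConsent(r *Recording) { r.WrappedKey, r.Ciphertext = nil, nil }
```

Note that the master key never touches audio bytes directly, so rotating it means re-wrapping small data keys, not re-encrypting every recording.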

Access control

  • Tenant isolation: every query is scoped to the owning therapist's account; client records are never reachable across accounts.
  • Sharing is explicit: a client sees an item in their portal only after the therapist shares that specific item; sharing is revocable, and raw session notes are never shareable — only therapist-reviewed summaries.
  • Sessions are revocable server-side; passwords are hashed with argon2id; all links/tokens (questionnaire fill links, portal invites) are high-entropy, expiring, and stored only as SHA-256 hashes.
  • Recording consent is first-class: recordings require documented consent per participant before processing.

Accountability

  • Append-only audit log of security-relevant events: record access, exports, sharing changes, consent changes, AI usage.
  • Rate limiting on authentication, public questionnaire links and AI endpoints.
  • Security headers throughout (HSTS, X-Frame-Options DENY, X-Content-Type-Options nosniff, strict referrer policy, locked-down permissions policy).

Honesty section

  • We do not hold ISO 27001 or SOC 2 certifications today, and we won't claim badges we don't have. The architecture above is documented and verifiable.
  • Content processed by AI providers is decrypted for that processing; see the AI transparency page for exactly what goes where, retention windows, and the no-training commitments.
  • Responsible disclosure: report vulnerabilities to [SECURITY CONTACT EMAIL]. We respond fast and won't pursue good-faith research.