Privacy

You don't have to choose between efficiency and ethics

We built Upheal to protect what matters most: your confidential therapeutic relationships. Your clients' vulnerable moments remain exactly where they belong: within the therapeutic container you've carefully created.

Your sessions won't train our AI

Unlike typical AI scribes, Upheal never uses your sessions to train our platform without explicit permission from both you and your clients.

Your clients control their own data

We empower your clients with clear choices about their data privacy, including opt-out options that respect their therapeutic autonomy.

Your data is never for sale

We've built a privacy policy that never allows selling your clients' sensitive information to third parties or data brokers.

Your therapeutic privilege comes first

If subpoenaed, we'll contact you first (where legally permitted), upholding your role as the guardian of client confidentiality.

Your security is continuously verified

We invest in regular penetration testing by external security experts, following rigorous OWASP standards to protect your practice.

HIPAA compliant
PHIPA & PIPEDA compliant
GDPR & DPA compliant
SOC 2 certified
Continuously externally tested

Frequently asked questions

Is Upheal HIPAA compliant?

Yes. The Upheal platform lets healing professionals concentrate on their services by providing automated notes and analytics for client conversations. As part of this process, Upheal handles protected health information on behalf of practitioners and does so as a Business Associate under HIPAA.

Upheal fully complies with the HIPAA Security Rule and Privacy Rule, protecting clients' electronic protected health information (ePHI) with the administrative, physical, and technical safeguards required to ensure its confidentiality, integrity, and availability.

Our platform provides a secure environment for your ePHI through a combination of technical and non-technical measures. Learn more here.

Is Upheal PHIPA & PIPEDA compliant?

Yes. We have undergone an assessment by a third-party auditor which confirmed that we meet all requirements set by the Personal Health Information Protection Act (PHIPA) and the Personal Information Protection and Electronic Documents Act (PIPEDA).

This means that whether you use our product anywhere in Canada (PIPEDA) or specifically in the province of Ontario (PHIPA), your data remains protected under the applicable privacy requirements.

Is Upheal GDPR & DPA compliant?

Yes. Upheal is fully compliant with the General Data Protection Regulation (GDPR), the UK GDPR, and the UK Data Protection Act (DPA). We prioritize the privacy and protection of our users' personal data and carry out all data processing activities in accordance with the requirements set out by these regulations.

What additional security measures are employed at Upheal?

At Upheal, we are committed to protecting the data on our platform and have implemented several measures to secure it. We understand that trust is critical in our industry, and the following measures reflect that commitment:

  • HIPAA, PHIPA & PIPEDA compliant. We comply with the strict standards set by the Health Insurance Portability and Accountability Act (HIPAA), the Personal Health Information Protection Act (PHIPA) and the Personal Information Protection and Electronic Documents Act (PIPEDA) to ensure the confidentiality, integrity, and availability of Protected Health Information (PHI). Learn more here.
  • GDPR compliant. We follow the data protection rules established by the GDPR, UK GDPR and UK DPA to safeguard the personal data of individuals within the EU and UK. By combining US and EU standards, we also meet and exceed US state and federal laws on the security and privacy of data.
  • SOC 2 compliance. We have obtained SOC 2 certification, a globally recognized standard for organizational and technical security controls. SOC 2 compliance ensures that our security controls, policies, and procedures are designed to protect customer data against unauthorized access, disclosure, alteration, and destruction. In addition, we use AWS for our cloud infrastructure and storage, a highly secure and reliable vendor.
  • Availability of personal data. Upheal takes appropriate measures to ensure the availability of personal data, including backup and disaster recovery procedures so that personal data remains available in the event of an unexpected outage or disaster.
  • Record-level encryption of customer PII and PHI data. Encrypting each record individually limits the impact of a security breach and ensures that only authorized personnel can access the data.
  • Security incident readiness. In the event of a security incident, we have a security incident policy and protocol to follow to ensure fast resolution and mitigation of harm to personal data.
Our systems regularly undergo comprehensive penetration testing by external security firms, following industry-leading OWASP standards. All identified issues are addressed, and test results are reported in our Trust Center.

Do you have a Business Associate Agreement (BAA)?

Yes. You can find our Business Associate Agreement (BAA) here. It governs the relationship between Upheal as a Business Associate and healing professionals who are Covered Entities under HIPAA. All Covered Entities who use our platform agree to the terms of the BAA upon signing up.

Can Upheal access clients' information stored on the platform?

Personal data, including protected health information (PHI), processed by the Upheal platform is stored in a pseudonymized format. This means that personal data is not stored in its original form but is instead replaced with a pseudonym or random identifier. Because the stored records are not directly identifiable on their own, the risk posed by unauthorized access to sensitive information is reduced.

Upheal only accesses a client's protected health information (PHI) when it is necessary to investigate a technical issue that a care provider reports to Upheal Support. Most technical problems are solved without any access to PHI, but sometimes we need to see some details to understand exactly what went wrong. The Upheal Support team members who may access PHI are HIPAA-trained engineers and act in line with our SOC 2 Type II attestation. They do not share, sell, or expose your data to others.

Access to personal data is strictly controlled and limited to individuals who require it to perform their job functions. All access to personal data is logged and monitored, and access rights are reviewed regularly to ensure that they remain appropriate and up to date.

Does Upheal help healing professionals collect consents from their clients?

Yes, we offer several methods for collecting client consent through the app: a consent request can be shared by email or presented directly during the call. For more details about the consent collection process, visit the support center. You can also use this Privacy Policy template.

Choose a partner, not just a product.

Your clients trust you with their most vulnerable moments, and you deserve supportive technology that honors that trust as seriously as you do. When you're choosing a tool, ask the difficult questions, read the privacy policies, and demand transparency.