HIPAA · United States

Six-year retention via redaction-not-deletion. BAA available.

  • All PHI is encrypted at rest
  • All traffic is encrypted in transit
  • Each practice's data is walled off from every other practice
  • The activity log records every time PHI is read or written
  • Inactivity logout (30 minutes by default, configurable)
  • Six-year retention via redaction-not-deletion model
  • BAA available on every paid plan, request here

GDPR · clients in the EU/EEA

Article 17 right-to-erasure, with a redaction workflow that respects HIPAA.

For practices that serve clients with EU/EEA data rights, GDPR Article 17 is a feature, not a policy. Praxnote's erasure workflow lets you scope the request (session notes, transcripts, documents, portal documents, portal messages, assessments, billing narratives), routes it through approval, and removes the client's information while preserving the minimal record-keeping that retention rules still require.

  • Right-to-erasure workflow with scoped checkboxes
  • Praxnote staff review and approve every request before it executes
  • The client's information is removed; the minimal record-keeping that retention rules require is preserved
  • An execution summary is returned to the request record
  • The consent log is first-class (type, source, granted/revoked timestamps)
  • The audit log captures every step

PIPEDA · Canada

Canadian residency, Canadian rights, Canadian audit trail.

Praxnote supports practices operating in Canada, with PIPEDA-aligned consent management, residency configuration at the practice level, and erasure workflows equivalent to those used for GDPR.

  • Per-practice data residency setting (US / CA today)
  • UX gating respects residency: clients in Canada see Canadian-residency flows
  • Consent log captures granular consent (treatment, communication, billing, research)
  • Right-to-access and right-to-correction workflows shipped

Operational security commitments

Architecture-level choices that are easier to verify than to claim.

  • No third-party AI middlemen: your data goes directly to the AI vendor and back
  • No Google Fonts; the typefaces you see are served from Praxnote, not from a third party
  • No third-party analytics phoning home by default
  • Session-based authentication with no passwords, so there are none to leak
  • Updates roll out without forcing your clinicians to refresh the page mid-session
  • Background processing runs in a separate, isolated environment
  • Every destructive action requires explicit, in-app confirmation

Compliance conversation

Bring your specific scenario to a 30-minute call.

Whether you serve a multi-jurisdiction client base, operate across US and Canada, or need attestations for a specific framework, we'll walk through what Praxnote ships and where customization fits.