Privacy and compliance

Learn more about how we meet HIPAA, PHIPA, PIPEDA & GDPR regulations while providing you with our service and support to enhance your healthcare and well-being practice.

HIPAA compliantPHIPA compliant
HIPAA, PHIPA & PIPEDA compliant
We carefully follow all HIPAA, PHIPA & PIPEDA standards to ensure the confidentiality, integrity, and availability of Protected Health Information (PHI).
GDPR & DPA compliant
We also follow the data regulations established by the GDPR, UK GDPR and UK DPA to provide important security measures for the protection of personal data of individuals within the EU and UK.
SOC 2 Type II
This independent certification is the gold standard of data protection. Our internal security controls adhere to SOC 2 Type II standards in all 5 trust areas: security, confidentiality, availability, processing integrity and privacy.

Frequently asked questions

Is Upheal HIPAA compliant?

Yes. The Upheal platform empowers healing professionals to concentrate on their services by offering automated notes and analytics for client conversations. As a part of this process, Upheal handles protected health information for practitioners, adhering to HIPAA regulations as a Business Associate.

Upheal fully complies with the HIPAA Security Rule and Privacy Rule, ensuring that clients’ electronic health information (ePHI) is protected with proper administrative, physical, and technical safeguards to ensure confidentiality, integrity, and security.

Our platform provides a secure environment for your ePHI through a combination of technical and nontechnical measures. Learn more here

Is Upheal PHIPA & PIPEDA compliant?

Yes. We have undergone an assessment by a 3rd party auditor which confirmed we are meeting all requirements set by the Personal Health Information Protection Act (PHIPA) and the Personal Information Protection and Electronic Document Act (PIPEDA).

This means that whether you're using our product across Canada or in the province of Ontario, your data remains under the safeguard of the highest privacy protocols.

Is Upheal GDPR & DPA compliant?

Yes. Upheal is fully compliant with the General Data Protection Regulation (GDPR), UK GDPR, and UK Data Protection Act (DPA). We prioritize the privacy and protection of our users' personal data, ensuring that all data processing activities are carried out in accordance with the stringent requirements set forth by these regulations.

Do you have a Business Associate Agreement (BAA)?

Yes. You can find our Business Associate Agreement (BAA) here which governs our cooperation between us as a Business Associate and healing professionals when they are defined as a Covered Entity under HIPAA. All Covered Entities who use our platform agree to the terms of the BAA upon signing up. 

Can Upheal access clients' information stored on the platform?

Personal data processed by the Upheal platform is stored in a pseudonymised format. This means that personal data is not stored in its original form but is instead replaced with a pseudonym or a random identifier. This process ensures that personal data is not directly identifiable, reducing the risk of unauthorized access to sensitive information.

For confidentiality of client information, Upheal implements a strong security culture and access management protocols to effectively prevent unauthorized access to data. Access to personal data is strictly controlled and limited to individuals who require access to perform their job functions. All access to personal data is logged and monitored, and access rights are reviewed regularly to ensure that they are appropriate and up-to-date. Upheal shall only access PHI of a client only if the therapist provides explicit consent for such access. Upheal shall obtain this consent in writing, and shall not access the PHI until such consent is obtained. The therapist shall have the right to revoke their consent at any time, and upon revocation, Upheal shall immediately cease accessing the PHI. 

What additional security measures are employed at Upheal?


At Upheal, we are committed to protecting the data on our platform and have therefore implemented several measures to ensure its security. We understand that trust is critical in our industry, and we are therefore committed to protecting our customers' data:

  • HIPAA, PHIPA & PIPEDA compliant. We comply with the strict standards set by the Health Insurance Portability and Accountability Act (HIPAA), Personal Health Information Protection Act (PHIPA)and the Personal Information Protection and Electronic Document Act (PIPEDA) to ensure the confidentiality, integrity, and availability of Protected Health Information (PHI). Learn more here
  • GDPR compliant. We follow the data regulations established by the GDPR, UK GDPR and UK DPA to provide important security measures for the protection of personal data of individuals within the EU and UK. Combining US and EU standards, we also meet and exceed US state and federal laws for security and privacy of data.
  • SOC 2 compliance. Furthermore, we are working towards obtaining SOC 2, a globally recognized standard for organisational and technical security controls. SOC 2 compliance ensures that our security controls, policies, and procedures are designed to protect customer data against unauthorized access, disclosure, alteration, and destruction. In addition, we use AWS for our cloud infrastructure and storage, a highly secure and reliable vendor. 
  • Availability of personal data. Upheal takes appropriate measures to ensure the availability of personal data. This includes implementing backup and disaster recovery procedures to ensure that personal data is available in the event of an unexpected outage or disaster.
  • Record-level encryption of customer PII and PHI data. This helps to protect data in case of a security breach and ensures that only authorized personnel can access the data. 
  • Security incident readiness. In the event of a security incident, we have a security incident policy and protocol to follow to ensure fast resolution and mitigation of harm to personal data. 


Upheal reviews the platform’s security regularly to ensure that it remains effective and up-to-date.

What are the best practices for me to keep my client’s data safe?

We've put together some best practices to help protect sensitive information while using our platform:

  • Follow security best practices: It is essential to use a strong and unique password for your Upheal account. Make sure it is not shared with any other services and avoid using the same password for multiple accounts. Make sure to also avoid networks susceptible to attack such as public wifi when using the platform.
  • Don't share access: Do not share access to your Upheal account with anyone else, even trusted colleagues. Upheal accounts are designed to be individual, and sharing access can lead to a breach of client confidentiality.
  • Use a HIPAA compliant storage: If you export data from Upheal, make sure you store it on a safe and HIPAA compliant storage. Only use trusted services that are compliant with data protection regulations, like Upheal.
  • Contact us for support: If you have any doubts about the safety or security of your data on the Upheal platform, please contact our support team. We are here to help you keep your client's data safe.


Don’t forget to also follow any security guidelines that may apply to you as a professional in your location. By following these best practices, you can help ensure the security and confidentiality of data while using Upheal. We are committed to maintaining the highest standards of data protection, and we encourage our community to do the same.

Does Upheal help healing professionals collect consents from their clients?

Yes, we offer various methods to collect client consent through the app. It can be shared via email or directly during the call. For more details about the consent collection process, you can visit the support center. Additionally, you can check this Privacy Policy template.