About Upheal: How we work with and secure your data

November 9, 2023

How we work with session data

We recognise that privacy and data security are very much necessary for therapy to be safe and effective. Let’s begin by addressing how we work with private session data and what happens to it. 

As you probably already know, when you want to use Upheal for notes and insights, we need some kind of record of your session, whether that’s audio, video, or an uploaded recording. Otherwise, there would be nothing to create notes or insights from.

Now, let’s use the example of holding your sessions on Upheal in an online format – your video-call creates: an audio recording, a session transcript, progress notes, and analytics. 

For added security and privacy purposes, we delete the audio recording once it’s no longer needed for session processing. We’ve made deleting the recording a default standard. If you, the healing professional, want to keep the audio for supervision or clinical purposes, it’s possible, but you must get explicit client consent.

As for the rest, once you edit and finalize the pre-drafted progress notes, the session transcript, analytics, and even the notes themselves can be deleted too.

We recommend that you delete whatever you feel comfortable with on an individual or practice level, after you submit your notes to the necessary insurance or third-party vendors, of course. 

We’ve made it possible to set this up for your entire practice which means that all of your team members’ transcripts will be deleted automatically once the notes are generated. 


| | What it is | Delete options |
|---|---|---|
| Audio recording | The audio file from your session. | Deleted by default: immediately deleted unless client consent is obtained. |
| Session transcript | The session is written out, in dialogue format. | Optional: once the notes and insights are done, you may want to consider deleting transcripts on a case-by-case basis. |
| Progress notes | The AI-powered and team-approved intake or progress notes. | Optional: Once submitted to insurance, notes can be deleted, however, mandate states that providers keep progress notes for 6-7 years. |
| Analytics | Additional objective data points like response time, talking ratio and speech cadence. | Optional: This is entirely up to you, however, please note that deleting notes will also delete your analytics. |

* Please note: based on your Upheal plan, you may not have session transcript access.

If you choose not to delete a session transcript, you will have access to this (non-de-identified) transcript for however long you use the app. We do not have access to it ourselves. However, like any cloud service, we must store it somewhere, and we have made sure to partner with an established, robust, secure storage provider: AWS, complete with AES-256 encryption. In addition, AWS environments are continuously audited, with certifications from accreditation bodies across geographies and verticals.

Furthermore, if you ask us to troubleshoot an issue that requires us to potentially access your notes or transcript, based on your request we will first gather explicit consent from you, the healing professional, to make sure that you are comfortable giving us access to this client data. Our staff are fully trained for this and we have a strong protocol in place that follows our privacy policy and HIPAA standards if such a case should arise. 

More on data security and third-parties 

We follow the best industry practices and have an extensive list of certifications when it comes to data protocol and protection. Upheal is HIPAA, PHIPAA, PIPEDA, GDPR, and DPA compliant in the USA, Canada, EU, UK, New Zealand and Australia. We have also received the SOC 2 Type I attestation report. This rigorous, independent assessment of our internal security controls serves as validation of our dedication and adherence to the highest standards for security, confidentiality, availability, privacy, and processing integrity. You can read more here.

In addition, HIPAA regulates how we share data with any third parties. We must enter a BAA (Business Associate Agreement) with any third party that would receive access to, transmit, or store Protected Health Information (PHI) as part of its services for the provider. The BAA effectively extends the responsibility we have over our clients’ data to any third party. This means the third parties have to be legally responsible for their security and privacy practices under HIPAA, the same way we are. An example of an LLM third party we work with is Microsoft Azure. Other third parties must guarantee that they:

  • Aren’t logging any information from or about the data, nor have employees processing session data.
  • Aren’t storing the data, except for our storage provider – AWS. 
  • Aren’t using any data for any AI training of their own.

As a therapist, it can be beneficial to conduct a security risk assessment and document those results. The Office of the National Coordinator for Health Information Technology (ONC) offers a security risk assessment tool that could be used for this purpose. Generally, the more levels of information there are and the more data is moved around, the greater the risk of human error.

What about client data?

In our previous article, we explained that we allow our clients to decide if they want to opt into sharing their session data with us for AI and product improvements. 

We don’t just assume, and we are proud of that distinction.

If clients opt-in to sharing their session data with us, as per our Privacy Policy, we store the session transcript for 1 year and derived datasets for 5 years (see below). As we discussed previously, this is stored in de-identified form. 

| Improving the app | Therapy purposes |
|---|---|
| De-identified transcript data is deleted after 1 year and de-identified derived datasets after 5 years. We delete the data anytime if you withdraw your consent. | Therapists keep data in full until they decide to delete it. Until then it is protected by our HIPAA and Privacy Policies. |

Just to help give you an idea, 18 different types of identifiers are removed, including names, telephone numbers, vehicle identifiers, serial numbers, email addresses, medical and social record numbers, and so on, which you can read about here. And finally, we do regular vulnerability testing as part of our development cycle making sure our product doesn't have any known vulnerabilities.

Key takeaways

  • Upheal follows industry best-practices for data protocol and protection. 
  • We conduct regular penetration testing by external security companies. 
  • Upheal is HIPAA, PHIPAA, PIPEDA, GDPR, and DPA compliant. 
  • We do regular vulnerability testing as part of our development cycle.
  • Our security and privacy commitments are constantly being monitored by industry leading compliance software and you can review our security posture anytime at https://trust.upheal.io
  • Upheal deletes audio recordings by default, and offers practice-level transcript deletion.
  • Deleting transcripts, progress notes, and insights is fully possible anytime. If kept, the above are secured with AES-256 encryption and calls are end-to-end encrypted.
  • Transcript data is de-identified if kept for AI and product improvements.
  • Analytics can also be deleted anytime.

We hope this helps answer some of your most pressing questions! If you have any more data or privacy related questions, you can peruse our Support center or drop us an email. Next time, we’ll be looking at our obligation to law enforcement. 
