Your clients trust you with their deepest thoughts.

We don’t take that lightly.

HIPAA-Aligned Architecture

PathwayNotes was built with therapist-client confidentiality as the foundation. Not a feature. The foundation.

Here’s what we do and why it matters for your practice: All client data is encrypted from the moment it enters our system. Only you (and clinicians you explicitly authorize) can access client reflections. Your data never leaves your practice’s legal jurisdiction unless you tell us to. And we log everything—so you know exactly who’s seen what, when.

This isn’t compliance theater. It’s real infrastructure built for real therapy relationships.

Security Features

AES-256 Encryption

Industry-standard encryption at rest and in transit. Client notes are encrypted before they leave your computer.

Role-Based Access

You control who sees what. Clinicians in your practice see only their own clients. Admin controls let you manage permissions. Simple and granular.

Audit Logging

Every access to client data is logged. You can review who accessed what, when, and for how long. Total transparency.

Data Retention Controls

You set the rules. Auto-delete after 7 years? Done. Keep forever? Your choice. You control the timeline.

Penetration Testing

We run regular security audits. Third-party penetration testing ensures nothing slips through.

SOC 2 Compliance

Working toward SOC 2 Type II certification. Enterprise-grade compliance for therapist-grade care.

How We Handle Your Data

Where it lives

US-based servers (AWS). Data stays in the US unless you explicitly choose otherwise for compliance reasons.

How it's locked

AES-256 encryption at rest. TLS 1.2+ in transit. Encrypted database. Encrypted backups. No plaintext anywhere.

Who can see it

Only you. And clinicians you explicitly authorize in your practice. PathwayNotes staff never sees client data unless you request support (and then only with your permission).

When clients leave

You can delete a client's data on-demand. Or set it to auto-delete after a set period. It's gone—not archived, not hidden, gone.

Business Associate Agreements

If you’re part of a covered entity or HIPAA-regulated organization, you’ll need a Business Associate Agreement (BAA). We have them ready.

BAAs are available for Enterprise plans. Need one? Talk to us. We’ll have it signed within 48 hours.

Security Questions

Is client data stored in the US?

Yes. All data is stored on US-based AWS servers. We don't move data internationally without explicit permission from you.

Can I delete a client's data?

Absolutely. You can delete any client's data on-demand. It's permanently removed from our servers and backups within 30 days. Or set it to auto-delete after a certain period (7 years, 10 years, etc.).

Who can see client data?

Only you, and any clinicians you explicitly invite to your practice workspace. We never see client data. Your team can see only their own clients—no cross-client access.

Do you sell or share client data?

No. Never. We don't sell data. We don't share it with third parties. We don't use it for training AI models. Client data is yours alone.

What happens to my data if I cancel?

Your data is yours. You have 30 days to download or delete everything. After 30 days, we delete it automatically. No hostage situations.

What happens if there's a breach?

In the unlikely event of a breach, we notify you immediately—within 24 hours—and provide a detailed report. We have cyber insurance and a documented incident response plan.

Ready to keep your clients' breakthroughs safe?

Start your free trial. No credit card required. Build your first practice workspace in 3 minutes.