Security & privacy
NFable treats all patient content as PHI and is designed for HIPAA from the first line.
Data protection
- PHI is encrypted in transit and at rest.
- PHI is never written to logs, analytics, or crash reports.
- Intention dialogue and journal entries are the most sensitive data we hold and are protected accordingly.
Business associate posture
- NFable is BAA-ready. A signed BAA precedes any PHI exchange.
- AI processing runs under a BAA-covered path with a no-training-on-PHI term.
- A subprocessor list is available under BAA.
Clinical authority
The clinic is the clinical authority. NFable supports the work around the session. It does not treat, diagnose, or monitor. Concerning content is routed to your clinical team per your protocol.
Roadmap
SOC 2 is on the roadmap; this page will track that posture as it matures.