Common Security Questions About TherapyAppointment

info Note:

All information below is provided solely regarding the internal TherapyAppointment systems, database, integrations, and network. All customers are responsible for reviewing and assessing the security of their own internal systems and security practices and vetting the security of their other vendors independently.

All data that is shared with TherapyAppointment is stored and processed in North America

Servers and networks reside in US-based data centers within the Amazon Web Service (AWS) cloud. Core staff are located in the US and Canada. Third-party data processors that integrate with the TherapyAppointment portal are also US and Canada-based.

Privacy and security standards extend to third-party relationships

TherapyAppointment conducts reviews of third party software and computing vendors to ensure that they satisfy compliance requirements and are equipped to provide a similar level of protection to customer content. All third party vendors that store, process, access, or manage PHI on TherapyAppointment’s behalf are required to enter into a HIPAA Business Associate Agreement that extends the privacy and security standards required by the application. 

Servers and networks leverage redundant designs to maximize availability

All servers and networks are distributed across at least two AWS availability zones to limit the risk of application downtime. File and database content for our systems is replicated automatically by AWS across three availability zones.

Customer content is protected by a multi-layer backup strategy

Customer content and other critical data is backed up nightly to Amazon-managed storage within the same region and retained for a minimum of 35 days. For most types of information, our team is able to perform a point-in-time restore from backup to any moment within the past month.


In addition to these backups, TherapyAppointment replicates a secondary copy of all customer data in real-time to a geographically separate location to aid recovery in the event of a major failure or natural disaster. 

TherapyAppointment leverages industry validated encryption solutions to protect all data transmitted or stored by the system.

Where possible, we leverage native AWS encryption, which is built upon strong foundations and has been vetted time and again by industry experts. To ensure security and enforcement of our policies, we retain control over keys that are used by AWS for encryption. 


All customer content is covered by at least one layer of 256-bit AES encryption. For some particularly sensitive types of data, secondary encryption occurs within the application before data is stored in our database.


TherapyAppointment enforces encryption of network connections between the user and AWS as well as connections between the different components of the system. The primary encryption protocol for network traffic is TLSv1.2 though we also rely on SSH and other industry standard protocols for administrative purposes. In all cases, we harden the encryption configuration against known weaknesses and vulnerabilities.

TherapyAppointment conducts regular scans for its system and network. 

Periodic vulnerability scans or penetration testing are done on a regular, scheduled basis to assess network computing and physical and system architecture for weaknesses and to identify software dependencies that may require updates.

Security and privacy are woven into the application design and development process

TherapyAppointment’s core values include respecting provider control of their data and protecting the confidentiality and security of patient data. These values actively drive decision-making about the product and are actively evaluated when considering new features. 


TherapyAppointment has established software security standards and development processes to reduce the risk of critical vulnerabilities being introduced in our software.

TherapyAppointment provides customers tools to secure their own use of the system

We require customers to assign unique users and passwords to each member of their team, while providing free accounts for non-clinical staff to encourage compliance. TherapyAppointment provides multiple job-based roles and permissions enabling practice owners to grant the right level of access to each user in their account. 


All users are required to set a 12-character or stronger password and are encouraged to add additional protection to their account using multi-factor authentication. Customers are provided access to audit logs, which can be used to monitor logins and other activity within the practice and identify potential misuse. 


Practice owners also have the ability to configure and enforce security and compliance settings for their staff, including:


  • Automatically sign users out after a period of inactivity (up to one hour)
  • Require multi-factor authentication
  • Disable accounts automatically after 90 days of inactivity

For advanced use-cases, we offer options and support for logging into TherapyAppointment through external identity providers using Open ID Connect (OIDC, such as Okta or Microsoft Entra).