Security documentation

HIPAA Compliance Approach

Coach OS provides the technical safeguards that therapists and healthcare professionals need to handle protected health information (PHI) securely. This page explains what we do, what you need to do, and how we work together to support your compliance.

Important disclaimer

Coach OS is a software platform that provides technical security controls. We are not a Covered Entity or Business Associate under HIPAA. We provide tools that support your compliance program, but HIPAA compliance requires administrative, physical, and technical safeguards working together. You are responsible for your own compliance determination.

Technical Safeguards We Provide

Encryption

  • At rest: AES-256 encryption for all stored data, applied at the disk level by Supabase's managed PostgreSQL. This protects against loss or theft of the underlying storage; it does not hide rows from a query that is authorised to read them, which is why the access controls below carry the tenant-isolation guarantee.
  • In transit: TLS 1.2+ enforced on all connections. All API calls, page loads, and data transfers are encrypted.
  • Backups: Database backups are encrypted at rest on Supabase infrastructure.

Access Controls

  • Row-level security (RLS): Every table that holds client data has RLS policies keyed to the authenticated coach's user id, so a coach's queries can only return that coach's rows. Tenant isolation is enforced by the database itself, not only by application code. RLS applies to requests made under a user's own session; Supabase's service-role key bypasses RLS and must stay server-side.
  • Multi-factor authentication: TOTP-based MFA via authenticator apps (Google Authenticator, 1Password, Authy). In HIPAA mode, MFA is required and cannot be disabled.
  • Automatic session timeout: Configurable auto-logoff (5 to 120 minutes) with a 60-second warning. Active in HIPAA mode.
  • Portal passwords: Client portals can be protected with individual passwords in addition to email-based access tokens.

Audit Logging

  • Comprehensive logging: All authentication events, settings changes, and account-level actions are logged with IP address and user agent.
  • Enhanced PHI logging (HIPAA mode): When HIPAA mode is enabled, all client data access is logged. This includes viewing client profiles, generating reports, and any data sharing attempts.
  • Exportable audit trail: Data exports include the full audit log for record-keeping.

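The two sections above (row-level security under Access Controls, and the write and PHI-read logging under Audit Logging) are easiest to judge from a concrete schema. The following is an added example written for this page, not Coach OS's own schema or code: it assumes a Supabase Postgres database (where `auth.uid()` and the `anon`, `authenticated` and `service_role` roles already exist), uses illustrative table and column names, and impersonates two coaches with made-up UUIDs inside a transaction that is rolled back.

```sql
-- Added example (not Coach OS's real schema): a tenant-scoped PHI table under
-- RLS plus an append-only audit trail, for Supabase Postgres, where auth.uid()
-- and the roles anon / authenticated / service_role already exist.
-- Table and column names are illustrative.
create table if not exists public.clients (
  id        uuid primary key default gen_random_uuid(),
  coach_id  uuid not null default auth.uid(),   -- tenant key; add an FK to auth.users in production
  full_name text not null,
  notes     text
);
create table if not exists public.audit_log (
  id          bigint generated always as identity primary key,
  occurred_at timestamptz not null default now(),
  actor_id    uuid not null,                    -- who acted (auth.uid())
  coach_id    uuid not null,                    -- which tenant the entry belongs to
  action      text not null,                    -- 'client.view', 'client.update', ...
  target_id   uuid,
  ip          inet,
  user_agent  text,
  detail      jsonb
);

-- RLS is off by default; FORCE applies the policies to the table owner as well.
alter table public.clients   enable row level security;
alter table public.clients   force  row level security;
alter table public.audit_log enable row level security;
alter table public.audit_log force  row level security;

-- Grants are the first gate, policies the second. anon gets nothing, and
-- authenticated is never granted UPDATE or DELETE on the audit table and has
-- no policy for either, so the trail is append-only.
revoke all on public.clients, public.audit_log from anon, authenticated;
grant select, insert, update, delete on public.clients to authenticated;
grant select, insert on public.audit_log to authenticated;

-- USING filters what a coach can see; WITH CHECK rejects writes that would
-- place a row under another coach's id.
create policy clients_rw on public.clients for all to authenticated
  using (coach_id = auth.uid()) with check (coach_id = auth.uid());
create policy audit_read on public.audit_log for select to authenticated
  using (coach_id = auth.uid());
create policy audit_append on public.audit_log for insert to authenticated
  with check (coach_id = auth.uid() and actor_id = auth.uid());

-- Writes are captured by a trigger, so they are logged even when code talks
-- to the database directly. Request metadata comes from PostgREST's
-- request.headers setting and is simply absent in a plain psql session.
create or replace function public.audit_client_change() returns trigger
language plpgsql as $$
declare
  hdrs jsonb := coalesce(nullif(current_setting('request.headers', true), ''), '{}')::jsonb;
begin
  insert into public.audit_log
    (actor_id, coach_id, action, target_id, ip, user_agent, detail)
  values
    (auth.uid(),
     coalesce(new.coach_id, old.coach_id),
     'client.' || lower(tg_op),
     coalesce(new.id, old.id),
     nullif(split_part(hdrs ->> 'x-forwarded-for', ',', 1), '')::inet,
     hdrs ->> 'user-agent',
     jsonb_build_object('old', to_jsonb(old), 'new', to_jsonb(new)));
  return coalesce(new, old);
end $$;
create trigger clients_audit
  after insert or update or delete on public.clients
  for each row execute function public.audit_client_change();

-- Triggers cannot see SELECTs, so PHI reads go through a function that logs
-- first. It is SECURITY INVOKER (the default): the caller's RLS still decides
-- whether any row comes back, and the access attempt is logged either way.
create or replace function public.get_client_logged(p_client_id uuid)
returns setof public.clients language plpgsql as $$
begin
  insert into public.audit_log (actor_id, coach_id, action, target_id)
  values (auth.uid(), auth.uid(), 'client.view', p_client_id);
  return query select * from public.clients where id = p_client_id;
end $$;

-- Verification in one transaction, impersonating two coaches with made-up ids
-- (on a real project use ids from auth.users). Everything is rolled back.
begin;
  set local role authenticated;
  select set_config('request.jwt.claims',
    '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}', true);
  insert into public.clients (full_name) values ('Client of coach A');
  select set_config('request.jwt.claims',
    '{"sub":"22222222-2222-2222-2222-222222222222","role":"authenticated"}', true);
  insert into public.clients (full_name) values ('Client of coach B');
  select count(*) as rows_visible_to_b from public.clients;
  select * from public.get_client_logged((select id from public.clients limit 1));
  select action, actor_id, target_id from public.audit_log order by id;
  delete from public.audit_log;   -- refused: authenticated has no DELETE grant
rollback;

-- Caveat: service_role carries BYPASSRLS, so server-side code holding that key
-- sees every tenant. Check it, and never ship that key to a browser.
select rolname, rolbypassrls from pg_roles where rolname in ('authenticated', 'service_role');
```

Run against a Supabase project from the SQL editor or psql. Inside the transaction, coach B's `count(*)` returns 1 even though two rows exist, the audit query shows only B's own `client.insert` and `client.view` entries, and the `delete` fails with a permission error, which aborts the transaction before the rollback. Two design choices are deliberate: `actor_id` is `NOT NULL`, so a write made with the service-role key and no user context fails in the trigger rather than producing an anonymous audit entry, and the read-logging function is security invoker rather than security definer so it cannot become a way around the `clients` policies.
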
Automatic Logoff

The HIPAA Security Rule lists automatic logoff as an addressable implementation specification of its access-control standard (45 CFR 164.312(a)(2)(iii)): sessions should end after a defined period of inactivity. Coach OS tracks mouse, keyboard, and scroll activity in the browser. After the configured timeout (default 30 minutes), users see a 60-second warning and are signed out automatically if they do not respond. The timeout is configurable from 5 to 120 minutes.

Data Rights and Portability

  • Full data export: Coaches can export all client data (profiles, session notes, goals, messages, forms) as a JSON file at any time.
  • Account deletion: Complete account and data deletion is available from Settings. All associated data is permanently removed from the live database; copies held in existing encrypted backups persist until those backups expire under Supabase's retention schedule.
  • No training on your data: Client data is never used for AI model training without explicit consent.

Infrastructure

  • Supabase: Database and authentication. SOC 2 Type II certified. Offers Business Associate Agreements for HIPAA-covered data (Pro plan at the time of writing; confirm the current plan requirement with Supabase before relying on it).
  • Vercel: Application hosting (compute layer). No PHI is stored in Vercel: it runs as a stateless compute layer, with all data residing in Supabase. PHI does pass through Vercel functions in transit on every request, so that layer is not outside HIPAA's scope merely because nothing is stored there, and request and response bodies must not be written to its logs.

What Coach OS Does vs. What You Must Do

Coach OS provides

  • Encryption at rest (AES-256) and in transit (TLS 1.2+)
  • Row-level security and access controls
  • Multi-factor authentication
  • Automatic session timeout
  • Comprehensive audit logging
  • Data export and deletion tools
  • SOC 2 certified infrastructure

You are responsible for

  • Determining if HIPAA applies to your practice
  • Obtaining client consent for data collection
  • Executing a BAA with Supabase (Pro plan)
  • Your own privacy policies and procedures
  • Physical safeguards (securing your devices)
  • Staff training on HIPAA requirements
  • Breach notification procedures

Ready to enable HIPAA mode?

Sign in and go to Settings, then the Security tab. Enable HIPAA mode to activate all technical safeguards automatically.