Security & Compliance

Last updated: February 28, 2026

CBT Assistant Pro is built from the ground up with clinical security in mind. We understand that therapists handle some of the most sensitive information in healthcare — Protected Health Information (PHI). Every architectural decision, from encryption to access control, is designed to meet or exceed the requirements of HIPAA, GDPR, and industry best practices.

Compliance Standards

HIPAA

Health Insurance Portability and Accountability Act

  • §164.312(a) — Access control with unique user IDs and session management
  • §164.312(b) — Audit controls with comprehensive activity logging
  • §164.312(c) — Integrity controls with encrypted storage and versioned data
  • §164.312(d) — Authentication with bcrypt password hashing (cost factor 12)
  • §164.312(e) — Transmission security with TLS 1.3 and certificate validation
  • §164.308(a)(5) — Security awareness with automatic PHI redaction in logs

GDPR

General Data Protection Regulation (EU)

  • Article 17 — Right to erasure (full account deletion)
  • Article 20 — Right to data portability (full data export)
  • Article 25 — Data protection by design and by default
  • Article 32 — Security of processing with encryption and access controls
  • Cookie consent with transparent disclosure
  • Explicit consent gate for voice recording features

Encryption

Data at Rest

  • Database: Amazon Aurora PostgreSQL with AES-256 encryption using customer-managed AWS KMS keys with automatic annual rotation
  • File Storage: Amazon S3 with SSE-KMS encryption using dedicated customer-managed keys
  • Secrets: All credentials stored in AWS Secrets Manager, encrypted with a dedicated KMS key
  • Backups: Database backups encrypted at rest with 30-day retention

Data in Transit

  • HTTPS Only: All traffic encrypted with TLS 1.3 (policy: ELBSecurityPolicy-TLS13-1-2-2021-06). TLS 1.0 and 1.1 are blocked.
  • HSTS: Strict-Transport-Security header with 1-year max-age, includeSubDomains, and preload
  • Database: SSL/TLS required for all PostgreSQL connections with AWS RDS CA certificate validation
  • S3: Bucket policy enforces TLS — non-encrypted connections are denied
  • HTTP Redirect: All HTTP requests automatically redirect to HTTPS (301)

Authentication & Access Control

  • Password Hashing: bcrypt with cost factor 12 (HIPAA-appropriate)
  • Password Policy: Minimum 8 characters with at least 3 of 4 complexity categories (uppercase, lowercase, number, special character)
  • Session Management: Server-side sessions stored in PostgreSQL with 12-hour expiry and maximum 5 concurrent sessions per user
  • JWT Tokens: HS256-signed with runtime-validated secrets (hard-fails if missing)
  • Cookie Security: HttpOnly, Secure, SameSite=Lax flags on all authentication cookies
  • CSRF Protection: Double Submit Cookie pattern with timing-safe comparison
  • Google OAuth: Available as an alternative sign-in method with proper CSRF state parameter validation
  • Brute-Force Protection: Rate limiting on login (7 attempts/10 min), sign-up (5/15 min), and password reset (5/15 min) with automatic lockout periods
  • Account Enumeration Prevention: Password reset always returns generic responses regardless of email existence
  • Session Revocation: All sessions automatically revoked on password reset; individual session management available
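The Double Submit Cookie check with a timing-safe comparison, as an added example that is not the product's own code; the cookie name, header name and the assumption that header keys arrive already normalized are mine:

```python
"""Added example: Double Submit Cookie CSRF check with a timing-safe compare."""
import hmac
import secrets
from typing import Mapping

CSRF_COOKIE = "csrf_token"     # assumed cookie name
CSRF_HEADER = "X-CSRF-Token"   # assumed header the client echoes the token in
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


def issue_csrf_token() -> str:
    """Mint the random token set in the CSRF cookie on first visit.

    Unlike the session cookie, this one is deliberately readable by the
    page's own scripts so they can copy it into the request header; the
    same-origin policy stops other sites from reading it.
    """
    return secrets.token_urlsafe(32)


def csrf_check(method: str, cookies: Mapping[str, str],
               headers: Mapping[str, str]) -> bool:
    """Return True if a state-changing request carries matching tokens."""
    if method.upper() in SAFE_METHODS:
        return True                       # reads need no CSRF check
    cookie_token = cookies.get(CSRF_COOKIE)
    header_token = headers.get(CSRF_HEADER)  # assumes normalized header keys
    if not cookie_token or not header_token:
        return False                      # a cross-site request cannot add the header
    # compare_digest takes time independent of the first differing byte, so
    # response timing reveals nothing about the expected token.
    return hmac.compare_digest(cookie_token.encode("utf-8"),
                               header_token.encode("utf-8"))


if __name__ == "__main__":
    token = issue_csrf_token()
    ok = csrf_check("POST", {CSRF_COOKIE: token}, {CSRF_HEADER: token})
    forged = csrf_check("POST", {CSRF_COOKIE: token}, {})  # cookie sent, header absent
    print("legitimate:", ok, "forged:", forged)
```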

Infrastructure Security

  • Cloud Provider: Amazon Web Services (AWS) — SOC 1/2/3, ISO 27001, HIPAA-eligible services
  • Network Isolation: Three-tier architecture with ALB in public subnets, application and database in private subnets (no public IP addresses)
  • VPC Endpoints: Private network connectivity to AWS services (Secrets Manager, ECR, S3, CloudWatch) — no internet traversal
  • Web Application Firewall: AWS WAF v2 with rate limiting (2,000 requests/IP) and AWS Managed Common Rule Set
  • Container Security: Application runs as non-root user (UID 1001) in AWS Fargate containers
  • Security Groups: Least-privilege network rules — database only accessible from application tier, application only from load balancer
  • Image Scanning: ECR scan-on-push enabled for container vulnerability detection

Audit Logging & Monitoring

  • Application Audit Trail: Every PHI access, creation, modification, deletion, and export is logged with user ID, IP address, user-agent, and timestamp (HIPAA §164.312(b))
  • Authentication Events: All login attempts (successful and failed), logouts, and password changes are audit-logged
  • AWS CloudTrail: Immutable record of all AWS API calls with log file validation enabled and 7-year retention
  • Database Logging: PostgreSQL audit logs (all statements, connections, disconnections) exported to CloudWatch
  • PHI Redaction: Automatic redaction of sensitive fields (names, diagnosis, medication, notes, SSN, etc.) in application logs
  • Container Insights: Infrastructure-level monitoring for CPU, memory, network, and storage metrics
  • S3 Versioning: Document storage maintains version history — files cannot be silently modified or deleted
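One way to implement the automatic PHI redaction in application logs described above, as an added example rather than the product's own code; the field names it scrubs and the key=value / JSON-style log formats it expects are assumptions:

```python
"""Added example: automatic PHI redaction of application log lines."""
import logging
import re

# Keys treated as PHI; the exact field names the application uses are assumed.
PHI_FIELDS = ("name", "diagnosis", "medication", "notes", "ssn")

# key=value or "key": "value" pairs whose key is a PHI field (case-insensitive).
# Unquoted values end at whitespace or a separator; quoted values are taken whole.
_KV_RE = re.compile(
    r"\b(?P<key>" + "|".join(PHI_FIELDS) + r")\b"
    r"(?P<sep>[\"']?\s*[=:]\s*)"
    r"(?P<val>\"[^\"]*\"|'[^']*'|[^\s,;}]+)",
    re.IGNORECASE,
)
# A bare US SSN anywhere in the line, even when no key labels it.
_SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def redact_phi(text: str) -> str:
    """Replace PHI values with [REDACTED], preserving keys and quoting."""
    def _sub(m: "re.Match[str]") -> str:
        quote = m.group("val")[0] if m.group("val")[0] in "\"'" else ""
        return f"{m.group('key')}{m.group('sep')}{quote}[REDACTED]{quote}"
    return _SSN_RE.sub("[REDACTED]", _KV_RE.sub(_sub, text))


class PHIRedactionFilter(logging.Filter):
    """Scrubs the fully formatted message before any formatter or sink sees it."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_phi(record.getMessage())
        record.args = None
        return True


def redacted_line(msg: str, *args: object) -> str:
    """Run one message through the filter and return what would be emitted."""
    record = logging.LogRecord("app", logging.INFO, __file__, 0, msg, args, None)
    PHIRedactionFilter().filter(record)
    return record.getMessage()


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    logging.getLogger().addFilter(PHIRedactionFilter())
    # Constructed sample line; the values are fictional.
    logging.info('session 17 saved notes="Client reports low mood" ssn=123-45-6789')
```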

Browser Security

Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; object-src 'none'; upgrade-insecure-requests
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(self), geolocation=()

Your Data Rights

  • Data Export: Download a complete copy of all your data at any time (clients, sessions, formulations, assessments, treatment plans)
  • Account Deletion: Permanently delete your account and all associated data with confirmation safeguard
  • Cookie Transparency: We use only strictly necessary cookies. No tracking or marketing cookies.
  • Voice Consent: Explicit opt-in required before any voice recording or transcription features are activated

Questions?

If you have questions about our security practices or need to report a security concern, please contact us at info@cbtassistantpro.com.