Security and Compliance

Security and Compliance Overview

Last updated: May 4, 2026. This overview describes the safeguards EMDRSuite is designed around. It is not a certification, and it is not by itself a claim of legal compliance.

Security posture

EMDRSuite is designed with HTTPS, authenticated therapist areas, random patient session tokens, scoped server routes, privacy-aware logs, and controlled access to clinical notes.

Healthcare privacy

Remote therapy software may be subject to HIPAA, GDPR, local health privacy laws, professional rules, and contractual requirements. Compliance depends on final configuration, policies, contracts, vendor terms, and customer use.

Access control

Therapist dashboards require authentication. Patient access uses temporary session links. Administrative access should be limited to authorized operators and audited as the product matures.

Realtime sessions

BLS (bilateral stimulation) commands are transmitted through realtime channels. Clinical notes and patient profile data are stored through server-side routes rather than exposed through public session events.
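The three properties named above (random patient session tokens, temporary session links, and scoped routes that keep clinical notes off the realtime channel) fit together as follows. This is an added illustration, not EMDRSuite's own code; the in-memory token store, the two-hour lifetime and the route names are assumptions.

```python
import hmac
import secrets
import time

# Constructed example, not EMDRSuite's own code: an in-memory dict stands in
# for the server-side table that would hold issued patient session tokens.
TOKEN_TTL_SECONDS = 2 * 60 * 60  # assumption: a session link lives two hours

_patient_tokens = {}  # token -> {"session_id": str, "expires": float}


def issue_patient_token(session_id, now=None, ttl=TOKEN_TTL_SECONDS):
    """Create an unguessable, time-limited token for one patient session."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _patient_tokens[token] = {"session_id": session_id, "expires": now + ttl}
    return token


def resolve_patient_token(token, now=None):
    """Return the session id the token grants, or None if unknown or expired.

    Every stored token is compared in constant time so response timing does
    not reveal how much of a guessed token matched a real one.
    """
    now = time.time() if now is None else now
    supplied = token.encode("utf-8")
    found = None
    for stored, rec in list(_patient_tokens.items()):
        if rec["expires"] <= now:
            del _patient_tokens[stored]  # expired links are purged on contact
            continue
        if hmac.compare_digest(stored.encode("utf-8"), supplied):
            found = rec["session_id"]
    return found


def authorize(route, principal):
    """Scoped routes: a patient token only unlocks the realtime BLS channel;
    clinical notes and profile data require an authenticated therapist."""
    kind = principal.get("kind")
    if route == "realtime/bls":
        return kind in ("therapist", "patient")
    if route in ("notes", "patient_profile"):
        return kind == "therapist" and principal.get("authenticated") is True
    return False  # unknown routes are denied by default
```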

Data minimization

The platform should avoid collecting unnecessary sensitive information. Therapists should enter only information required for clinical workflow and legal recordkeeping.

Encryption

Traffic should be encrypted in transit with HTTPS. Database encryption at rest and backup encryption should be configured with the production infrastructure provider.

Incident response

A production launch should include incident reporting procedures, breach assessment workflows, vendor contact paths, and customer notification standards.

Legal review

Claims such as "HIPAA compliant", "GDPR compliant", or "medically certified" should not be made until they have been reviewed and are supported by legal, technical, and operational evidence.