Security & Compliance

Vochella operates under a Business Associate Agreement (BAA) with all infrastructure providers. We follow the minimum necessary principle — only the data required for a specific function is ever accessed or transmitted. All protected health information (PHI) is handled according to HIPAA, PHIPA, and PIPEDA requirements.

• BAA in place with all data sub-processors
• Minimum necessary principle enforced at every layer
• PHI never exposed in logs, error reports, or notifications
• Workforce training and documented compliance policies

All data is encrypted both in transit and at rest. API calls are served exclusively over HTTPS with TLS 1.3. Databases use AES-256 encryption at rest. File access (videos, documents) uses time-limited signed URLs that expire automatically.

• TLS 1.3 encryption for all data in transit
• AES-256 encryption for all data at rest
• Signed URLs with 1-hour automatic expiry
• Secure token storage using platform-native keychains

Row-level security (RLS) policies are enforced at the database level — not in application code. Every query is scoped to the authenticated user. Clinicians can only access their own clients. Clients can only see their own data. Every access to sensitive data is logged before it is returned.

• Row-level security on every database table
• Role-based access: clinician, client, admin
• Audit trail for receipts, reports, and PHI access
• Session tokens with automatic expiration and refresh

Vochella is built on Supabase (SOC 2 Type II certified) for database, authentication, storage, and serverless functions. Payments are processed through Stripe (PCI DSS Level 1 compliant). All secrets and API keys are stored in edge functions — never in client code.

• Supabase: SOC 2 Type II, ISO 27001
• Stripe: PCI DSS Level 1 certified
• Edge functions for all server-side secrets
• No client-side exposure of API keys or credentials

When AI features generate session prep briefs or SOAP note drafts, clinical data is processed through our AI provider under a Business Associate Agreement. We apply the minimum necessary standard and strip direct identifiers (such as client names) where technically feasible. All AI processing runs through server-side edge functions.

• Direct identifiers stripped before AI transmission where feasible
• BAA in place with OpenAI — no data used for model training
• Minimum necessary standard applied to all AI requests
• AI processing via edge functions — never client-side

You own your data. At any time, you can export your complete data set — client records, session notes, progress data, and attachments — in standard formats. You can request full account and data deletion. In the unlikely event of a breach, we commit to notification within 72 hours.

• Full data export at any time
• Complete account and data deletion on request
• Breach notification within 72 hours
• Transparent privacy policy with no hidden clauses