Security & Compliance

How PsyFi Technologies protects PHI and supports HIPAA obligations.

PsyFiGPT implements administrative, physical, and technical safeguards aligned to HIPAA’s Security Rule. We’re not a law firm—this page describes our controls and how we support your compliance program.

Our Approach

PsyFi Technologies (DBA; formerly Oaken Cloud Technologies) builds products for behavioral health. We implement administrative, physical, and technical safeguards aligned to HIPAA’s Security Rule and industry best practices.

Infrastructure

  • Hosted on AWS (VPC isolation, private subnets, security groups, ALB/ACM TLS)
  • Managed PostgreSQL (RDS) with automated backups & encryption
  • AWS Secrets Manager for application secrets and database credentials
  • AWS Systems Manager Session Manager for audited access (no public SSH keys)

Data Protection

  • Encryption in transit: TLS 1.2+ everywhere
  • Encryption at rest: RDS, EBS, and S3 server-side encryption
  • Field-level protections: optional de-identification and masking policies
  • Backups: automated snapshots & retention policies with disaster recovery playbooks

Application Security

  • Multi-tenant isolation enforced in the application layer and database
  • Role-based access control (company admin, user)
  • SSO/OAuth with Google and optional Two-Factor Authentication (app or email)
  • Rate limiting, CSRF protection, and input validation across endpoints

Audit & Monitoring

  • Structured application logs with request identifiers
  • Access logs for admin actions, data exports, and login events
  • Infrastructure metrics and alerts (CPU, memory, latency, error rates)

Business Associate Agreement (BAA)

We provide a BAA to covered entities and their business associates using PsyFi Assistant or PsyFiGPT in production. Contact us to initiate the BAA process.

Data Retention & Portability

  • Export capabilities (CSV, DOCX/PDF for reports)
  • Account deletion workflow

Shared responsibility: HIPAA compliance is collaborative. Your organization must implement appropriate policies (access control, device security, breach notification). We can share architecture diagrams, data flows, and subprocessor lists under NDA.

At a Glance

  • TLS 1.2+
  • AES-256 at rest
  • OAuth2 / 2FA
  • VPC isolation
  • BAA available