Our Approach
PsyFi Technologies (DBA; formerly Oaken Cloud Technologies) builds products for behavioral health. We implement administrative, physical, and technical safeguards aligned to HIPAA’s Security Rule. We are not a law firm; the following describes our controls and how we support your compliance program.
Infrastructure
- Hosted on AWS (VPC isolation, private subnets, security groups, ALB/ACM TLS)
- Managed PostgreSQL (RDS) with automated backups & encryption
- Secrets Manager for application secrets and database credentials
- SSM Session Manager for audited access to instances (no public SSH keys)
Data Protection
- Encryption in transit: TLS 1.2+ everywhere
- Encryption at rest: RDS, EBS, and S3 server-side encryption
- Field-level protections: optional de-identification and masking policies
- Backups: automated snapshots & retention policies; disaster recovery playbooks
Application Security
- Multi-tenant isolation enforced in the application layer and the database
- Role-based access control (company admin, user)
- SSO/OAuth with Google; optional two-factor authentication (app or email)
- Rate limiting, CSRF protection, input validation
Audit & Monitoring
- Structured application logs with request identifiers
- Access logs for admin actions, data exports, and login events
- Infrastructure metrics & alerts (CPU, memory, latency, error rates)
Business Associate Agreement (BAA)
We provide a BAA to covered entities and their business associates using PsyFi Assistant or PsyFi GPT in production. Contact us to initiate the BAA process.
Data Retention & Portability
- Configurable retention windows per workspace
- Export capabilities (CSV, DOCX/PDF for reports)
- Account deletion workflow
Note: HIPAA compliance is shared. Your organization must implement appropriate policies (e.g., access control, device security, breach notification). We’re happy to share artifacts (architecture overview, data flows, subprocessor list) under NDA.