M E N T R A

Loading

Trust & Security

Your Data is Safe With Us

MentraNote was built with security-first design. Every architectural decision — from storage to AI — prioritizes the protection of your clients' sensitive mental health information.

HIPAA Compliant
AES-256 Encrypted
2FA Enforced
SOC 2 Aligned
BAA Available
Data Security

Enterprise-Grade Security Architecture

Every layer of MentraNote is designed to protect sensitive mental health data from unauthorized access.

AES-256-CBC Encryption

All clinical data — session notes, client records, transcripts — is encrypted at rest using AES-256-CBC with a base64-encoded secret key. Data is never stored in plaintext. Encryption keys are rotated regularly.

TLS 1.3 In-Transit Encryption

All data transmitted between your browser/app and MentraNote servers is protected by TLS 1.3. We enforce HTTPS on all endpoints with HSTS headers. Downgrade attacks are prevented by design.

JWT + 2FA Authentication

MentraNote uses short-lived JSON Web Tokens (JWT) stored in HttpOnly cookies — not localStorage — preventing XSS token theft. Two-Factor Authentication (2FA) is enforced for all accounts.

Role-Based Access Control

Our RBAC system enforces strict data segregation: Therapists see only their own clients, Supervisors access org-wide data, and Organization Admins manage team settings. No cross-account data leakage.

Audit Logs & Compliance Trail

Every access, edit, and deletion of PHI (Protected Health Information) is logged with timestamps, user IDs, and IP addresses. Full audit trails are available to Organization Admins on request.

Secure Cloud Infrastructure

MentraNote is hosted on AWS with Multi-AZ redundancy, automated daily backups, and a 99.9% uptime SLA. Databases use encrypted RDS with VPC isolation and no public internet exposure.

HIPAA Compliance

Built for HIPAA Compliance from Day One

The Health Insurance Portability and Accountability Act (HIPAA) governs how Protected Health Information (PHI) must be stored, transmitted, and accessed. MentraNote was architecturally designed with these requirements in mind.

Business Associate Agreements (BAA)

We sign BAAs with all subscribers, making us a covered Business Associate under HIPAA.

Minimum Necessary Access Principle

Users only access PHI required for their role. No unnecessary data exposure across the system.

Breach Notification Protocol

In the unlikely event of a breach, subscribers are notified within 60 days per HIPAA Breach Notification Rule requirements.

Data Retention & Deletion

Session recordings are flagged for notification at day 335 and automatically deleted at day 365 in compliance with retention policies.

HIPAA Safeguard Summary
Administrative Safeguards
Policies, training, workforce management
Physical Safeguards
Data center security, device controls
Technical Safeguards
Encryption, auth, access controls
Organizational Requirements
BAAs, policies, documentation

All plans include a signed Business Associate Agreement. Request yours at compliance@mentranote.com

Privacy Policy

How We Handle Your Data

What Data We Collect
  • Account information (name, email, professional license)
  • Session notes and clinical data you create
  • Video session recordings (with explicit consent)
  • Usage analytics (anonymized, no PHI)
  • Payment information (processed by Stripe — we never store card numbers)
What We Never Do
  • We never sell your data or your clients' data
  • We never share PHI with third parties without your consent
  • We never use clinical notes to train AI models without opt-in
  • We never store credit card information on our servers
  • We never send marketing emails to your clients
Your Rights
  • Right to access all data we hold about you
  • Right to correct inaccurate information
  • Right to request data deletion (account closure)
  • Right to data portability (export in standard formats)
  • Right to withdraw consent for optional data processing
Trusted Sub-Processors
  • AWS — Cloud hosting and storage
  • Stripe — Payment processing
  • OpenAI — AI note generation (PHI sanitized)
  • Jitsi — Video session infrastructure
  • Resend / SendGrid — Transactional email
AI Ethics

Responsible AI by Design

MentraNote uses AI to assist clinicians — not replace their judgment. We are committed to ethical, transparent, and clinician-controlled AI use in mental health contexts.

AI Assists, Clinicians Decide

Every AI-generated note is presented as a draft for clinician review. Notes are never auto-signed or auto-submitted. You are always in control.

PHI Never Sent to AI Without Sanitization

Before session transcripts are processed by our AI, personally identifiable information is masked. We use de-identification techniques aligned with HIPAA Safe Harbor.

No Training on Your Data (Default Off)

Your clinical notes are never used to train AI models by default. Organizations can opt-in to anonymized model improvement under strict data governance terms.

Bias Monitoring & Clinical Review

Our clinical advisory board regularly audits AI outputs for bias, accuracy, and clinical appropriateness. We maintain an active feedback loop with licensed clinicians.

Security & Compliance Summary
HIPAA Compliance Compliant
AES-256 Encryption at Rest Enabled
TLS 1.3 In-Transit Enforced
Two-Factor Authentication Mandatory
Business Associate Agreement All Plans
Annual Security Audit Completed
Data Residency (US) AWS US-East
Request Security Documentation
Terms of Service

Terms & Conditions

Summary of our key terms. Full legal text available on request.

Subscription Terms

Subscriptions are billed monthly or annually. You may cancel at any time. No refunds for partial months. Upgrade is immediate; downgrade takes effect at next billing cycle.

Account Responsibility

You are responsible for maintaining the confidentiality of your login credentials and for all activity under your account. Multi-therapist accounts must ensure each user has individual credentials.

Acceptable Use

MentraNote may only be used for lawful clinical documentation. You may not reverse-engineer the platform, resell access, or use it for non-clinical purposes. Violations result in immediate termination.

Limitation of Liability

MentraNote is a documentation tool. It does not provide clinical advice. We are not liable for clinical decisions made using AI-generated notes. Always apply professional clinical judgment.

These terms are effective as of January 1, 2025. For full legal text or to request a signed copy, contact legal@mentranote.com.