Loading
MentraNote was built with security-first design. Every architectural decision — from storage to AI — prioritizes the protection of your clients' sensitive mental health information.
Every layer of MentraNote is designed to protect sensitive mental health data from unauthorized access.
All clinical data — session notes, client records, transcripts — is encrypted at rest using AES-256-CBC with a base64-encoded secret key. Data is never stored in plaintext. Encryption keys are rotated regularly.
All data transmitted between your browser/app and MentraNote servers is protected by TLS 1.3. We enforce HTTPS on all endpoints with HSTS headers. Downgrade attacks are prevented by design.
MentraNote uses short-lived JSON Web Tokens (JWT) stored in HttpOnly cookies — not localStorage — preventing XSS token theft. Two-Factor Authentication (2FA) is enforced for all accounts.
Our RBAC system enforces strict data segregation: Therapists see only their own clients, Supervisors access org-wide data, and Organization Admins manage team settings. No cross-account data leakage.
Every access, edit, and deletion of PHI (Protected Health Information) is logged with timestamps, user IDs, and IP addresses. Full audit trails are available to Organization Admins on request.
MentraNote is hosted on AWS with Multi-AZ redundancy, automated daily backups, and a 99.9% uptime SLA. Databases use encrypted RDS with VPC isolation and no public internet exposure.
The Health Insurance Portability and Accountability Act (HIPAA) governs how Protected Health Information (PHI) must be stored, transmitted, and accessed. MentraNote was architecturally designed with these requirements in mind.
We sign BAAs with all subscribers, making us a covered Business Associate under HIPAA.
Users only access PHI required for their role. No unnecessary data exposure across the system.
In the unlikely event of a breach, subscribers are notified within 60 days per HIPAA Breach Notification Rule requirements.
Session recordings are flagged for notification at day 335 and automatically deleted at day 365 in compliance with retention policies.
All plans include a signed Business Associate Agreement. Request yours at compliance@mentranote.com
MentraNote uses AI to assist clinicians — not replace their judgment. We are committed to ethical, transparent, and clinician-controlled AI use in mental health contexts.
Every AI-generated note is presented as a draft for clinician review. Notes are never auto-signed or auto-submitted. You are always in control.
Before session transcripts are processed by our AI, personally identifiable information is masked. We use de-identification techniques aligned with HIPAA Safe Harbor.
Your clinical notes are never used to train AI models by default. Organizations can opt-in to anonymized model improvement under strict data governance terms.
Our clinical advisory board regularly audits AI outputs for bias, accuracy, and clinical appropriateness. We maintain an active feedback loop with licensed clinicians.
Summary of our key terms. Full legal text available on request.
Subscriptions are billed monthly or annually. You may cancel at any time. No refunds for partial months. Upgrade is immediate; downgrade takes effect at next billing cycle.
You are responsible for maintaining the confidentiality of your login credentials and for all activity under your account. Multi-therapist accounts must ensure each user has individual credentials.
MentraNote may only be used for lawful clinical documentation. You may not reverse-engineer the platform, resell access, or use it for non-clinical purposes. Violations result in immediate termination.
MentraNote is a documentation tool. It does not provide clinical advice. We are not liable for clinical decisions made using AI-generated notes. Always apply professional clinical judgment.
These terms are effective as of January 1, 2025. For full legal text or to request a signed copy, contact legal@mentranote.com.