Your Inner World, Safely Held
Therapy sessions contain some of the most intimate information a person has. We built Parts Companion from the ground up with the highest standard of protection that exists — because nothing less is acceptable.
There was no HIPAA-compliant option in IFS technology
When we set out to build Parts Companion, we discovered something troubling: there were no HIPAA-compliant technology platforms designed for IFS therapy or parts work. Practitioners were left choosing between tools that didn't understand their work, or tools that couldn't protect their clients' most sensitive information.
We refused to accept that trade-off. From day one, we made the decision — and the investment — to build on HIPAA-compliant infrastructure at every layer. Not as an afterthought. Not as a premium add-on. As the foundation.
This means every piece of data that flows through Parts Companion — every recording, every transcript, every part name, every reflection — is protected by the same standard of care that governs hospitals and health systems. Because the inner world deserves nothing less.
Six pillars of protection
Every layer of Parts Companion is designed to keep your data safe — from the infrastructure it runs on, to the devices our team uses, to the agreements we hold with every partner.
HIPAA-Compliant Infrastructure
Every service we use — database, file storage, AI processing, authentication — runs on the HIPAA-compliant tier. Not the standard tier with some extra settings. The tier designed for protected health information from the ground up.
Encryption Everywhere
All data is encrypted at rest using AES-256 encryption and encrypted in transit using TLS 1.2+. Your session recordings, transcripts, and notes are unreadable to anyone without proper authorization — including us.
Independent Security Audits
We don't just say we're secure — we prove it. Parts Companion undergoes regular third-party security assessments to identify and address vulnerabilities before they become problems. Trust, but verify.
Business Associate Agreements
We hold signed BAAs with every vendor that touches protected health information — from our AI providers to our database host. These legally binding agreements ensure your data is protected across the entire chain.
HIPAA-Trained Team
Every member of our team — engineers, designers, support — completes comprehensive HIPAA training and understands their personal responsibility in protecting your health information. No exceptions, no shortcuts.
Secured Devices & Access
Every team device uses two-factor authentication, disk encryption, and automatic screen locking. Our systems enforce the principle of least privilege — nobody has access to more than they need to do their job.
Your data is unreadable without authorization
Encryption isn't a feature we added — it's woven into every layer. Here's exactly what that means for your session data.
At Rest
When your data is stored — recordings, transcripts, notes, part descriptions — it's encrypted using AES-256, the same standard used by banks and government agencies. Even if someone gained physical access to our servers, they would see only indecipherable encrypted data.
In Transit
Every connection between your device and our servers, and between our servers and our partners, uses TLS 1.2 or higher. This means your data is protected from interception at every step of its journey — from the moment you upload a recording to the moment you read your session notes.
- Upload: TLS 1.2+ encrypted connection from your device
- Process: encrypted channels between our internal services
- Store: AES-256 encryption at rest in our database
- Access: TLS-encrypted delivery only to authorized users
Every partner is contractually bound to protect your data
We carefully select vendors who offer HIPAA-compliant tiers and sign Business Associate Agreements. Here's a transparent look at our infrastructure partners and what each agreement guarantees.
| Vendor | Purpose | HIPAA Tier | BAA Signed | Data Training |
|---|---|---|---|---|
| Anthropic (Claude) | Session analysis, parts identification, notes | HIPAA-eligible API | ✓ | Contractually prohibited |
| OpenAI | Part image generation, supplementary analysis | HIPAA-eligible API | ✓ | Contractually prohibited |
| Supabase | Database, authentication, file storage | HIPAA & SOC2 compliant | ✓ | N/A — infrastructure only |
| Vercel | Application hosting & deployment | HIPAA-compliant hosting | ✓ | N/A — infrastructure only |
| Inngest | Background processing orchestration | SOC2 compliant | ✓ | No PHI in transit |
AI providers never train on your data
This is one of the most important commitments we make. Our Business Associate Agreements with Anthropic and OpenAI contractually prohibit them from retaining, learning from, or training their models on any data we send them. When Parts Companion analyzes your session, the AI processes it and discards it. Your therapy session does not become part of anyone's training dataset. Ever.
A small team with a serious commitment
Being a small team is actually a security advantage. Fewer people means fewer access points, tighter controls, and more personal accountability. Here's how we operate.
HIPAA Training
Every team member completes formal HIPAA training before accessing any system that touches patient data. This isn't a one-time checkbox — we recertify annually and whenever regulations change. Each person understands exactly what PHI is, how to handle it, and what happens if protocols aren't followed.
Device Security
Every device used for Parts Companion work is protected with two-factor authentication, full-disk encryption, and automatic screen locking. We maintain a device inventory and enforce security policies consistently across the team. Lost or stolen devices can be remotely wiped immediately.
- ✓ Annual HIPAA certification for all team members
- ✓ Two-factor authentication on every device and account
- ✓ Full-disk encryption on all workstations
- ✓ Automatic screen lock after inactivity
- ✓ Remote wipe capability for lost/stolen devices
- ✓ Principle of least privilege — minimum necessary access
- ✓ Security incident response procedures documented and drilled
Only the people in the room can see the session
Your session data belongs to you. We enforce strict access controls so that only the practitioner and client involved in a session can view its contents.
Practitioner & Client Only
Session recordings, transcripts, notes, and part information are only accessible to the practitioner and client associated with that session. No other user — not even other practitioners on the platform — can see your data.
Our Team Cannot View Sessions
The Parts Companion team does not have access to session data by default. We've architected our systems so that the people who build the product cannot read the content that flows through it. Your therapy stays between you and your practitioner.
Opt-In Sharing Only
The only exceptions are ones you explicitly choose: donating sessions for research and development, or generating a time-limited sharing link. Both require your active, informed consent — we never presume permission.
Time-Limited Sharing Links
When you create a sharing link, it expires after 30 days. Recipients can view but never edit your notes. Only you, as the session owner, retain full control. You can revoke access at any time before expiration.
We offer BAAs to every US practitioner
If you're a practitioner in the United States, you can sign a Business Associate Agreement with Parts Companion — at no additional cost.
What is a BAA?
A Business Associate Agreement is a legally binding contract required by HIPAA whenever a healthcare provider shares protected health information with a third-party service. It establishes what the service can and cannot do with that data, and holds both parties accountable.
In plain terms: a BAA is Parts Companion's legal promise to protect your client data with the same standard of care that you, as a practitioner, are required to uphold. It means we share responsibility for keeping that data safe.
Why it matters for your practice
Using a technology platform for session recording without a BAA exposes practitioners to significant regulatory risk. With a signed BAA from Parts Companion, you can use our platform with confidence that you're meeting your HIPAA obligations — and that we're meeting ours.
- Practitioner: your HIPAA obligation to protect client PHI
- Business Associate Agreement: legally binds Parts Companion to HIPAA standards
- Parts Companion: shared accountability for your client data
Tools to help you practice transparently
We believe informed consent is essential. That's why we provide practitioners with resources to help their clients understand exactly how their session data is handled.
Client Consent Form
We provide a professionally drafted consent form that practitioners can share with their clients before recording sessions. It explains in clear, compassionate language what Parts Companion does, how data is protected, and what choices clients have.
- ✓ Plain-language explanation of data handling
- ✓ Details on encryption and access controls
- ✓ Client rights and data deletion options
- ✓ Link to this privacy page for full details
Built for the therapeutic relationship
We know that introducing technology into a therapy session requires trust — not just between the client and the platform, but between the client and their practitioner. Our consent form is designed to strengthen that trust, not complicate it.
Practitioners can share the consent form alongside a link to this page, giving clients full visibility into exactly how their most sensitive information is being handled. Transparency isn't just a policy for us — it's a practice.
Ownership, deletion, and research
You own your data
In compliance with the General Data Protection Regulation (GDPR), you can request deletion or a full copy of your data at any time by emailing us at hello@partscompanion.org. Your data belongs to you, and we will always honor your right to take it with you or have it removed.
Optional participation in research
Your session recordings and transcripts are secured and not viewable by the Parts Companion team — unless you actively choose to share them with us to support the development of new features.
When providing feedback, you can select "Share for Research and Development" to grant our team temporary access to your transcript. This is always opt-in, always reversible, and always appreciated. Donated sessions help us build better tools for the entire IFS community.
HIPAA compliance isn't free — we chose it anyway
Running HIPAA-compliant infrastructure costs meaningfully more than a standard deployment. HIPAA-tier database hosting, HIPAA-eligible AI APIs, SOC2-compliant orchestration, third-party security audits, legal counsel for BAAs — these aren't cheap line items. They're investments we make every month, deliberately and without hesitation.
We could have built Parts Companion faster and cheaper by cutting these corners. Many companies in adjacent spaces have. We believe that anyone building tools that touch therapy sessions has a moral obligation to protect them with the highest standard available — not the most convenient one.
A different kind of investment
Every dollar we spend on HIPAA compliance is a dollar we're not spending on marketing, features, or growth. We're okay with that. Because when a practitioner trusts Parts Companion with their client's inner world, that trust needs to be earned at every layer — not just the user interface, but the infrastructure underneath it.
Everything you need for HIPAA-compliant practice
Here's a summary of what Parts Companion provides to support your compliance obligations as a healthcare practitioner.
Business Associate Agreement
Available to all US practitioners at no additional cost. Establishes shared legal responsibility for protecting your client data under HIPAA.
Client Consent Form
A ready-to-use consent form you can share with clients. Explains data handling in clear, compassionate language alongside a link to this page.
Encryption at Rest and in Transit
All session recordings, transcripts, and notes are encrypted at rest (AES-256) and in transit (TLS 1.2+). Your client data is protected at every stage.
No AI Training on Your Data
Our BAAs with Anthropic and OpenAI contractually prohibit them from using your session data for model training. Your sessions are processed and discarded.
Strict Access Controls
Only the practitioner and client involved in a session can view its contents. Our team cannot access session data without explicit user consent.
Independent Auditing
Regular third-party security assessments verify our compliance posture. We don't just claim security — we submit to external verification.
Questions about our security practices?
We're happy to walk you through our security infrastructure, share our compliance documentation, or help you set up a Business Associate Agreement for your practice.