Security & compliance
HIPAA and GDPR for therapy software — what PR-TOP offers
Updated: July 2026 · Reviewed by the PR-TOP team
PR-TOP is EU-hosted and GDPR-native. It applies AES application-layer encryption, an immutable audit log, role-based access control, and consent enforcement to all client data. It does not hold HIPAA certification and does not offer a Business Associate Agreement. EU, Ukrainian, Russian, and LATAM practices should use the GDPR Data Processing Addendum included by default.
What HIPAA actually requires
HIPAA (the US Health Insurance Portability and Accountability Act) applies to US-based "covered entities" — healthcare providers, health plans, and healthcare clearinghouses — and their "business associates." It sets administrative, physical, and technical safeguards for Protected Health Information (PHI). If you are a therapist licensed in the US and you process PHI, your software vendors must be willing to sign a Business Associate Agreement (BAA).
Most non-US therapists encounter HIPAA as a question, not a legal obligation. International practitioners — in the EU, Ukraine, Russia, Latin America — are not HIPAA-covered entities. They are subject to their local data protection law: GDPR in the EU, the Law on Personal Data Protection in Ukraine and Russia, and national privacy laws in LATAM countries. For these practices, GDPR compliance is the correct bar, not HIPAA.
PR-TOP is built for this international market. It meets GDPR requirements and applies strong technical controls that parallel many HIPAA safeguards — but it has not been independently audited for HIPAA, and it does not offer the BAA that US covered entities require. This page explains exactly where PR-TOP's controls map to HIPAA expectations, and where the gaps are.
PR-TOP sits between sessions — not just at the note-writing moment. Clients keep a voice, text or video diary via Telegram between appointments. Therapists assign exercises, and clients can send one-tap crisis alerts directly to the therapist's inbox. All of this data flows through the same AES-encrypted application layer, so the between-session record is protected by the same controls as the session transcript.
HIPAA safeguards mapped to PR-TOP controls
| HIPAA safeguard | What HIPAA requires | PR-TOP control | Gap / Notes |
|---|---|---|---|
| Access Control | Unique user IDs, emergency access procedures, automatic logoff | JWT auth with HttpOnly cookies, role-based access (therapist / client / admin), session tokens with expiry | No BAA offered; not independently audited for HIPAA; no automatic logoff timer configured by default |
| Audit Controls | Record and examine activity in systems that contain ePHI | Append-only immutable audit log for all Class A data access (diary, transcripts, notes, summaries) | Audit log is designed to meet this expectation; not formally certified |
| Encryption at Rest | Addressable — encrypt ePHI in storage where reasonable and appropriate | AES application-layer encryption for all Class A data before storage; database holds ciphertext, not plaintext | Meets the addressable standard; encryption is at the application layer, not full-disk |
| Integrity | Protect ePHI from improper alteration or destruction | Immutable audit trail; no edit-in-place on Class A data; deletions are logged | Meets the intent; not formally audited against HIPAA integrity requirements |
| Transmission Security | Protect ePHI transmitted over electronic networks | TLS 1.2+ on all connections, HTTPS-only, no plaintext data transfer | Standard implementation; meets the requirement |
| Business Associate Agreement | Required for covered entities using a business associate's service | NOT OFFERED — PR-TOP is not a HIPAA Business Associate | EU/international practices should use the GDPR Data Processing Addendum instead |
This table maps PR-TOP's existing controls to HIPAA safeguard categories for informational purposes only. It does not constitute legal advice and does not represent HIPAA certification. US covered entities must consult legal counsel before using PR-TOP for PHI.
Why GDPR-first may be the right choice for your practice
GDPR (the EU General Data Protection Regulation) sets a high bar for data processing: lawful basis, data minimisation, purpose limitation, rights for data subjects (access, rectification, erasure, portability), mandatory breach notification, and — for processors — a Data Processing Addendum (DPA). PR-TOP meets all of these requirements by design.
For EU-licensed therapists, GDPR is the binding legal framework. For Ukrainian therapists, the Law on Personal Data Protection applies and is closely aligned with GDPR principles. For LATAM therapists, national frameworks (LGPD in Brazil, Ley 1581 in Colombia, etc.) are either modelled on GDPR or compatible with it. In each case, the correct compliance framework is local law, not HIPAA.
PR-TOP processes all data on EU infrastructure (Hetzner data centres). There are no US-based sub-processors for client data. A Data Processing Addendum is available by default — not on request, not behind an enterprise tier. Clients can exercise GDPR data subject rights (access, rectification, erasure) directly through the therapist dashboard. You can export or wipe an entire client record in one action.
See: GDPR compliance details, data sovereignty, and audit log architecture.
Between-session data: where encryption matters most
Most therapy software focuses on the session record — the note, the transcript, the billing line. The between-session space is where data protection gaps usually appear: informal messages, homework check-ins, and crisis contacts that live in unencrypted consumer apps.
PR-TOP routes all between-session data through the same encrypted application layer as the session record. A client's Telegram diary entry, a completed exercise, a one-tap SOS alert — each is encrypted as Class A data before it reaches the database. The therapist sees a unified, encrypted timeline. There are no unencrypted side-channels.
See also: encryption architecture and AI session notes for therapists.
Frequently asked questions
Is PR-TOP HIPAA compliant?
No. PR-TOP has not been independently audited for HIPAA compliance and does not offer a Business Associate Agreement (BAA). It applies strong technical controls — AES application-layer encryption, immutable audit logging, role-based access control, TLS 1.2+ — that parallel many HIPAA safeguards, but it is EU-hosted and designed primarily for GDPR compliance. US therapists who are covered entities and need a HIPAA-compliant platform with a BAA should use a US-based EHR system.
Does PR-TOP offer a Business Associate Agreement?
No. PR-TOP does not offer a BAA. A BAA is a contractual requirement for US covered entities under HIPAA. PR-TOP is an EU-hosted platform governed by GDPR. For practices that need a data processing contract, PR-TOP provides a GDPR Data Processing Addendum (DPA) by default — included in the Terms of Service, not gated behind an enterprise tier.
What encryption does PR-TOP use?
PR-TOP applies AES encryption at the application layer for all Class A data: diary entries, session transcripts, AI summaries, and private therapist notes. Encryption happens before data reaches the database, so the database stores ciphertext, not plaintext. Class B data (timestamps, metadata, IDs) is access-controlled plaintext. All data transmission uses TLS 1.2+.
Is PR-TOP safe for EU therapists under GDPR?
Yes. PR-TOP is designed and hosted in the EU (Hetzner infrastructure). It processes all client data under a GDPR-compliant framework: lawful basis, data minimisation, data subject rights, and a Data Processing Addendum available by default. There are no third-party analytics trackers — analytics run on self-hosted Umami. You can export or delete a complete client record in one action.
Can US therapists use PR-TOP?
US therapists who are not covered entities under HIPAA (e.g., coaches, certain counsellors, therapists who do not bill insurance) can use PR-TOP and benefit from its strong encryption and GDPR-aligned controls. US therapists who are covered entities and must sign a BAA with their software vendors cannot use PR-TOP for PHI, as PR-TOP does not offer a BAA. Consult your own legal counsel if you are unsure of your HIPAA status.
What data does PR-TOP encrypt?
All Class A data is encrypted with AES at the application layer before storage: client diary entries (text, voice, video), session audio and video files, Whisper transcripts, AI-generated summaries, and private therapist notes. Class B data — timestamps, metadata, identifiers — is access-controlled plaintext. A server breach does not expose the content of client records.
GDPR-first, EU-hosted — try PR-TOP free
The free Trial tier includes the encrypted dashboard, Telegram client bot, diary, exercises, and SOS for a limited number of clients. No credit card required. GDPR Data Processing Addendum included by default.