Security

Secure practice management for therapists — how PR-TOP protects client data

Updated: July 2026 · Reviewed by the PR-TOP team

PR-TOP encrypts all client data at the application layer before it reaches the database, stores everything on EU servers, enforces client consent on every data route, and logs every access in an immutable audit trail. Diary, sessions, notes, exercises and SOS alerts are managed from one encrypted workspace — never a generic cloud folder.

What "secure" means in practice management

Most note-taking and EHR tools rely on database-level or transport-level encryption. That means your cloud provider — and anyone who gains access to the database — can read client records in plain text. PR-TOP takes a different approach: every piece of Class A data (client diary entries, session transcripts, private therapist notes, AI summaries) is encrypted at the application layer using AES before it is written to the database. The database itself holds only ciphertext.

Beyond encryption, "secure" in PR-TOP means consent enforcement on every API route. A client's diary cannot be read — even by the therapist who created the workspace — unless the client has explicitly consented via the Telegram bot. Consent can be withdrawn at any time, and withdrawal immediately blocks access. This design reflects Article 9 GDPR requirements for sensitive health data.

Every read, write and delete action on client data is written to an append-only audit log. Therapists can review the full history of who accessed what, when, and from which IP — a requirement for many EU supervisory bodies and professional indemnity insurers.

See the full encryption architecture and audit log documentation.

The client channel: diary, exercises and SOS in Telegram

A secure practice management platform is only useful if clients can interact with it safely. PR-TOP's client interface is a Telegram bot — an app most EU, CIS and LATAM clients already have on their phones. Clients send voice messages, text entries and short video clips between sessions. All diary content is encrypted before storage; the therapist sees it in the dashboard only after the client has consented.

Therapists assign exercises from a multilingual library directly through the dashboard or by messaging the bot. The bot delivers assignments to clients, tracks completion, and surfaces results back in the therapist's session timeline. There is no separate client-facing web app to maintain, no password reset flow to support, and no sensitive data sitting in a standard email thread.

Crisis management is built in. A client can trigger a one-tap SOS from Telegram; PR-TOP routes the alert through all configured channels (dashboard notification, email, secondary SMS if configured) and opens a tracked escalation lifecycle so nothing falls through the cracks. The full SOS history is part of the encrypted, audited client record.

Encryption and data protection

PR-TOP separates data into two classes. Class A data — diary entries, session transcripts, AI summaries, private therapist notes — is encrypted at the application layer with AES before being written to SQLite. Class B data — timestamps, session IDs, metadata — is stored as access-controlled plaintext to allow efficient querying without exposing content.

Uploaded session audio and video files are stored with opaque, randomised IDs. Streaming playback requires a signed access token that expires after a short window, so guessing a file URL does not grant access. Whisper transcription jobs run on the same EU infrastructure; audio is not forwarded to third-party transcription services unless explicitly configured by the operator.

The AI layer is configurable: therapists can choose which LLM provider generates session summaries. No client content is sent to any AI provider until the therapist explicitly requests a summary, and the request is logged in the audit trail.

Full technical details: encryption architecture →

Consent and audit controls

Consent is a first-class concept in PR-TOP. Each client has a consent record stored alongside their profile. Before any Class A data route returns data, the API checks whether current consent exists. If the client has withdrawn consent — or if consent was never given — the route returns an empty response, not an error. This makes consent enforcement testable and auditable.

The audit log captures every data access event: which therapist, which client record, which action (read/write/delete), timestamp, and originating IP. Logs are append-only — they cannot be modified or deleted through the normal application flow. Therapists can export the full audit trail for a client as part of a GDPR Subject Access Request response.

Account deletion is a full wipe: all encrypted Class A data, consent records, audit entries and uploaded files are deleted from the server. A deletion receipt with a cryptographic hash is generated so the therapist has proof of erasure for regulatory purposes.

See also: audit log → GDPR compliance →

EU hosting and data sovereignty

PR-TOP is hosted exclusively on Hetzner infrastructure within the European Union. No client data transits to US-based cloud providers, US-hosted CDNs or US analytics services. The analytics layer uses a self-hosted Umami instance — GDPR-compliant, cookieless, and under the operator's control — rather than Google Analytics or Mixpanel.

A Data Processing Addendum is available by default for all paying plans. Therapists in EU member states can reference the DPA in their own data processing documentation for clients. The operator can also choose to self-host the entire PR-TOP stack on their own EU server, in which case no data leaves their infrastructure at all.

This matters for therapists working under national health authority contracts, school counsellors subject to local authority data governance rules, and any practice registered with a EU supervisory body that audits data residency.

Full details: data sovereignty and EU hosting →

PR-TOP vs non-secure alternatives

FeaturePR-TOPGeneric note appUS EHR (US-hosted)Google/Dropbox storage
HostingEU-only (Hetzner)Varies — often US or mixedUS data centresUS data centres
Encryption modelApplication-layer AES for Class A dataTransport (TLS) onlyDatabase-level or TLS onlyAt-rest (provider holds keys)
Client diary / Telegram botBuilt in — voice, text, videoNot in scopeRare; no Telegram integrationNot in scope
ExercisesMultilingual library + custom; assigned via botNot in scopeSome; separate moduleNot in scope
SOS / crisis alertsOne-tap client SOS → multi-channel notifyNot in scopeSome; phone/pager onlyNot in scope
Consent enforcementAPI-level — blocks reads if consent absentManual at bestVaries; form-basedNone
Audit logImmutable, append-only, exportableNone or basic activity logUsually present; variesActivity log only (Google Workspace)
GDPR DPAIncluded by default (paid plans)Rarely providedSCCs only (US-registered entity)Standard terms; EU SCCs
AI session notesYes — configurable providers, Whisper transcriptionSometimesYes — US-hosted LLMsNo
Self-hostableYes — full stack on your EU serverRarelyNoNo
LanguagesEN / RU / UK / ESUsually English onlyUsually English onlyUI only; no clinical i18n
Analytics trackerSelf-hosted Umami — no cookies, GDPR-compliantGoogle Analytics or similarVariesGoogle

Comparison based on publicly available information as of July 2026. "Generic note app" refers to tools like Notion, Bear, or Obsidian repurposed for clinical notes. "US EHR" refers to typical US-registered EHR/practice-management platforms.

Dive deeper into PR-TOP security

Frequently asked questions

How is PR-TOP more secure than keeping notes in Google Drive or Notion?

Google Drive and Notion use at-rest encryption where the cloud provider holds the keys — a subpoena, a breach, or a misconfigured share can expose plain-text content. PR-TOP encrypts Class A data (diary entries, transcripts, notes, summaries) at the application layer before writing to the database, so the server itself never holds decrypted client content. Access is also consent-gated and every read is logged in an immutable audit trail. Neither Google Drive nor Notion provides GDPR-compliant consent enforcement or an audit log suitable for health data.

Is PR-TOP compliant with GDPR for EU therapists?

PR-TOP is designed GDPR-first: EU-only hosting (Hetzner), a Data Processing Addendum available by default on paid plans, consent enforcement at the API level, full data export and erasure on request, and cookieless self-hosted analytics (Umami). The platform does not use Google Analytics, Facebook Pixel or any other third-party tracker. Therapists in EU member states can reference the DPA in their own controller documentation. Self-hosting is also supported for practices under strict national health authority data governance rules.

What data does PR-TOP encrypt, and what is left unencrypted?

PR-TOP splits data into Class A and Class B. Class A data — client diary entries, session audio/video, transcripts, AI summaries, and private therapist notes — is encrypted at the application layer with AES before it is written to the database. Class B data — session IDs, timestamps, plan metadata, and routing information — is stored as access-controlled plaintext to support efficient queries. No Class A content is ever written to the database in plain text.

What happens when a client withdraws consent?

Consent withdrawal takes effect immediately. Every API route that returns Class A data checks for a valid, current consent record before responding. If consent has been withdrawn, the route returns an empty response — no error, no data. The audit log records the withdrawal event. The therapist can still see that a client record exists and access Class B metadata, but all encrypted content is inaccessible until consent is re-granted.

Can I use PR-TOP's Telegram bot without storing data in the cloud?

Yes, through self-hosting. PR-TOP's full stack — the React dashboard, Node.js API, SQLite database, and Telegram bot — can be deployed on your own EU server. In self-hosted mode, no data leaves your infrastructure. Telegram message payloads pass through Telegram's servers (as with any Telegram bot), but all storage and processing happens on your host. The PR-TOP team provides deployment guides for Dokploy and standard VPS setups.

Does PR-TOP send client data to OpenAI or other AI providers?

Only on explicit request. AI-generated session summaries and note drafts are produced when the therapist clicks "Generate summary" — no automatic background processing happens. The request, the provider used, and the response are logged in the audit trail. The AI provider is configurable: practices with strict data residency requirements can configure a locally-hosted model or a EU-resident provider instead of the default. No client diary content is ever forwarded to an AI provider without a deliberate therapist action.

Start managing your practice securely

The free Trial takes about ten minutes to set up. No credit card required. You get the encrypted dashboard, the Telegram client bot, diary, exercises and SOS for a limited number of clients. Export your data and leave at any time — no lock-in.