Security & trust
Built for the most sensitive data there is.
AllAlong handles the space between therapy sessions, so we hold ourselves to a simple rule: say exactly what we do today, and label everything else as a commitment. No borrowed badges.
What is true today
Not promises — how the product is built right now.
We never keep the session
Raw audio and transcripts are never stored. They pass through once to produce the plan and non-verbatim notes — then they're gone. We keep the therapist-approved output, not the conversation.
Patients are pseudonymous by design
AllAlong never asks for a patient's name. Records are kept against an alias and an internal ID chosen by the therapist.
Crisis safety is code, not AI
Every patient message is screened by deterministic logic before any AI sees it. Crisis responses — verified local crisis lines, immediate therapist alert — are hardcoded and cannot be improvised by a model.
The agent never authors clinical content
Patients only ever receive what their therapist wrote: the tools, the plan, the exercises. AI classifies and organises; it does not advise. This is enforced in code, not in a prompt.
Every agent action is auditable
Each action the agent team takes is logged with a timestamp — visible to the therapist on the Activity page. Nothing happens off the record.
Encrypted, managed infrastructure
All traffic is encrypted in transit (TLS). Data lives in Convex's managed cloud, encrypted at rest — no hand-rolled servers.
No passwords to breach
Sign-in uses single-use emailed links that expire in 15 minutes. We never store a password.
Never used to train AI models
Your data is processed via API solely to serve you. It is not used to train models — ours or anyone else's.
What we’re building toward
Commitments, in the order we plan to deliver them. We won’t claim one until it’s independently verifiable.
HIPAA compliance + BAA
Full HIPAA alignment with a signed Business Associate Agreement for every practice.
Singapore PDPA alignment
Formal PDPA compliance for our home market, alongside international standards.
SOC 2 Type II
Independent audit of our security controls, renewed annually.
Session recording, done right
In-person recording and agent-joins-session only ship behind explicit patient consent flows and PHI-grade handling.
MFA + role-based access
Multi-factor authentication and granular roles for multi-therapist practices.
Self-service export & deletion
Practices can export or permanently delete every record they hold, on demand.
Questions, concerns, or something we missed?
Security questions get answered by a founder, not a form. Write to us and we’ll reply with specifics — including honest “not yet”s.