Security & trust

Built for the most sensitive data there is.

AllAlong handles the space between therapy sessions, so we hold ourselves to a simple rule: say exactly what we do today, and label everything else as a commitment. No borrowed badges.

AllAlong is in early access. Until our compliance certifications below are complete, we ask practices to use test or pseudonymous data — and the product is built so that’s the natural default.

What is true today

Not promises — how the product is built right now.

We never keep the session

Raw audio and transcripts are never stored. They pass through once to produce the plan and non-verbatim notes — then they're gone. We keep the therapist-approved output, not the conversation.

Patients are pseudonymous by design

AllAlong never asks for a patient's name. Records are kept against an alias and an internal ID chosen by the therapist.

Crisis safety is code, not AI

Every patient message is screened by deterministic logic before any AI sees it. Crisis responses — verified local crisis lines, immediate therapist alert — are hardcoded and cannot be improvised by a model.

The agent never authors clinical content

Patients only ever receive what their therapist wrote: the tools, the plan, the exercises. AI classifies and organises; it does not advise. This is enforced in code, not in a prompt.

Every agent action is auditable

Each action the agent team takes is logged with a timestamp — visible to the therapist on the Activity page. Nothing happens off the record.

Encrypted, managed infrastructure

All traffic is encrypted in transit (TLS). Data lives in Convex's managed cloud, encrypted at rest — no hand-rolled servers.

No passwords to breach

Sign-in uses single-use emailed links that expire in 15 minutes. We never store a password.

Never used to train AI models

Your data is processed via API solely to serve you. It is not used to train models — ours or anyone else's.

What we’re building toward

Commitments, in the order we plan to deliver them. We won’t claim one until it’s independently verifiable.

Planned

HIPAA compliance + BAA

Full HIPAA alignment with a signed Business Associate Agreement for every practice.

Planned

Singapore PDPA alignment

Formal PDPA compliance for our home market, alongside international standards.

Planned

SOC 2 Type II

Independent audit of our security controls, renewed annually.

Planned

Session recording, done right

In-person recording and agent-joins-session only ship behind explicit patient consent flows and PHI-grade handling.

Planned

MFA + role-based access

Multi-factor authentication and granular roles for multi-therapist practices.

Planned

Self-service export & deletion

Practices can export or permanently delete every record they hold, on demand.

Questions, concerns, or something we missed?

Security questions get answered by a founder, not a form. Write to us and we’ll reply with specifics — including honest “not yet”s.