SnapNotes was built by a practicing clinician who understands what's actually at stake. Your clients' data is not a product. It is protected, encrypted, and entirely under your control.
When you delete a session, it is permanently and immediately removed from our servers. No backups, no retention windows, no exceptions.
SnapNotes operates as your Business Associate under HIPAA. We execute a formal BAA with every subscriber and maintain policies aligned with 45 C.F.R. Parts 160 and 164.
All data is encrypted in transit using TLS and encrypted at rest using AES-256. Your transcriptions are protected from the moment they leave your device.
No SnapNotes employee or contractor can read the contents of your sessions. Your client data is yours alone — full stop.
Multi-factor authentication, session management, and secure credential handling protect access to your account at every layer.
SnapNotes uses AI models under strict data processing agreements. Session content is never used to train external models or shared with third-party AI providers beyond what's required to generate your note.
SnapNotes runs in a dedicated, isolated environment. Strict resource limits and file handling policies prevent overloads and protect stability.
Internal system access is governed by least-privilege principles. Staff only have access to what is operationally necessary — never to PHI.
All API endpoints are protected with authentication and authorization checks. Data exchange is validated and logged at the application layer.
We maintain detailed operational logs — not session content — to detect anomalous behavior, support incident response, and ensure system integrity.
Any subprocessor that handles PHI on our behalf is contractually bound to the same security standards and HIPAA obligations we hold ourselves to.
In the unlikely event of a security incident, we will notify affected covered entities within 30 days of discovery, consistent with our BAA and 45 C.F.R. § 164.410.
Your trust is the foundation of everything we do. We are dedicated to handling your data with the care it deserves — not just because HIPAA requires it, but because your clients deserve it.
For full details, please review our Privacy Policy and Terms of Use. If you have specific questions about our security posture or want to discuss enterprise arrangements, reach out directly.