Privacy, BAA, AI, and vendor posture

Trust Center

A review-ready overview for therapists evaluating Steady. This page explains how the product is designed for HIPAA-conscious workflows, BAA-supported operations, clinician-reviewed AI drafting, and minimum-necessary operational handling.

This is not legal advice and it is not a replacement for signed agreements, counsel-approved policies, or final security/compliance review.

BAA-supported workflow
Clinician-reviewed AI
No authenticated PHI tracking by default

Legal packet

BAA-supported commercial workflow

Steady is designed around HIPAA-conscious workflows and a BAA-supported clinician agreement flow for paid clinical use.

  • The Business Associate Agreement, Terms of Service, Privacy Policy, beta agreement, and AI/transcription disclosure must be counsel-reviewed before contractual reliance.
  • Agreement acceptance records should remain versioned and immutable after signature.
  • This trust center explains posture and workflow; it is not legal advice or a substitute for signed legal documents.

AI and transcription

Clinician-reviewed AI drafting

AI and transcription features are positioned as draft support for clinicians, not autonomous clinical decision-making.

  • Recording and transcription require appropriate, documented client consent to be in place before they are used in clinical care.
  • AI-generated notes remain drafts until a clinician reviews, edits, and signs them.
  • AI prompts, transcripts, and clinical note content must not be logged into public analytics, support notes, or unaudited operational channels.

Tracking boundary

Authenticated tracking rule

Authenticated PHI surfaces should not load analytics, advertising pixels, session replay, heatmaps, or third-party tracking by default.

  • Public marketing analytics may run only on unauthenticated pages that do not collect or infer PHI.
  • Clinician dashboard, portal, telehealth, booking intake, billing, notes, documents, agreements, and messaging surfaces require explicit BAA-safe review before any tracking expansion.
  • Final launch claims about tracking require a dated verification pass against the deployed app: inspect what each authenticated surface actually loads in the browser (scripts, pixels, iframes, connection hints) rather than relying on the intended configuration.
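One way to run the verification pass for the tracking rule above, as an added example that is not Steady's own tooling. Given the HTML served for a route, it lists every external origin the page would load (scripts, images and pixels, iframes, preconnect hints) and flags the ones the rule forbids: any third-party load on an authenticated surface, and any host outside the public analytics allowlist elsewhere. The route prefixes, hostnames and the two sample pages are assumptions constructed for illustration.

```python
"""Tracking-boundary check for a deployed app (added example, not project code)."""
from datetime import date
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: route prefixes that serve authenticated PHI surfaces.
AUTHENTICATED_PREFIXES = ("/app/", "/portal/", "/telehealth/", "/intake/",
                          "/billing/", "/notes/", "/documents/",
                          "/agreements/", "/messages/")
# Assumed first-party hosts; loads from these are never findings.
FIRST_PARTY_HOSTS = {"steadymentalhealth.com", "app.steadymentalhealth.com"}
# Assumed: the only analytics host permitted, and only on public pages.
PUBLIC_ANALYTICS_ALLOWLIST = {"analytics.example"}


class _ResourceCollector(HTMLParser):
    """Collect (tag, url) for everything the browser would fetch on render."""
    SRC_TAGS = {"script", "img", "iframe", "video", "audio", "source", "embed"}
    HINT_RELS = {"preconnect", "dns-prefetch", "prefetch", "preload"}

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in self.SRC_TAGS and a.get("src"):
            self.resources.append((tag, a["src"]))
        elif tag == "link" and a.get("href"):
            rels = set((a.get("rel") or "").lower().split())
            if rels & self.HINT_RELS or "stylesheet" in rels:
                self.resources.append((tag, a["href"]))


def external_origins(html):
    """Map third-party host -> set of tags that load from it."""
    parser = _ResourceCollector()
    parser.feed(html)
    found = {}
    for tag, url in parser.resources:
        host = urlparse(url).hostname  # None for relative, data: and inline
        if host is None or host in FIRST_PARTY_HOSTS:
            continue
        found.setdefault(host, set()).add(tag)
    return found


def is_authenticated_surface(path):
    return path.startswith(AUTHENTICATED_PREFIXES)


def audit(path, html):
    """Return {host: reason} for every load that violates the tracking rule."""
    findings = {}
    for host, tags in external_origins(html).items():
        via = ",".join(sorted(tags))
        if is_authenticated_surface(path):
            findings[host] = f"third-party load ({via}) on authenticated PHI surface"
        elif host not in PUBLIC_ANALYTICS_ALLOWLIST:
            findings[host] = f"third-party host ({via}) not on public allowlist"
    return findings


def verification_pass(pages):
    """Dated record over {path: html}; empty findings means the claim holds."""
    return {"date": date.today().isoformat(),
            "findings": {p: audit(p, h) for p, h in pages.items()}}


# Constructed sample pages: a dashboard with a stray session-replay script
# and a 1x1 pixel, and a marketing landing page with the allowed analytics tag.
DASHBOARD_HTML = """<html><head>
<link rel="preconnect" href="https://replay.example">
<script src="https://app.steadymentalhealth.com/static/app.js"></script>
<script src="//replay.example/record.js"></script>
</head><body>
<img src="https://pixel.example/p.gif?u=123" width="1" height="1">
<img src="/static/logo.png">
</body></html>"""

LANDING_HTML = """<html><head>
<script async src="https://analytics.example/tag.js"></script>
</head><body><img src="/static/hero.png"></body></html>"""

if __name__ == "__main__":
    record = verification_pass({"/app/dashboard": DASHBOARD_HTML, "/": LANDING_HTML})
    for path, findings in record["findings"].items():
        status = "OK" if not findings else "FAIL"
        print(f"{record['date']} {status} {path}")
        for host, reason in sorted(findings.items()):
            print(f"    {host}: {reason}")
```

In practice the HTML would be fetched with an authenticated session for each surface in the list above, and the pass should also cover requests made after page load (a network capture from the browser), since trackers injected by a tag manager never appear in the static markup.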

Vendors

Subprocessor register

The vendor list is maintained as an operational register with owner, review cadence, data handled, BAA status, and launch decision.

  • Required launch categories include infrastructure, payments, clearinghouse, email, SMS, monitoring, AI/transcription, status, and support tooling.
  • The security/compliance owner owns the review and update process.
  • Review cadence: Before public launch and at least quarterly after launch.

Incident response

Escalation without PHI exposure

Security, privacy, billing, clinical notes, portal, document, AI/transcription, and integration incidents require minimum-necessary escalation.

  • Operational notes should use IDs, counts, affected surfaces, status, and owners rather than client names, clinical content, raw payloads, or secrets.
  • Potential privacy or security incidents should be escalated to the security/compliance owner and counsel/privacy review when appropriate.
  • Public status updates should describe affected workflow and workaround without exposing PHI or sensitive implementation detail.

Data lifecycle

Retention, export, and deletion posture

Retention, chart export, account closure, and deletion workflows must be defined before broad launch claims.

  • Clinical records, billing records, signed agreements, and audit records have different retention and export constraints.
  • Export and deletion workflows must enforce server-side access control and audit sensitive actions.
  • Public content should describe directional posture until final retention and export policies are approved.

Review status

Security/compliance review required

This page is a review-ready overview, not final approval for public-launch claims.

  • STE-17 identified meaningful controls and remaining audit gaps that must be resolved or explicitly accepted before release readiness.
  • Final trust content must match actual product behavior, configured vendors, tracking posture, and incident-response process.
  • Any legal, HIPAA, AI, transcription, vendor, or incident-response claim should be reviewed before publication.

Contact

Support and security contact

Evaluators and beta clinicians need a clear route for trust, privacy, and security questions.

  • Use hello@steadymentalhealth.com for trust, privacy, BAA, AI/transcription, and security-review questions until a dedicated security contact is published.
  • Do not send PHI, clinical content, patient names, form answers, transcripts, or secrets through public contact channels.
  • Sensitive operational follow-up should move into the approved support or incident process.