At Grow Therapy, protecting your data and maintaining your trust is foundational to how we operate. This page provides an overview of the security, privacy, and compliance practices we maintain. For complete details on how we collect and use personal information, see our Privacy Notice.
Security Practices
We implement technical and organizational measures designed to protect your information from unauthorized access, loss, or misuse.
- Encryption: All data is encrypted in transit using TLS 1.2+ and at rest using AES-256 encryption.
- Access Controls: We enforce role-based access, multi-factor authentication, and least-privilege principles for employees who access client data.
- Infrastructure: Our services are hosted on Amazon Web Services (AWS) infrastructure in the United States. AWS undergoes SOC 2 Type II audits covering the data centers and services we build on, and we review those attestation reports as part of our vendor due diligence.
- Testing: We conduct regular vulnerability assessments and engage third-party firms for annual penetration testing.
- Monitoring: We maintain logging and monitoring systems to detect and respond to suspicious activity.
- Training: All employees, providers, and contractors receive HIPAA privacy and security training within 90 days of onboarding and annually thereafter.
Data Protection
- Minimization: We collect only the data necessary to provide our services.
- Retention: We retain personal data only as long as needed for the purposes described in our Privacy Notice or as required by law.
- Subprocessors: We carefully vet third-party vendors that process data on our behalf, and we require our AI subprocessors to operate with zero data retention and not to use client health data to train models, whether their own or any third party's.
Compliance
We maintain the following compliance commitments (HIPAA does not offer a formal certification, so our HIPAA posture is verified through independent assessments rather than a certificate):
| Framework / Commitment | Details |
|---|---|
| HIPAA Data Sharing | We comply with the Health Insurance Portability and Accountability Act (HIPAA). Business Associate Agreements (BAAs) and Data Processing Agreements (DPAs) are executed with all third parties that process Protected Health Information (PHI), and administrative, physical, and technical safeguards are in place. |
| Regular HIPAA Assessments | Regular HIPAA Security and Privacy Risk Assessments are conducted by a qualified third-party assessor. Results are reviewed by company leadership, and remediation items are tracked to closure. |
Subprocessors
As described in our Privacy Notice, when you use our products and services, your data may be shared with third-party service providers, including the vendors listed below. This list is not exhaustive and is subject to change at our discretion as we continue to evaluate our own needs and the offerings of these companies.
| Company | Purpose | Location |
|---|---|---|
| Amazon Web Services | Cloud hosting, storage, and AI | USA |
| Anthropic | LLM and other AI features | USA |
| Atlassian | Tasks and ticketing | USA |
| Customer.io | Communications | USA |
| Datadog | Analytics | USA |
| Google Cloud and Workspace | Cloud hosting, storage, and AI | USA |
| Hex | Analytics | USA |
| Hubspot | CRM and marketing | USA |
| Intercom | User support | USA |
| Looker | Analytics | USA |
| OpenAI | LLM and other AI features | USA |
| Snowflake | Analytics | USA |
| Stripe | Financial services | USA |
| Twilio | Communications | USA |