Security & compliance

Where we stand.

Three commitments we will not negotiate on. They go on every contract and every sales call, and they're the reason a clinician-led organization can trust us with its data.

Privacy

Built for HIPAA-compliant deployment.

Encryption at rest and in transit, access logging, role-based controls, and breach-response procedures are in place before any client data touches a Verbena system. A BAA is signed before any engagement that involves protected health information. We're transparent about the path: an independent third-party HIPAA security review is on the roadmap before broader PHI processing, and SOC 2 readiness is targeted within our first nine months. We say plainly where we are on that path in every sales conversation.

AI position

AI never sits between a client and their care.

We do not build AI that triages, diagnoses, or makes judgments about a client's care plan. That's written into every BAA. Inside Verbena, AI is back-office only. When workflow data touches AI systems, member orgs' clients are informed; we provide template disclosure language.

Data handling

Customer data never trains a foundation model.

Your data is yours. Not ours, not any third party's. We use AI tools that contractually exclude customer data from training. This is auditable and written into every BAA.

In practice

What this looks like operationally.

  • Business Associate Agreements. We sign a BAA before any engagement that involves protected health information, and our subprocessors are covered by BAAs in turn.
  • Least-privilege access. Role-based controls mean people see only what their job requires, and every access is logged.
  • Encryption everywhere. Data is encrypted in transit and at rest across the systems we build and operate.
  • Back-office-only AI. AI assists with operational work: scheduling, summarizing internal documents, drafting reminders for staff. It does not make or influence clinical decisions.
  • Breach response. Documented procedures for detection, notification, and remediation, aligned with HIPAA breach-notification requirements.

What we're still building.

In the spirit of naming what we don't yet have:

  • Independent security audit. A third-party HIPAA security review before any client data is processed.
  • SOC 2. A SOC 2 readiness assessment is targeted within the first nine months of operations.

Regulatory note: depending on services and funding, behavioral health organizations may also be subject to 42 CFR Part 2 protections for substance-use-disorder records. We design with Part 2 in mind and scope it explicitly during the Readiness Engagement.

How to read these claims.

We've taken a hard line against overselling on compliance. "Built for HIPAA-compliant deployment" means our architecture, contracts, and engineering practices are designed around HIPAA from the start, and a BAA is in place before any protected health information is processed. It is not a substitute for the independent third-party HIPAA security review noted above, which we will complete before broader PHI processing and publish on this page. If your IT or compliance team has specific questions about how PHI flows through our systems, please reach out and we'll walk through it.

Ask us a security question