Your clients’ data never leaves Europe

All communication between your browser and our servers is encrypted using TLS. Session transcripts, clinical notes, and all client data are encrypted at rest on our European servers. Passwords are stored only as irreversible cryptographic hashes — never in readable form. Even if someone physically accessed the storage hardware, your client data could not be read.

Every account is protected by a strong password policy. Two-factor authentication (2FA) is available via authenticator app or email code, and is required for practice administrators. Sessions expire automatically after inactivity — an unattended screen cannot be used to access client data. You can remotely sign out from all devices at any time.

The platform enforces strict data isolation. Your practice’s client data is completely separated from every other practice on the platform — at the database level, not just the application level. No other practice can ever see your data. Within a group practice, individual therapists can mark their own case documents as private — inaccessible even to the practice administrator. This architectural separation is a fundamental GDPR requirement for processing special-category health data, and it is enforced at every layer of the system.

Access to clinical data is controlled by a role-based permission system. Each member of your practice is assigned a role (administrator, therapist, supervisor, or viewer) with exactly the permissions they need — and nothing more. Administrators can add and remove users and adjust roles at any time. Every permission change is recorded in an immutable, tamper-evident audit trail.

Every significant action — logins, failed login attempts, session recordings, document access, report downloads, and permission changes — is recorded in a tamper-evident audit log stored on EU servers. Records are retained for up to 12 months, giving you a complete and verifiable history of who accessed which client data and when. This directly supports your obligations under GDPR Art. 5(2) (accountability principle) and your documentation duties as a registered mental health professional.

This is the single most important privacy control in a mental health context. Before any session content is processed by an AI model, all client-identifying information — names, dates of birth, ID numbers, contact details, and other personal identifiers — is automatically detected and replaced with anonymised placeholders. The AI model receives and processes anonymised text only. The original identifying data never leaves your encrypted, tenant-isolated database record. It is never sent to any AI model — whether privately hosted or a third-party EU provider — in identifiable form. This means that even if an AI model were somehow compromised, it would contain no identifying information about any of your clients.

All servers are located in the European Union and operate under EU data protection law. AI language models are privately hosted on our own European infrastructure — session content is never sent to OpenAI, Google, Microsoft Azure, Amazon Web Services, or any other US-based cloud provider. Where we use third-party AI services, we work exclusively with EU-based providers that operate under the GDPR and are bound by signed Data Processing Agreements (DPAs). The operating system and all server software receive automatic security patches. Server access requires key-based SSH authentication only — password logins are disabled. A network firewall blocks all ports except those required for the service. Automated daily backups are stored at a separate off-site EU location and retained for 30 days.

This platform is built specifically around GDPR and the legal and ethical confidentiality obligations of psychotherapists, psychologists, and counsellors practising in Europe. Session content is treated as special-category health data under GDPR Art. 9 at every stage of processing. The entire architecture — data isolation, anonymisation before AI processing, EU-only infrastructure, immutable audit logs, and permanent deletion on finalisation — is designed to support your compliance with GDPR, the German Bundesdatenschutzgesetz (BDSG), and the confidentiality requirements of professional bodies such as the Bundespsychotherapeutenkammer (BPtK) and the Österreichischer Bundesverband für Psychotherapie (ÖBVP). We do not sell, share, analyse, or use your clients’ data for any purpose beyond providing the service you have subscribed to. We have no right to your clients’ clinical information — and we have built the system so that we are technically unable to access it.

If you believe you have found a security vulnerability in psychotherapy.talari.ai, please contact us at security@talari.ai. We investigate all reports and respond within 48 hours. Given the sensitivity of mental health data processed on this platform, we treat every security report with the highest priority.