Compliance
Tendly is built from the ground up for HIPAA compliance. Every architectural decision, every third-party vendor, and every internal process is evaluated against HIPAA requirements.
If you're a covered entity — a therapist, counselor, psychologist, or other healthcare provider — Tendly acts as your Business Associate and shares responsibility for protecting your clients' health information.
Every Tendly account comes with a signed BAA — automatically, with no paperwork required. As your Business Associate, we are contractually bound to safeguard your clients' Protected Health Information (PHI) and to use it only for the purposes described in the agreement.
All PHI stored in Tendly is encrypted using AES-256. All data transmitted between your browser and our servers uses TLS 1.3. Backups are also encrypted and stored in geographically separate, secure data centers.
Role-based permissions ensure staff only access what they need. Every read, write, and export of PHI is logged with a full audit trail — including user, timestamp, and action taken. Audit logs are immutable and retained for a minimum of six years.
All Tendly employees with access to PHI undergo HIPAA training at onboarding and annually thereafter. We maintain documented policies for data handling, breach response, and workforce management that are reviewed and updated regularly.
Every Tendly account is covered by our Business Associate Agreement. Review the full agreement below, or contact us with any questions about HIPAA compliance.
Read the Business Associate Agreement
Questions about HIPAA compliance? Email us at privacy@tendly.health · Notice of Privacy Practices