Security & Privacy

Your data security and privacy are our top priorities. This page explains how we protect your information and maintain confidentiality.

Data Security Architecture

Row-Level Security (RLS)

Our database implements Row-Level Security (RLS) to ensure data isolation:

What is RLS?

  • Database-level access control
  • Users can only access their own data
  • Automatic enforcement at the database layer
  • Cannot be bypassed from application code: policies run inside the database on every query made as the signed-in user, so an application bug cannot widen what a query returns. The one exemption is a privileged database role that bypasses RLS, which is why such credentials must never reach a client.

How it works:

  • Every query is filtered by the signed-in user's ID before any row is returned or changed
  • Prevents unauthorized access even if application-level checks fail
  • Applies to every data operation (select, insert, update, delete)

Benefits:

  • Strong data isolation between users
  • Protection against data leaks
  • Compliance with privacy regulations

Role-Based Access Control (RBAC)

Different user roles have different access levels:

Practitioner Role:

  • Access to all assessment tools
  • Personal workspace and saved content
  • Cannot access educator or admin features

Educator Role:

  • All practitioner features
  • Course management
  • Student data (only for their own courses)
  • Cannot access other educators' courses

Student Role:

  • Learning-focused tools
  • Assignment submissions
  • Progress tracking
  • Cannot access other students' work

Admin Role:

  • Platform management
  • User management (aggregate data only)
  • System configuration
  • Cannot access individual case data
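The isolation and role rules described in the two sections above, as an added worked example that is not the platform's own schema: PostgreSQL row-level security policies written with Supabase's auth.uid() helper (which returns the caller's user ID from the request's JWT). The table and column names (assessments, courses, enrollments, submissions) are assumptions for illustration.

```sql
-- Added example: Postgres RLS policies implementing the per-user isolation and
-- the role rules above. Table/column names are illustrative assumptions;
-- auth.uid() is Supabase's helper returning the caller's user ID from the JWT.

-- Practitioner data: one owner per row.
create table public.assessments (
  id          uuid primary key default gen_random_uuid(),
  owner_id    uuid not null default auth.uid() references auth.users (id),
  tool        text not null,
  case_input  text not null,              -- de-identified by the user
  output      text,
  created_at  timestamptz not null default now()
);

-- Enable RLS and make it apply even to the table owner (without FORCE the
-- owning role is exempt). With RLS on and no policy, every query sees no rows.
alter table public.assessments enable row level security;
alter table public.assessments force row level security;

-- One policy per operation, each scoped to the row's owner. The WITH CHECK
-- clauses stop a user from inserting or re-homing rows under someone else's ID.
create policy assessments_select_own on public.assessments
  for select to authenticated using (owner_id = auth.uid());
create policy assessments_insert_own on public.assessments
  for insert to authenticated with check (owner_id = auth.uid());
create policy assessments_update_own on public.assessments
  for update to authenticated
  using (owner_id = auth.uid()) with check (owner_id = auth.uid());
create policy assessments_delete_own on public.assessments
  for delete to authenticated using (owner_id = auth.uid());

-- Course data: educators own courses, students are enrolled, submissions belong
-- to a student within a course. (courses and enrollments need their own
-- policies in a real deployment; they are left open here to keep this short.)
create table public.courses (
  id          uuid primary key default gen_random_uuid(),
  educator_id uuid not null references auth.users (id),
  title       text not null
);
create table public.enrollments (
  course_id  uuid not null references public.courses (id),
  student_id uuid not null references auth.users (id),
  primary key (course_id, student_id)
);
create table public.submissions (
  id         uuid primary key default gen_random_uuid(),
  course_id  uuid not null references public.courses (id),
  student_id uuid not null default auth.uid() references auth.users (id),
  body       text not null
);
alter table public.submissions enable row level security;
alter table public.submissions force row level security;

-- Students: full access to their own submissions, and only in courses they
-- are enrolled in. Nothing here lets a student read another student's work.
create policy submissions_student_own on public.submissions
  for all to authenticated
  using (student_id = auth.uid())
  with check (
    student_id = auth.uid()
    and exists (select 1 from public.enrollments e
                where e.course_id = submissions.course_id
                  and e.student_id = auth.uid())
  );

-- Educators: read-only access to submissions in courses they teach, none in
-- another educator's course. Permissive policies for the same command are
-- OR-ed, so this adds to the student policy without loosening it.
create policy submissions_educator_read on public.submissions
  for select to authenticated
  using (exists (select 1 from public.courses c
                 where c.id = submissions.course_id
                   and c.educator_id = auth.uid()));

-- Admins get no policy at all on these tables, so an admin querying through
-- the same API sees no case rows. Aggregate reporting must go through a
-- separate path (for example a function owned by a role with BYPASSRLS that
-- returns only counts), which is the "aggregate data only" rule above.
```

Everything here holds only for connections made as the signed-in user. Any database role with BYPASSRLS, including the service-role key Supabase issues for server-side use, ignores every policy, so such credentials must stay on the server and never reach a browser.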

Data Encryption

In Transit:

  • All data transmitted using TLS 1.3
  • Transport encryption on every connection between your browser and the platform (not end-to-end encryption: the platform must read your inputs to process them, and forwards de-identified inputs to OpenAI over its own TLS connection)
  • No unencrypted data transmission

At Rest:

  • Database encryption at rest
  • Secure file storage
  • Encrypted backups

OpenAI Integration

How We Use OpenAI

The platform uses OpenAI's API for AI-powered features:

Data Processing:

  • Your inputs are sent to OpenAI for processing
  • OpenAI processes requests and returns suggestions
  • No long-term storage by OpenAI (per their API policy)

What OpenAI Receives:

  • De-identified case information you input
  • Tool-specific prompts
  • No personally identifiable information (if you follow guidelines)

What OpenAI Does NOT Receive:

  • Your real name or user ID
  • Client identifying information
  • Database records
  • Historical case data

OpenAI Data Policy

According to OpenAI's API policy:

  • API data is not used to train OpenAI's models by default
  • Data is retained for up to 30 days for abuse and misuse monitoring, then deleted
  • Zero data retention option available for Enterprise

Our Commitment:

  • We only send de-identified information
  • We do not share user metadata
  • We maintain separate audit logs

What We Store

User Account Data

Stored:

  • Email address
  • Name
  • Role (practitioner, educator, student)
  • Subscription status
  • Login timestamps

NOT Stored:

  • Passwords in plain text (authentication is handled by Clerk, and only password hashes are kept)
  • Social security numbers
  • Client identifying information
  • Payment card details (handled by Stripe)

Case and Assessment Data

Stored:

  • De-identified case inputs
  • Assessment outputs
  • Tool usage timestamps
  • Saved work and drafts

NOT Stored:

  • Client real names (the platform never asks for them; text entered against the guidelines is stored as typed, so de-identify before submitting)
  • Addresses or specific locations
  • Protected Health Information (PHI)
  • Social security numbers

Usage Analytics

Collected:

  • Tool usage patterns (aggregate)
  • Session duration
  • Feature utilization
  • Error logs (technical data only)

NOT Collected:

  • Case content for analytics
  • Identifying client information
  • User browsing outside the platform

Privacy Protections

No PHI Storage Policy

Protected Health Information (PHI):

  • Platform is NOT designed for PHI storage
  • Users must de-identify all information
  • No HIPAA compliance claims made
  • Use pseudonyms and generic identifiers

Your Responsibility:

  • Remove identifying information before input
  • Use generic terms (e.g., "Client A", "JD")
  • Avoid specific locations, dates of birth
  • Follow professional documentation standards
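As an added example (not the platform's own code) of a database-side backstop for the "NOT Stored" items and the de-identification rules above: a PostgreSQL CHECK domain that rejects the most recognisable identifier patterns before a row is written. The table and column names are assumptions. It catches obvious Social Security numbers, full calendar dates, e-mail addresses and phone numbers; it does not de-identify anything, and the pseudonym discipline described above is still required.

```sql
-- Added example: reject obvious identifiers at the database layer. Patterns
-- are deliberately narrow; this is a backstop, not a de-identification tool.
create domain public.deidentified_text as text
  check (
    -- US Social Security number, with or without separators (123-45-6789)
    value !~  '\m\d{3}[- ]?\d{2}[- ]?\d{4}\M'
    -- full calendar dates that could be a date of birth
    and value !~  '\m\d{1,2}[/.-]\d{1,2}[/.-](19|20)\d{2}\M'     -- 04/12/1981
    and value !~  '\m(19|20)\d{2}-\d{2}-\d{2}\M'                  -- 1981-04-12
    and value !~* '\m\d{1,2}\s+(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z]*\.?\s+(19|20)\d{2}\M'
    -- e-mail addresses and North American phone numbers
    and value !~* '[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}'
    and value !~  '\(?\d{3}\)?[- .]\d{3}[- .]\d{4}'
  );

-- Apply the domain to every column that holds case text (illustrative table).
create table public.case_notes (
  id       uuid primary key default gen_random_uuid(),
  owner_id uuid not null,
  note     public.deidentified_text not null
);

-- Fails with check_violation instead of storing the date of birth:
--   insert into public.case_notes (owner_id, note)
--   values (gen_random_uuid(), 'Client A, DOB 04/12/1981, reports ...');
-- Succeeds:
--   insert into public.case_notes (owner_id, note)
--   values (gen_random_uuid(), 'Client A, early 40s, reports ...');
```

A violation surfaces to the user as a rejected save, which is the desired outcome: the identifier never lands in the database, in backups, or in the request sent to OpenAI. Free-text names and locations cannot be caught this way, so the check complements rather than replaces the guidelines.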

Data Minimization

We practice data minimization:

  • Collect only necessary information
  • No unnecessary tracking
  • Regular data cleanup
  • User-controlled data deletion

User Control

You maintain control over your data:

Data Access:

  • View all your stored data
  • Download your information
  • Review usage history

Data Deletion:

  • Delete individual assessments
  • Request account deletion
  • 90-day grace period for recovery
  • Permanent deletion after 90 days

Compliance & Standards

GDPR Compliance

For EU users:

  • Right to access your data
  • Right to data portability
  • Right to be forgotten
  • Right to rectification
  • Data processing agreements available

Data Processing Location

  • Primary servers in secure data centers
  • EU data residency options available
  • Data Transfer agreements in place
  • Compliant with international data transfer rules

Professional Standards

Social Work Ethics:

  • Aligns with NASW Code of Ethics
  • Respects confidentiality principles
  • Supports informed consent practices
  • Maintains professional boundaries

Security Best Practices

For Users

Protect Your Account:

  • Use strong, unique passwords
  • Enable two-factor authentication
  • Don't share login credentials
  • Log out on shared devices

Protect Client Information:

  • Never input real names
  • Use pseudonyms consistently
  • Remove identifying details
  • Follow agency policies

Data Handling:

  • Export and store securely
  • Follow local regulations
  • Maintain separate documentation
  • Backup critical work

What We Do

System Security:

  • Regular security audits
  • Penetration testing
  • Vulnerability scanning
  • Security patches applied promptly

Access Controls:

  • Limited staff access
  • Audit logging
  • Security training
  • Incident response plans

Monitoring:

  • 24/7 system monitoring
  • Intrusion detection
  • Anomaly detection
  • Automated alerts

Data Retention

Active Accounts

  • Assessment data retained indefinitely (while account active)
  • Usage logs retained for 2 years
  • Backup data retained for 90 days

Canceled Accounts

  • Data retained for 90 days after cancellation
  • User can reactivate and restore data within 90 days
  • Permanent deletion after 90 days
  • Backups purged after 180 days

Data Deletion Requests

To request data deletion:

  1. Go to Settings → Privacy
  2. Click "Delete My Data"
  3. Confirm deletion request
  4. Data deleted within 30 days

Or contact support@aiandsocialwork.com

Incident Response

Security Incidents

In case of a security incident:

  • Immediate investigation initiated
  • Affected users notified within 72 hours
  • Detailed incident report provided
  • Remediation steps communicated

Reporting Security Issues

If you discover a security vulnerability:

  • Email: security@aiandsocialwork.com
  • Include detailed description
  • Do not publicly disclose until resolved
  • We respond within 48 hours

Third-Party Services

Integrated Services

Clerk (Authentication):

  • Handles user authentication
  • Secure password management
  • SOC 2 Type II audited

Stripe (Payments):

  • PCI DSS compliant
  • Secure payment processing
  • No card data stored on our servers

Supabase (Database):

  • PostgreSQL with RLS
  • SOC 2 Type II audited
  • Regular security audits

OpenAI (AI Processing):

  • API-only usage
  • No long-term data retention
  • Enterprise-grade security

Data Sharing

We do NOT share your data with:

  • Marketing companies
  • Data brokers
  • Third-party advertisers
  • Unrelated service providers

We only share data with:

  • Essential service providers (listed above)
  • As required by law
  • With your explicit consent

Transparency

Privacy Policy

Our full Privacy Policy includes:

  • Detailed data collection practices
  • Legal basis for processing
  • International data transfers
  • Contact information for privacy concerns

View at: Privacy Policy

Terms of Service

Our Terms of Service cover:

  • Acceptable use policies
  • User responsibilities
  • Service limitations
  • Legal agreements

View at: Terms of Service

Updates

We notify users of:

  • Privacy policy changes
  • Security updates
  • Feature changes affecting privacy
  • Data handling modifications

FAQ

Is my data encrypted?

Yes, all data is encrypted in transit (TLS 1.3) and at rest in the database.

Can other users see my assessments?

No. RLS restricts every query to the rows you own, so other practitioners cannot see your assessments. The only sharing is the kind described under Role-Based Access Control: an educator can see submissions to their own courses, and staff access is limited and audit-logged.

Does OpenAI store my inputs?

According to OpenAI's API policy, data is not stored long-term or used for training.

What if I accidentally input client names?

Delete or edit the assessment immediately. Be aware that the text may already have been sent to OpenAI, where it can be retained for up to 30 days under their API policy, and that it persists in backups until those are purged on the schedule under Data Retention. Then check whether your agency's breach reporting procedure applies.

Can I export all my data?

Yes, go to Settings → Data Export to download all your information.

Is the platform HIPAA compliant?

The platform is not designed for PHI storage. Users must de-identify all information.

What happens if there's a data breach?

We will notify affected users within 72 hours and provide detailed incident information.

Can I request data deletion?

Yes, you can delete individual items or request complete account deletion.

Contact

For privacy or security questions:

  • Email: privacy@aiandsocialwork.com
  • Security Issues: security@aiandsocialwork.com
  • Data Requests: support@aiandsocialwork.com
