Security, privacy, and the paperwork behind them.

Certifications. SOC 2 Type II (audited annually), HIPAA-aligned with BAA, GDPR & CCPA compliant. Reports available under NDA.

Encryption. AES-256 at rest, TLS 1.3 in transit. Customer-managed encryption keys available on Enterprise tier.

Access. SAML 2.0 / OIDC SSO, SCIM provisioning, role-based access control, audit logging exported via SIEM webhook.

Operations. 99.99% uptime SLA, multi-region failover, quarterly penetration testing, 24/7 SOC monitoring.

Data residency. US (default) and EU options. No model training on customer conversations. No data sale, ever.

Zero individual identification to employers. Organizational dashboards show only aggregate, de-identified cohort metrics with a minimum cell size of 10.

Therapeutic confidentiality. Conversations with clinicians and Henry AI are protected. Employers cannot request transcripts.

Your data, your control. Employees can export and delete their data at any time. Retention windows are configurable.

Regulators. GDPR, CCPA, PIPEDA. DPA available on request.

Master Services Agreement. Standard MSA available for signature during procurement. Redlines welcome.

Business Associate Agreement. Executed for any HIPAA-covered entity prior to go-live.

Acceptable Use. Thrive MT is wellbeing support, not a substitute for emergency care. The 988 crisis line is surfaced inside every portal 24/7.

For a copy of any document, email legal@omni.health.