Book Demo

HIPAA-Compliant Data Policy

Your Data.Your Control.

mirro is built for behavioral health, ABA, and telehealth organizations that can’t afford ambiguity. Your PHI stays encrypted, under your control, and is never used to train our models without your explicit permission

  • Models are pre-trained & frozen before deployment.
  • Your data never enters training pipelines by default.
  • Fully encrypted, HIPAA-compliant cloud infrastructure.
Contact Security Team

How mirro Uses Your Data

Our customers asked very specifically: “Is our ABA / behavioral health data training your models?” The short answer is no — unless you explicitly ask us to and opt in with a signed agreement

Ownership

Your Data Stays Yours
All audio, video, transcripts, notes, and AI-generated insights belong to your organization. mirro does not sell, rent, or share your data with third parties.
  • Your PHI is never pooled with other customers.
  • Data is only used to serve your instance.
  • Data export & deletion are available.

Training

No Default Model Training
Production models are pre-trained and frozen before deployment. Your data does not flow into our training pipelines by default.
  • No "silent" training on your sessions.
  • No cross-customer learning.
  • No vendor reuse of your PHI.

Opt-in

Customer-Initiated Fine-Tuning
If you want Mirro tuned specifically to your workflows, we’ll only proceed with your formal approval.
  • Written opt-in from your organization.
  • BAA + Data Processing Agreement in place.
  • Strict de-identification before training.
  • Plain language promise:
mirro will never use your ABA or behavioral health data to train AI models unless you ask us to and sign off on the process.

Data Storage, Encryption & Infrastructure

Customers often ask: “Where exactly is our data, and how is it secured?” Here’s how Mirro stores and protects your recordings, transcripts, and analysis.

HIPAA-Compliant Cloud Platform

mirro runs on a HIPAA-compliant cloud infrastructure that provides:
  • Physical & network security controls.
  • Firewalling, intrusion detection & monitoring.
  • Redundancy and secure backups.

Encrypted In Transit & At Rest

All PHI moves and lives within a fully encrypted environment.
  • TLS 1.2+ for data in transit.
  • AES-256 for data at rest.
  • Managed encryption keys with strict access controls.
  • Session recordings & analysis:
If you opt to store playback, those files and the associated AI insights are stored encrypted. Access is limited to authorized users in your organization, and you control retention and deletion.

Session Data, Playback & User Responsibilities

AI is powerful — but it doesn’t replace clinical judgment. mirro is designed to support your staff, not encourage risky shortcuts.

 

Access

Who Can See What
Access to session data is fully controlled by your organization.
  • Role-based access control (RBAC).
  • Audit logs for data access events.
  • Mirro staff access only with your explicit authorization.

Responsibility

AI Assistance, Human Judgment
AI Assistance, Human Judgment
  • AI augments documentation; it doesn't replace clinical decision-making.
  • Your internal policies still govern what can be shared or documented.
  • We provide guidance on best practices for Human-in-the-loop workflows.

Compliance, Auditing & Frequently Asked Questions

For many organizations, the key question is simple: “Does mirro increase our risk?” Our policy is designed so the answer is no

Compliance

HIPAA & Security Controls
Mirro maintains safeguards consistent with HIPAA requirements:
  • Access control & least-privilege permissions.
  • Audit logging for key security events.
  • Breach notification processes and incident response plans.

HIPAA-Aligned Policies

Encrypted PHI

RBAC + Audit Logs

No — unless you explicitly opt in through a formal agreement. By default, your data is not used to train or improve Mirro's models.

In a HIPAA-compliant cloud environment with encryption at rest and in transit. We do not move your PHI into non-compliant third-party tools.

Yes. mirro supports data deletion upon request, subject to any legal or contractual retention requirements.
 

Only with your explicit authorization for support or troubleshooting. All such access is logged and time-bound.
 

mirro is designed to support your compliance posture, not weaken it — by keeping PHI in encrypted, controlled environments and avoiding default training on your data.
 

Questions from your security or compliance team?

We’re happy to walk through architecture diagrams, data flows, and technical safeguards.
 
Contact Security Team
Shopping Basket