Certifications and Safeguards: Blueprint is HIPAA compliant and SOC 2 Type 2 Certified, indicating our ability to set and meet strict security standards verified by an independent auditor.

Your BAA: Our standard BAA is agreed to as part of our terms of service when you sign up for Blueprint. For a signed version of your BAA with Blueprint click here.

Secure transmission and storage of data: All data is encrypted during transmission (HTTPS, SFTP) and at rest (256-bit server disk-level encryption). All data is stored in encrypted databases and data storage repositories located in the United States.

Recordings are Auto-Deleted: Once you record a session on Blueprint, it is automatically deleted and removed from our servers permanently upon transcription.

Control over your data: Upon conclusion of a recording, Blueprint produces three primary clinical artifacts: (i) transcription; (ii) session summary; (iii) clinical note. Users can choose to retain or delete these artifacts at any time. Deleted artifacts are permanently removed and irrecoverable. Admins can also choose to “auto-delete” transcripts and session summaries as desired (though certain features, such as Magic Edit, may be limited as a result)

All data is encrypted during transmission (HTTPS, SFTP) and at rest (256-bit server disk-level encryption).

All enriched data is stored in encrypted relational databases (Amazon Web Services RDS) and all raw session data (captured audio and text transcriptions) is stored in encrypted blob storage (Amazon Web Services S3).

Access to the AWS infrastructure is limited to members of technical staff who require it for their job function. Direct access to the relational databases requires approved access to our Virtual Private Network (VPN).

Access to administrative tools (such as clinical portal and internal reporting) is limited to members of staff who require it for their job function.

We are SOC 2 Type 2 certified by an independent auditor (report available upon request) and we have implemented administrative, technical, and physical safeguards to protect data per the HIPAA Security Rule.

We have BAAs in place with our subprocessors that enable our AI-powered services.

Client demographic and data contact information is entered by clinicians either directly using our web-based portal, or via an integration with the customer’s EHR.

Clinicians assign assessments, worksheets, and interventions to clients either interactively or via rule-based workflows.

Blueprint sends text messages, emails, and/or push notifications (based on client preferences) with reminders to complete assessments.

Assessment, worksheet, and intervention data is stored in relational databases.

The transactional production database is replicated to read-only replicas for integration into internal data warehousing tools.

At customer request, completed assessment data is extracted daily into CSV files and placed into an SFTP server for customers to self-serve download. Access to the SFTP is provisioned by Blueprint. Customers create their own public/private key pair, provide us the public key only, and we create SFTP users with the public key that has access only to the specific root folder for the customer.

At customer request, and if the customer’s EHR is capable, individual completed assessments can be delivered in near real time via a secure webhook. Each webhook request is signed with an HMAC.

Client demographic and data contact information is entered by clinicians either directly using our web-based portal, or via an integration with the customer’s EHR.

Clinicians initiate a session recording via their web browser by granting our web portal access to the device microphone.

Audio files are securely transmitted from the browser to encrypted blob storage.

Audio files are securely transmitted to Deepgram to create a transcript. Audio files are deleted by Blueprint immediately after the transcript is returned

Transcripts are stored as text files in encrypted blob storage.

Transcript text and other metadata (such as our proprietary prompts) are transmitted to OpenAI to generate clinical notes, summaries, treatment plans, and other clinical artifacts.

Clinical artifacts are then stored in the encrypted relational databases.