Security

Privacy is the default, not a feature.

BilateralSync is designed to minimize the data collected during a therapy session. This page describes the controls that are enabled today.

Data collection

BilateralSync does not require clients to create an account. We do not collect client names, email addresses, phone numbers or other personal identifiers. A session is identified by a short, unguessable code that expires when the session ends.

Encryption

All traffic between the therapist, client and our servers is encrypted in transit using TLS. Real-time session state is exchanged over secure channels.

Session identifiers

Sessions use randomly generated codes with sufficient entropy that they cannot be guessed. Codes expire and are rotated for each new session.

Analytics

We use cookieless, anonymous analytics that do not track individuals across sites and do not require a cookie consent banner.

Sub-processors

BilateralSync is hosted on established cloud infrastructure with industry-standard operational security. A current list of sub-processors is available on request.

Responsible disclosure

If you believe you have found a security issue, please email security@bilateralsync.com. We aim to acknowledge reports within two business days.

See also our privacy policy and terms of service.