Get ABA Assessments handles sensitive clinical information and is designed with privacy, access control, and data integrity as core requirements. The following describes how client data, uploaded files, and generated documents are protected throughout the platform.
User Authentication
- Accounts are secured with email and password authentication
- Sessions are managed server-side using secure tokens (Laravel Sanctum)
- Session validity is enforced throughout active use — expired sessions redirect to the login screen automatically
Data Storage
All assessment data — answers, uploaded files, baseline graphs, and generated reports — is stored on AWS S3 in private, access-controlled buckets.
- No file or document stored in S3 is ever accessible via a public URL
- All access is controlled at the bucket level; direct object access is blocked for all external requests
Document and File Access
All downloads — reports, uploaded images, clinic logos — are served through AWS CloudFront using signed URLs.
- Each signed URL is unique, generated on demand for the authenticated user
- URLs expire after a short period — an expired link cannot be reused
- A new valid link is generated each time the user clicks a download button
This ensures that even if a URL were inadvertently shared or captured, it would not grant access to the document after expiry.
AI Data Handling — PII/PHI Protection
Assessment answers are sent to OpenAI GPT-4 for clinical narrative generation. To protect client privacy:
- Personally identifiable information (PII) and protected health information (PHI) — including client names, dates of birth, email addresses, and insurance identifiers — are not included verbatim in AI prompts
- Prompts contain de-identified clinical data only (e.g., behavioral descriptions, frequency data, domain-level answers)
- AI-generated responses are cached in the platform’s own database for seven days to reduce redundant API calls; cached responses do not contain raw patient identifiers
Important: The platform is designed with a HIPAA-aware data pipeline. Users are responsible for ensuring their overall use of the platform complies with applicable privacy laws and organizational data handling policies.
Answer Auto-Save and Data Integrity
- Answers are saved to the server automatically when submitted — no manual save is required
- Progress is stored server-side; clearing browser data does not affect saved answers
- A soft-delete policy is applied to all records — no assessment data is permanently deleted. Cancelled or removed items are archived and remain available for audit purposes
Audit Trail
The platform maintains a complete record of all significant actions:
- Assessment creation and status changes
- Individual answer submissions
- File uploads
- Report generation requests and completions
- Email notifications sent
Records are preserved indefinitely using soft deletes, supporting compliance review and dispute resolution.
Payment Security
- All payments are processed through Stripe and WooCommerce
- The platform does not store credit card numbers or payment credentials
- Payment data flows directly between the user’s browser and the payment processor
Data Encryption
All data in transit between the user’s browser and the platform is encrypted via HTTPS/TLS. Data stored in AWS S3 is encrypted at rest using AWS-managed encryption.
Account Responsibility
The account holder is responsible for:
- Controlling who has access to the account credentials
- Ensuring all team members using the platform are authorized to handle clinical data
- Reviewing all AI-generated content before it is used in any clinical or administrative context
- Ensuring compliance with applicable privacy regulations (HIPAA, state-level requirements) within their organization
