Security and Privacy Values
At Nudge AI, security and privacy aren't just compliance requirements – they are fundamental values woven into the fabric of our company culture. As an AI service provider in behavioral health, we understand that we are entrusted with our patients’ most sensitive and personal information. This trust is sacred to us, and we honor it by implementing rigorous security measures and privacy protocols. Our commitment ensures that behavioral health professionals and their patients can focus on what matters most – the journey toward healing and growth.
HIPAA Compliance
Our platform is engineered to meet or exceed the requirements of the HIPAA Security, Privacy, and Breach Notification Rules:
Administrative Safeguards: Documented policies and procedures for security management, workforce security, information access management, security awareness training, and incident response
Physical Safeguards: Controls to protect our physical infrastructure, workstations, and devices that may contain PHI
Technical Safeguards: Access controls, audit controls, integrity controls, and transmission security measures
We maintain comprehensive audit logs of all PHI access and modifications, enabling detailed accounting of disclosures when required
Our breach notification process follows HIPAA requirements, including:
Timely notification procedures
Documentation of breach assessment
Required reporting to covered entities
We conduct regular HIPAA compliance assessments, including:
Annual risk assessments
Documentation review and updates
Data handling practices include:
Minimum necessary access to PHI
Secure disposal of PHI following retention requirements
Encryption of PHI at rest and in transit
Secure backup and disaster recovery procedures
We provide HIPAA-compliant Business Associate Agreements (BAAs) that clearly outline:
Permitted uses and disclosures of PHI
Safeguard requirements
Breach notification obligations
Termination provisions
Regular employee HIPAA training includes:
Privacy and security requirements
Breach identification and reporting
Employees and Access
We use role-based access and a “Minimum necessary access to PHI” principle as mentioned above. Any form of sensitive data is only accessible to those employees with privileged access.
All Nudge AI contractors and employees undergo comprehensive background checks before joining our team, following industry best practices and local regulations.
We require signed Confidentiality Agreements and NDAs from everyone with access to sensitive or internal information.
Our security-first culture is reinforced through regular employee training and testing on current and emerging security threats.
Security Architecture
Nudge’s security model is designed so that, in the event of a breach, any data that leaked could not be traced back to the individual(s) it relates to. The stored data effectively sits as an anonymized blob of text.
Nudge AI is built on Google Cloud Platform (GCP) as its secure cloud platform.
Audio captured during a session is automatically deleted from our GCP servers within 7 days.
Nudge AI has signed BAAs with GCP and with all third-party service providers, including the transcription providers Deepgram and AssemblyAI and the AI model providers OpenAI and Anthropic.
BAAs ensure PII/PHI data is handled with HIPAA compliance measures on third-party providers.
Nudge AI stores only redacted transcripts of data and documentation on its servers on GCP. All PII and PHI are redacted before Nudge stores data.
Databases
Data in Nudge AI databases is encrypted
Nudge isolates data on a per-enterprise, per-clinician, and per-patient basis, ensuring data cannot be commingled between patients
All data is stored on GCP in a datacenter in the USA
Network Architecture
All data, including audio bytes, is transported over TLS 1.3, so it is encrypted in transit.
Nudge AI’s servers run in their own VPC on GCP, inaccessible to external network traffic.
Security Testing
All developers at Nudge AI are required to go through security training and all code developed at Nudge AI is reviewed for security vulnerabilities.
Regular security assessments include:
Infrastructure vulnerability scanning
Cloud configuration audits
API security testing
Incident Response
Our incident response program is designed to quickly detect, respond to, and mitigate security incidents while maintaining complete transparency with our customers.
Our dedicated incident response team operates with defined procedures for:
Rapid incident detection and classification
Systematic containment strategies
Evidence preservation and analysis
Root cause investigation
Service restoration and hardening
Incident severity levels are clearly defined and determine response procedures:
Critical: Immediate response with 1-hour SLA, potential data breach
High: 4-hour response SLA, service availability issues
Medium: 24-hour response SLA, limited security impact
Low: 24- to 48-hour response SLA, minimal security impact
Customer Communication Protocol:
Initial notification within 1 hour for critical incidents
Regular status updates throughout incident resolution
Detailed post-incident reports including root cause and preventive measures
Direct communication channel with our security team during incidents
Post-Incident Procedures:
Comprehensive incident documentation
Root cause analysis reports
Implementation of preventive measures
Updates to security policies and procedures based on lessons learned
Regular testing of incident response procedures through tabletop exercises
Report Vulnerabilities
Security vulnerabilities can be reported to contact@getnudgeai.com.
© Copyright 2025, All Rights Reserved by Nudge AI
Made with ❤️ in San Francisco