ABAIQ is an AI-powered documentation assistant for Applied Behavior Analysis (ABA) professionals. It helps clinicians generate session note drafts faster by working alongside any web-based practice management system through a Chrome browser extension.
ABAIQ is not an electronic health record (EHR), a medical record system, or a clinical decision-making tool. It is a documentation productivity tool designed with healthcare data security as a foundational requirement, not an afterthought.
This document describes the security architecture, safeguards, and development practices that ABAIQ follows to protect your clinical data and maintain compliance with the HIPAA Security Rule.
2. Data Architecture & Flow
Understanding how your data moves through ABAIQ is critical to evaluating our security posture. Here is the complete data flow:
The Chrome extension reads clinical session data that is already visible on your screen within your practice management system. It does not access any backend systems, APIs, or databases of the platform you are using.
Your session inputs are sent over an encrypted (TLS 1.2+) connection to the ABAIQ backend API, which requires a valid authentication token for every request.
The ABAIQ backend forwards the session data to our AI provider, with whom we maintain a Business Associate Agreement (BAA). The AI provider processes the data in real-time via streaming.
The generated clinical note draft is streamed back to your browser for review. You control whether to accept, edit, or discard the note.
Once you close the extension sidebar or export your note, no copy of the generated note remains on ABAIQ servers. We do not store the content of clinical notes.
Key principle: Clinical note content passes through ABAIQ but is never stored by ABAIQ. Our AI provider operates under a BAA with a zero-retention policy, meaning session data is not retained or used for model training.
3. Administrative Safeguards
Administrative safeguards establish the policies, procedures, and organizational measures to manage security:
Access management: Only authenticated users with valid accounts can access the ABAIQ extension and API. Each user must register with a verified email address and phone number.
Authentication: Users authenticate via email and password. Multi-factor authentication (MFA) via SMS is available and is enabled during web login, adding a further layer of account protection.
Business Associate Agreements: We maintain a BAA with our AI provider that governs the handling, processing, and non-retention of clinical data. BAAs are available for client organizations upon request.
Breach notification: In the event of a confirmed data breach affecting personal or clinical information, we will notify affected users within 72 hours and notify applicable regulatory authorities as required by law.
Personnel access: Access to production systems and infrastructure is restricted to authorized personnel on a need-to-know basis.
Security reviews: We conduct regular security assessments of our codebase, infrastructure, and vendor relationships.
4. Technical Safeguards
Technical safeguards are the technology-based controls that protect data and control access:
🔐 Encryption in transit: All data transmitted between the extension, our API, and our AI provider is encrypted using TLS 1.2 or higher.
🔒 Encryption at rest: Account metadata and user profile data stored in our database are encrypted at rest by our infrastructure provider.
🔑 Token-based authentication: Every API request to the ABAIQ backend requires a valid, time-limited authentication token verified against our auth system.
🚧 No PHI in URLs: Clinical data is transmitted exclusively via encrypted POST request bodies, never in URL parameters or query strings.
📝 Audit logging: All API requests are logged with timestamps, user identifiers, and request metadata for accountability and incident investigation.
🛠 Secure development: Code changes undergo review before deployment. Dependencies are regularly audited for known vulnerabilities.
5. Physical Safeguards
ABAIQ does not operate its own data centers or physical servers. All infrastructure is hosted by third-party cloud providers that maintain robust physical security controls:
Our infrastructure providers are SOC 2 certified, meaning they have been independently audited for security, availability, and confidentiality controls.
Data centers used by our providers include physical access controls, surveillance, environmental protections, and redundancy measures.
ABAIQ personnel do not have physical access to any servers or data center facilities. All infrastructure management is performed remotely through authenticated and encrypted channels.
6. Data Minimization
We follow the principle of collecting and processing only the minimum amount of data necessary to deliver the service:
Screen reading only: The extension reads only data that is already visible to you on your screen. It does not access hidden fields, internal APIs, databases, or backend systems of any third-party platform.
Targeted data processing: Only the clinical session data necessary to generate a note draft is sent to the AI provider. No additional patient records, history, or unrelated data is transmitted.
No note storage: Generated clinical notes are never stored on ABAIQ servers or in our database. Notes exist only in your browser memory during the active session.
Metadata only: We retain only usage metadata (number of notes generated, timestamps) for billing and analytics. Note content is never recorded.
No secondary use: Your clinical data is never used for advertising, marketing, analytics, AI model training, or any purpose other than generating your requested note.
7. Business Associate Agreements
Business Associate Agreements are a cornerstone of HIPAA compliance when third parties handle protected health information:
AI provider BAA: We maintain a signed BAA with our AI provider that governs how clinical session data is processed. Under this agreement, the AI provider processes data in real-time, does not retain session data, and does not use it for model training or improvement.
BAA for your organization: If your clinic, agency, or practice requires a Business Associate Agreement directly with ABAIQ (Hybreu Digital LLC), we are prepared to execute one. Contact us at support@abaiq.ai to initiate the process.
8. Third-Party Vendors
ABAIQ uses a limited number of third-party services to operate. We evaluate each vendor for security practices and compliance posture:
Service Category          | Purpose                                   | Data Handled
Authentication & Database | User registration, login, account storage | Account data (name, email, phone)
AI Provider               | Real-time clinical note generation        | Session inputs (processed, not retained)
Payment Processor         | Subscription billing                      | Billing details (we never see full card numbers)
SMS Provider              | Multi-factor authentication delivery      | Phone number (for OTP codes only)
Each provider maintains its own security certifications and compliance standards. Our AI provider operates under a BAA with ABAIQ.
9. Extension Permissions & Behavior
Transparency about what the ABAIQ Chrome extension can and cannot do:
What it reads: Visible on-screen data within your practice management system, including session fields such as client initials, dates, behavior descriptions, and service codes.
What it writes: At your direction, the extension can write user-approved content (such as generated note drafts) back into form fields within your practice management system. This only happens when you explicitly trigger it.
What it does NOT do: The extension does not access other browser tabs, intercept network traffic, access internal APIs or databases of any third-party platform, read data from other users, or communicate with any server other than the ABAIQ backend.
Local storage: The extension stores per-client preferences (such as behavior functions and training objectives) locally on your device in Chrome's extension storage. This data is not synced to the cloud and is not accessible to other extensions or websites. You can clear it at any time.
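The following is an added example, not the ABAIQ extension's code, showing how an extension-side preference store can enforce the behaviour described above: preferences are keyed per client in chrome.storage.local, an allowlist of preference fields prevents note drafts or other clinical text from ever being persisted, and one call clears everything. It assumes the MV3 promise-returning chrome.storage.local shape (get / set / remove / clear) and the field names behaviorFunctions and trainingObjectives; memoryStorage() is a constructed stand-in so the module also runs outside Chrome.

```javascript
// Added example (not the ABAIQ extension's code): a per-client preference
// store for chrome.storage.local with an allowlist so note content is never
// persisted. Assumes the MV3 promise-returning API shape; memoryStorage() is
// a constructed stand-in for running outside the browser.

// Assumed preference field names; anything else is refused.
const ALLOWED_PREF_KEYS = ['behaviorFunctions', 'trainingObjectives'];

// Synchronous gate: returns the list of fields that must not be persisted.
function disallowedPreferenceKeys(prefs) {
  if (prefs === null || typeof prefs !== 'object' || Array.isArray(prefs)) return ['<not an object>'];
  return Object.keys(prefs).filter((k) => !ALLOWED_PREF_KEYS.includes(k));
}

// Storage key per client; the id is validated so it cannot smuggle in other data.
function prefKey(clientId) {
  if (typeof clientId !== 'string' || !/^[A-Za-z0-9_-]{1,64}$/.test(clientId)) {
    throw new Error('invalid client id');
  }
  return `prefs:${clientId}`;
}

// Persist preferences for one client, refusing any non-preference field
// (for example a noteDraft accidentally passed in with the preferences).
async function savePreferences(storage, clientId, prefs) {
  const bad = disallowedPreferenceKeys(prefs);
  if (bad.length) throw new Error(`refusing to persist non-preference fields: ${bad.join(', ')}`);
  await storage.set({ [prefKey(clientId)]: prefs });
}

// Load preferences for one client, or empty defaults if none are stored.
async function loadPreferences(storage, clientId) {
  const key = prefKey(clientId);
  const found = await storage.get(key);
  return found[key] ?? { behaviorFunctions: [], trainingObjectives: [] };
}

async function clearClientPreferences(storage, clientId) {
  await storage.remove(prefKey(clientId));
}

async function clearAllPreferences(storage) {
  await storage.clear();
}

// Constructed in-memory stand-in with the same method shape as chrome.storage.local.
function memoryStorage() {
  const data = new Map();
  return {
    async get(key) { return data.has(key) ? { [key]: JSON.parse(data.get(key)) } : {}; },
    async set(obj) { for (const [k, v] of Object.entries(obj)) data.set(k, JSON.stringify(v)); },
    async remove(key) { data.delete(key); },
    async clear() { data.clear(); },
    size() { return data.size; },
  };
}
// Inside the extension, pass chrome.storage.local as `storage` instead of memoryStorage().
```

Because the allowlist is enforced in the save path rather than in the UI, a future code change that passes the whole sidebar state (draft included) into the preference store fails loudly instead of silently writing clinical text to disk.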
10. Compliance Posture
ABAIQ implements administrative, technical, and physical safeguards consistent with the HIPAA Security Rule (45 CFR Part 164, Subparts A and C). Key aspects of our compliance posture:
We design our architecture around the principle that clinical note content should never be stored on our servers.
We maintain BAAs with downstream vendors that process clinical data.
We implement access controls, encryption, and audit logging across all system components.
We are available for security assessments and can provide documentation to support your organization's vendor evaluation process.
Important: ABAIQ is a documentation assistance tool. It does not replace or reduce the compliance obligations of covered entities or business associates under HIPAA. You are responsible for ensuring your overall use of ABAIQ complies with HIPAA and applicable state regulations. All generated notes must be reviewed, verified, and approved by a qualified professional before clinical use.
11. Related Policies
For additional information about how we handle your data and the terms governing the Service, please review:
Privacy Policy — Full details on data collection, storage, retention, and your rights
Terms of Service — Usage terms, professional responsibility, and liability limitations