Security Practices — BusyBook

    Practice management for solo massage therapists — Create your free account →

    BusyBook|
    (682) 437-6509
    BusyBook

    Security Practices

    Last updated: March 7, 2026Version 1.0

    Overview

    At BusyBook Ltd. Co., security is fundamental to our mission. We protect massage therapists' business data and their clients' sensitive health information through comprehensive security measures.

    Business Address: 1209 Mountain Road PL NE, Ste R, Albuquerque, NM 87110, USA

    Security Contact: [email protected]

    Our Security Commitment

    • HIPAA-aligned safeguards
    • Encryption at rest and in transit
    • Regular security assessments
    • Access controls and monitoring
    • Incident response procedures

    Technical Safeguards

    Encryption

    Data in Transit:

    • TLS 1.3 for all data transmission
    • HSTS (HTTP Strict Transport Security) enforced
    • Secure certificate pinning

    Data at Rest:

    • AES-256 encryption for database storage
    • Encrypted backups
    • Secure key management

    Authentication & Access Control

    • Multi-factor authentication (MFA) support
    • Role-based access controls (RBAC)
    • Session timeout after inactivity
    • Secure password requirements
    • OAuth 2.0 for third-party integrations

    Database Security

    • Row-level security (RLS) enforced
    • Automatic security patches
    • Regular backups with encryption
    • Point-in-time recovery capability
    • Database activity monitoring

    Infrastructure Security

    Hosting & Network

    • Secure, managed infrastructure with strong data isolation controls
    • Network isolation and segmentation
    • Firewall protection
    • DDoS protection
    • Intrusion detection systems

    Application Security

    • Regular dependency updates
    • Static code analysis
    • Dynamic application security testing
    • Input validation and sanitization
    • Protection against OWASP Top 10 vulnerabilities

    HIPAA Compliance

    As a platform supporting healthcare practices, we implement HIPAA Security Rule requirements:

    Administrative Safeguards

    • Security management process
    • Workforce security training
    • Information access management
    • Security incident procedures
    • Contingency planning
    • Business Associate Agreements

    Physical Safeguards

    • Facility access controls
    • Workstation security
    • Device and media controls

    Technical Safeguards

    • Access controls
    • Audit controls
    • Integrity controls
    • Transmission security

    Data Protection

    Your Business Data

    • Client contact information
    • Appointment records
    • Session notes (SOAP notes)
    • Payment and billing data
    • Business analytics

    Your Client Data

    • Health information
    • Treatment records
    • Communications
    • Documents and files

    How We Protect It

    • All data encrypted in transit and at rest
    • Access limited to authorized users
    • Audit logs of all data access
    • Regular security assessments
    • Vulnerability management program

    Incident Response

    1. Detection: Automated monitoring identifies potential incidents
    2. Assessment: Security team evaluates severity and scope
    3. Containment: Immediate steps to limit impact
    4. Investigation: Root cause analysis
    5. Notification: Affected users notified within 24 hours
    6. Recovery: Systems restored and secured
    7. Post-Incident: Lessons learned and improvements

    Your Role

    If you suspect a security incident: immediately change your password, contact [email protected], document what you observed, and do not delete any data.

    Your Security Responsibilities

    Account Security

    • Use strong, unique passwords
    • Enable multi-factor authentication
    • Keep credentials confidential
    • Log out when finished
    • Report suspicious activity

    Data Handling

    • Only collect necessary information
    • Obtain proper consent
    • Use secure networks
    • Regularly export and back up

    Compliance

    • Maintain HIPAA compliance
    • Keep consent forms on file
    • Train staff on privacy
    • Report breaches per state law

    Third-Party Security

    We carefully vet our subprocessors with security assessments, regular reviews, contractual requirements, and ongoing monitoring.

    Compliance & Certifications

    • HIPAA Security Rule compliance — administrative, physical, and technical safeguards in place
    • SOC 2 Type II — controls implemented; formal certification in progress
    • Ongoing internal security testing, code review, and vulnerability scanning
    • External security assessment roadmap in development

    Questions & Contact

    General Security Questions: [email protected]

    Report Security Issue: [email protected]

    Address: 1209 Mountain Road PL NE, Ste R, Albuquerque, NM 87110, USA

    Bug Bounty: We welcome responsible disclosure. Contact us before testing.

    Trust is earned. We work every day to protect yours.