Security & Trust
Built for sensitive work
Interpreting agencies handle some of the most sensitive information there is. OneTerp is designed around protecting it, with strong access controls, encryption, and audit trails at the core.
Access control
- Role-based, agency-scoped permissions. Coordinators, admins, owners, and interpreters each see only what their role allows.
- Data is isolated per agency; an interpreter only sees the assignments shared with them.
- Security rules are enforced server-side on the database and file storage, not just in the UI, so a client that bypasses the app is still denied.
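What "agency-scoped, role-based" enforcement amounts to in practice, as an added example (not OneTerp's code; the page describes its rules as living server-side in the database and file-storage security rules, which this JavaScript only models). The record shape (`agencyId`, `sharedWith`), the role names, and the choice that interpreters get read-only access are assumptions made for the example; the default is deny.

```javascript
// Added example, not OneTerp's own code. Models the authorization decision
// the page says is enforced by server-side rules: agency isolation first,
// then role, then per-record sharing for interpreters. Default is deny.
// The record fields, role names, and actions below are assumptions.

const AGENCY_ROLES = new Set(["owner", "admin", "coordinator", "interpreter"]);

// Staff roles may read and write any assignment inside their own agency.
const STAFF_ROLES = new Set(["owner", "admin", "coordinator"]);

/**
 * user:       { uid, agencyId, role }   role is one of AGENCY_ROLES or "platformAdmin"
 * assignment: { id, agencyId, sharedWith: [uid, ...] }
 * action:     "read" | "write"
 * Returns true only when every check passes.
 */
function canAccessAssignment(user, assignment, action) {
  if (!user || !assignment) return false;
  if (action !== "read" && action !== "write") return false;

  // Platform administrators are walled off from agencies' operational data.
  if (user.role === "platformAdmin") return false;
  if (!AGENCY_ROLES.has(user.role)) return false;

  // Agency isolation: the record must belong to the caller's agency.
  if (!user.agencyId || user.agencyId !== assignment.agencyId) return false;

  // Staff roles: full access within their agency.
  if (STAFF_ROLES.has(user.role)) return true;

  // Interpreters: only assignments explicitly shared with them, read-only
  // (read-only is an assumption of this example).
  if (user.role === "interpreter") {
    return (
      action === "read" &&
      Array.isArray(assignment.sharedWith) &&
      assignment.sharedWith.includes(user.uid)
    );
  }
  return false;
}

// Constructed sample records (fictional ids) for a stand-alone run.
const assignmentA = { id: "asg-1", agencyId: "agency-A", sharedWith: ["interp-1"] };
const coordinatorA = { uid: "coord-1", agencyId: "agency-A", role: "coordinator" };
const coordinatorB = { uid: "coord-2", agencyId: "agency-B", role: "coordinator" };
const interp1 = { uid: "interp-1", agencyId: "agency-A", role: "interpreter" };
const interp2 = { uid: "interp-2", agencyId: "agency-A", role: "interpreter" };
const platformAdmin = { uid: "ops-1", agencyId: null, role: "platformAdmin" };

// Returns a small access matrix so the decisions can be inspected at once.
function accessMatrix() {
  return {
    coordinatorSameAgencyRead: canAccessAssignment(coordinatorA, assignmentA, "read"),
    coordinatorSameAgencyWrite: canAccessAssignment(coordinatorA, assignmentA, "write"),
    coordinatorOtherAgencyRead: canAccessAssignment(coordinatorB, assignmentA, "read"),
    sharedInterpreterRead: canAccessAssignment(interp1, assignmentA, "read"),
    sharedInterpreterWrite: canAccessAssignment(interp1, assignmentA, "write"),
    unsharedInterpreterRead: canAccessAssignment(interp2, assignmentA, "read"),
    platformAdminRead: canAccessAssignment(platformAdmin, assignmentA, "read"),
  };
}

console.log(accessMatrix());
```

The order of checks matters: the agency check comes before any role grant, so a coordinator from another agency is refused even though the role itself is privileged, and the platform-admin refusal sits above everything else so that no later branch can re-grant it.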
Encryption
- Encrypted in transit with TLS/HTTPS across the app and APIs.
- Encrypted at rest by Google Cloud by default.
Authentication & sessions
- A unique account and identity per person via Firebase Authentication.
- Optional email-verification gate on sign-in.
- Automatic logout after 15 minutes of inactivity, with a warning first, so an unattended screen doesn't stay signed in.
Audit & integrity
- An append-only activity log of sensitive actions, each entry attributed to the acting user (it records who, when, and what, never the underlying PHI).
- Infrastructure-level data-access logging on the database.
- Database rules prevent unauthorized modification of records.
Backups & recovery
- Automated daily database backups.
- Point-in-time recovery to guard against accidental loss.
Minimizing exposure
- Text messages are kept free of patient/consumer details by design.
- Accounting sync strips identifying details before sending. Only an internal job reference leaves the platform.
- Platform administrators are walled off from agencies' operational data.
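How an audit entry, an accounting-sync payload, and an SMS body can be kept PHI-free by construction, as an added example covering both the audit-log design above and the "minimizing exposure" items. This is not OneTerp's code; the field names, the job record shape, and the choice to include billable duration and rate alongside the job reference in the accounting payload are assumptions made for the example.

```javascript
// Added example, not OneTerp's own code. Each outbound artifact is built from
// an explicit allowlist of fields; a denylist check acts as a tripwire so a
// later refactor that spreads a whole record into a payload fails loudly.
// Field names and the job record shape below are assumptions.

// Keys that may identify a patient/consumer (assumed names).
const PHI_FIELDS = ["patientName", "patientDob", "diagnosis", "facility", "notes"];

// Accounting sync: internal reference plus billable quantities (assumed).
const ACCOUNTING_FIELDS = ["jobRef", "durationMinutes", "rateCents"];

// Copy only allowlisted keys from a record.
function project(record, allowedFields) {
  const out = {};
  for (const key of allowedFields) {
    if (Object.prototype.hasOwnProperty.call(record, key)) out[key] = record[key];
  }
  return out;
}

// Throw if any PHI key is present; otherwise return the payload unchanged.
function assertNoPhi(payload) {
  const leaked = PHI_FIELDS.filter((k) => Object.prototype.hasOwnProperty.call(payload, k));
  if (leaked.length > 0) {
    throw new Error("refusing to emit PHI fields: " + leaked.join(", "));
  }
  return payload;
}

// Audit entry: who / when / what / which record, by opaque id only.
function buildAuditEvent(actorUid, action, job, atIso) {
  return Object.freeze(
    assertNoPhi({
      actorUid, // who: taken from the caller's authenticated identity
      at: atIso, // when
      action, // what, e.g. "assignment.share"
      agencyId: job.agencyId,
      targetType: "assignment",
      targetId: job.id, // record id only, never its contents
    })
  );
}

// Append-only: entries are never modified; a new frozen array is returned.
function appendAuditEvent(log, event) {
  return Object.freeze([...log, event]);
}

function buildAccountingPayload(job) {
  return Object.freeze(assertNoPhi(project(job, ACCOUNTING_FIELDS)));
}

// SMS body refers to the job by reference and date only, then is checked
// against every PHI value on the record before it is returned.
function buildSmsText(job) {
  const text = `OneTerp: new assignment ${job.jobRef} on ${job.date}. Open the app for details.`;
  for (const k of PHI_FIELDS) {
    if (job[k] && text.includes(String(job[k]))) throw new Error("PHI in SMS body: " + k);
  }
  return text;
}

// Constructed sample job record (fictional data).
const sampleJob = Object.freeze({
  id: "asg-0042",
  jobRef: "OT-0042",
  agencyId: "agency-A",
  date: "2024-05-01",
  patientName: "Jane Doe",
  patientDob: "1970-01-01",
  facility: "County Clinic",
  notes: "Cardiology follow-up",
  durationMinutes: 90,
  rateCents: 6500,
});

const auditLog = appendAuditEvent(
  Object.freeze([]),
  buildAuditEvent("coord-1", "assignment.share", sampleJob, "2024-04-30T15:12:00Z")
);

console.log(auditLog, buildAccountingPayload(sampleJob), buildSmsText(sampleJob));
```

The allowlist does the real work; the denylist is deliberately redundant so that adding a new PHI field to the record requires touching `PHI_FIELDS`, which is the review point where someone asks whether any outbound channel now needs to change.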
Infrastructure & sub-processors
OneTerp runs on Google Cloud and uses a small, deliberate set of providers. Vendors that could touch protected health information are covered by a Business Associate Agreement; the rest are kept out of PHI scope entirely.
| Provider | Used for | PHI handling |
|---|---|---|
| Google Cloud / Workspace | Hosting, database, file storage, email | Covered by a signed BAA |
| Stripe | Subscription billing | Kept PHI-free (billing data only) |
| Twilio | SMS notifications | Kept PHI-free by design |
| Intuit / QuickBooks | Optional accounting sync | PHI stripped before sync |
Our HIPAA posture
OneTerp acts as a Business Associate to the interpreting agencies it serves, and is built around the HIPAA Security Rule. Strong access controls, encryption, audit logging, and automatic logoff are in place, and our cloud infrastructure is covered by a Business Associate Agreement. Building a fully documented compliance program (risk assessment, policies, workforce training, and counsel review) is an ongoing effort, so we describe our safeguards rather than claim a certification. If your agency needs a Business Associate Agreement, reach out at bryan@oneterpscheduling.com.