Is NeuroPath HIPAA-compliant?

Yes. All clinical surfaces of NeuroPath run on BAA-covered Google Cloud services: Firebase Hosting, Cloud Run, Firebase Auth, and Firestore. Authentication is required for every clinical interaction. Per HIPAA §164.312(a)(2)(iii), sessions automatically log off after 15 minutes of inactivity. Data is encrypted at rest and in transit, and all access is audit-logged.

Is NeuroPath FERPA-compliant for school deployments?

Yes. In school-district deployments, NeuroPath operates as a school official with legitimate educational interest under FERPA 20 U.S.C. §1232g, under written agreement with the district. Parent consent governs cross-organization data sharing between school, hospital, and home settings.

Where is NeuroPath hosted?

NeuroPath is hosted entirely on Google Cloud in U.S. regions, under an executed BAA with Google. The public marketing site at neuropathhealth.com is served by Firebase Hosting and contains no patient data. Clinical surfaces live on app.neuropathhealth.com behind Firebase Auth.

How do I report a security vulnerability?

NeuroPath follows a responsible-disclosure policy. Report suspected vulnerabilities to info@neuropathhealth.com. We commit to acknowledge within 72 hours and will not pursue legal action against researchers acting in good faith under the scope of our policy.

Trust & Security — NeuroPath Health

HIPAA

HIPAA Posture

NeuroPath Health operates under a HIPAA-aligned architecture. Our school deployments do not require Protected Health Information (PHI) — district-facing workflows use educational records governed by FERPA, which keeps the system outside HIPAA’s scope for those customers. Hospital and clinical deployments that handle PHI operate under a signed Business Associate Agreement (BAA).

PHI is stored and transmitted only where clinically required; never in school-side workflows.
Minimum-necessary data principle applied at every integration boundary.
Encryption in transit (TLS 1.2+) and at rest (AES-256).
Role-based access controls and audit logging for all PHI interactions.
BAA template available on request for pilot partners handling PHI.

Note for institutional buyers: Our HIPAA documentation — BAA template, risk assessment, and administrative/technical/physical safeguards summary — is available on request. We’re actively building toward a full HIPAA compliance attestation and will publish it here when complete.

Questions? info@neuropathhealth.com

Security

Security Program

NeuroPath Health is built on Google Cloud infrastructure with modern security controls from the ground up. Our program emphasizes defense in depth, least-privilege access, and continuous monitoring.

Infrastructure: Google Cloud Platform, with Vertex AI VPC for model operations.
Encryption: TLS 1.2+ in transit, AES-256 at rest.
Authentication: Staff SSO with multi-factor authentication; Firebase Auth with MFA for admin users.
Access control: Role-based permissions, principle of least privilege, separation of duties.
Audit logging: All PHI/PII access logged with immutable audit trail.
Code review and secrets management: Git-based review, secrets stored in managed secret stores (never in source).
Dependency monitoring: Automated vulnerability scanning on all third-party packages.

Independent assessments: SOC 2 Type I is under active planning. Our target is to complete Type I in our first full operating year and progress to Type II thereafter. Penetration testing cadence and scope will be published alongside the Type I attestation. Pilot partners with accelerated procurement timelines can request a tailored security review.

Security questions or responsible disclosure: security@neuropathhealth.com

Clinical Reliability

Clinical Reliability Harness

NeuroPath Health auto-generates three tiers of clinical output: student profiles, proposed target behaviors, and candidate intervention plans. Because those outputs inform decisions about real children, they are scored daily against a licensed clinician — and the system pauses itself when reliability slips. This section documents how that oversight works so buyers, compliance officers, and clinicians can evaluate it directly.

Scoring methodology

Every generated output is evaluated item-by-item across multiple independent clinical dimensions spanning operational precision, target selection, intervention fit, and behavioral function. Matching is function-based rather than strict-wording; an item counts as agreement when it addresses the same behavioral function the reviewing clinician would have written, even if phrasing differs. The aggregate output score is the percentage of agreeing items. Specific dimension weightings are shared with pilot partners under NDA.

Behavioral function accuracy is load-bearing. Our scoring framework places primary weight on whether the hypothesized behavioral function is correct — it is treated as a gating clinical check rather than one checkbox among many. Exact weighting methodology is available to pilot partners under NDA.

Daily 33% clinician review

A 33% random sample of every previous day’s generated outputs is routed to our licensed clinical co-founder (BCBA-D, Psy.D) for formal inter-rater agreement scoring.
The sample is stratified so each district, school, and presenting category that produced output that day is represented at least once.
Per-metric ratings (agree / partial / disagree), free-text rationale, and categorical reason codes are captured for every scored item.
Structured reason codes are captured on every disagreement. The taxonomy is clinician-owned and extensible as new patterns emerge; the specific code set is shared with pilot partners under NDA.

Auto-pause thresholds

Each output tier is monitored independently. When clinician agreement for a tier falls below our defined reliability thresholds — either through sustained sub-threshold scoring or an error accumulation pattern — that tier auto-pauses pending supervised review. The exact thresholds are calibrated conservatively and are shared with pilot partners under NDA.

When a tier pauses, generation for that tier is suspended, the admin UI displays a visible banner naming the paused tier, and reactivation requires a clinician to review the flagged batch and explicitly re-enable. Every pause and re-enable event is written to the immutable audit trail with reviewer identity and timestamp.

Why the threshold is strict: An earlier draft proposed monitoring agreement over long rolling averages. Our clinical co-founder pushed back — that would let too many errors accumulate before the system pauses. The current rule fires meaningfully earlier. The purpose is never to “quietly drift.”

Reliability dashboard

Captured agreement data feeds an internal dashboard showing agreement percentage by output tier, by metric, by district, by school, and by clinician author, with trend lines over time. The data is maintained in the same shape a BCBA supervisor pulls for licensure-level inter-rater agreement documentation — so clinician customers can reuse it for their own credentialing records.

Clinical reliability questions or IOA documentation requests: clinical@neuropathhealth.com

Privacy

Privacy Policy

We’re building NeuroPath Health for families and institutions that have every reason to be careful with data — children with disabilities, their medical records, and the adults who advocate for them. We take that seriously.

What we collect. Depending on the deployment, NeuroPath Health may collect: staff and family account information (name, email, role), product usage telemetry, behavioral observation logs entered by authorized staff, and — in hospital and family deployments — clinical information imported with explicit consent (e.g., MyChart connections made by a parent for their own child).

What we don’t collect. In school deployments, we do not require or ingest Protected Health Information. Student records used for behavioral support are scoped to educational data governed by FERPA.

How we use data. We use data solely to deliver the product to the customer who provided it, to improve the product, and — where permitted and de-identified — to support research that advances the science of behavioral support. We never sell personal data. We don’t use family or student data to train third-party large language models.

Your rights. You can request access to, correction of, or deletion of your data at any time. For school and hospital deployments, the institution (district / hospital) is the data controller; we act as a processor under a Data Processing Agreement (DPA).

Data residency. United States.

Formal policy document: A full Privacy Policy and DPA template are being finalized in partnership with counsel. For the current draft or a deployment-specific DPA, contact us directly.

Privacy questions, data requests, or DPA: privacy@neuropathhealth.com

Terms

Terms of Service

NeuroPath Health is provided as a software-as-a-service tool for authorized institutional customers (schools, hospitals, clinics, care agencies) and, in limited preview, for families of children with behavioral support needs.

Customer data ownership. Your data is yours. Institutions retain ownership of their records; families retain ownership of their child’s records. NeuroPath Health acts as a processor and holds no residual rights to customer data beyond what is necessary to deliver the service.

Acceptable use. NeuroPath Health is a clinical decision support tool, not a replacement for professional clinical judgment, emergency services, or mandated reporting. The product is designed with hard-coded safety triggers that escalate to human authorities in crisis scenarios; those safeguards are not bypassable.

Service availability. We do not currently publish a formal SLA. Pilot agreements include service-availability expectations appropriate to the deployment. A published SLA will accompany our general-availability launch.

Pilot agreements. Pilot deployments are governed by a written agreement that covers scope, data handling, access, term, termination, and any customer-specific compliance requirements. We do not rely on clickthrough terms for institutional customers.

Formal Terms of Service: A complete Terms of Service and Master Services Agreement are being finalized. For the current draft or a pilot-stage agreement, contact us directly.

Legal / contracts: legal@neuropathhealth.com

Pilot-stage disclosure. NeuroPath Health is in early pilot phase. The documentation above reflects our current posture and commitments. Several formal artifacts — full Privacy Policy, Terms of Service, SOC 2 attestation, published SLA — are in active development. We publish this page transparently because we’d rather under-claim today and over-deliver at launch. For any institutional buyer, procurement review, or family with a specific concern, we’re available by email and happy to walk through our current program in detail.