Security by design, not by afterthought.
Grace is built for Canadian mental health practices that need privacy, data security, and regulatory alignment woven into every layer of the platform, not bolted on after the fact.
Encryption at rest and in transit, Canadian data residency, granular access controls, and audit logging: everything is in place so you can focus on your clients.
Transparency. Accountability. Trust.
Our trust pillars
Every aspect of Grace is designed to meet the highest standards for Canadian mental health practice.
Security & Compliance
Full encryption at rest and in transit, role-based access controls, immutable audit logs, and SOC 2 Type II readiness.
Canadian Health Privacy
Grace is designed to support the requirements of Canadian health privacy legislation, including PHIPA (Ontario), PIPEDA (federal), Law 25 (Quebec), and other provincial frameworks.
Canadian Data Residency
All health data is hosted in Canadian data centers. No US CLOUD Act exposure. Data sovereignty maintained.
Privacy Policy
Read our detailed privacy policy covering how we collect, use, and protect personal information.
Our security commitments
The concrete measures we take to protect your client data at every step.
Full encryption
Full encryption for data at rest and in transit. Encryption keys are securely managed and rotated regularly.
SOC 2 Type II readiness
Our infrastructure and processes are designed against SOC 2 trust criteria: security, availability, processing integrity, confidentiality, and privacy.
Data stays in Canada
Primary hosting in the Montreal region (Canada). No health data crosses the border. No exposure to the US CLOUD Act.
Breach response commitment
Grace has documented incident response protocols. Notification requirements vary by jurisdiction: PIPEDA requires notification "as soon as feasible" with 24-month breach record retention, Quebec's Law 25 requires notification within 72 hours, and PHIPA requires notification to the IPC.
Regulatory approach
Designed to support Canadian health privacy legislation
Grace isn't a generic tool with a compliance layer bolted on. The platform is built from the ground up with the requirements of PHIPA (Ontario), PIPEDA (federal), Law 25 (Quebec), and other provincial frameworks as a foundational design guide.
From informed consent and access controls to audit logging and data residency, every feature is designed to help mental health professionals meet their obligations across all provinces.
Informed consent
Built-in consent workflows for the collection and use of personal health information.
Access controls
Role-based access following the least-privilege principle to protect client records.
Audit logging
Immutable logging of every access and modification to personal health information.
Breach notification
Incident response protocols and notification procedures aligned with legal requirements, with 24-month breach record retention.
Data portability
Designed to support data portability requests under PIPEDA's mobility framework and Quebec's Law 25.
Ready to see Grace in action?
See how Grace can help your practice meet its health data privacy and security obligations.