Log InSign Up

Security - we take it seriously.

At SpeechFit, safety is one of our core values and we go to great lengths to keep you and your data safe. Below you will find some of the things we do to keep your data safe, along with frequently asked questions. Contact us if you would like to know more.

Contact Us

Bank-Grade IT Security

You trust us with your data; it is our responsibility to govern it wisely. That is why your data is protected by bank-grade security.


When it comes to handling Personally-Identifiable Information and Private Health Information, SpeechFit supports and adheres to the Australian Privacy Principles as set out by the Office of the Information Commissioner (OAIC).

SpeechFit is HIPAA-compliant. As covered entities, clinics who join SpeechFit agree to our BAA.

Infrastructure Certifications

SpeechFit is built on infrastructure that has been tested and validated by third-party auditors across ISO, PCI, SOC, and other certifications.

  • SOC 1/ISAE 3402, SOC 2, SOC 3


  • PCI DSS Level 1

  • ISO 9001, ISO 27001, ISO 27017, ISO 27018



Encryption at Rest

All data that is consumed or produced by the application or our cloud-based infrastructure is encrypted at rest.

Encryption in Transmission

When transmitting data between the application and our cloud-based infrastructure, we utilise 256-AES encryption and all API connections use SSL.

256-AES encryption is the only publicly accessible cipher that is approved by the NSA (National Security Agency) for encrypting top secret documents.

API-Level Security

We use cutting-edge technologies to eliminate data risk. No users can access your data without you first granting permissions - this is enforced at numerous levels. Unauthenticated access to our API is not available.

Each request to our API is signed with a single-use cryptographic hash. Our API then uses several randomly-generated unique identifiers that must resolve against your sharing settings before access to your data is granted. Furthermore, each piece of data may have different permissions, ensuring that only what you want your clinician (or client) to see is available to be queried. This is in addition to the numerous protections we include before making requests.

We do not use API keys, preferring JSON Web Tokens, a technology allowing transmission of data between parties in a way that requests can be signed, and any tampering during transmission can be identified once received. Apple authenticates their APIs with JSON Web Tokens. We use JWTs where other methods are not suitable.

Stripe's verification API ensures that your services are provisioned regularly without risk of interference.

Database Design

Our database structure, and the hosting thereof, adheres to the strictest standards of data security.

Best Practices in Application Design

We have architected the application in line with best practices in regard to data security, interfacing with APIs, persisting information such as cookies (we don't store PII in cookies or rely on cookies to run the application), maintaining timeout limits, and a number of other protections geared around ensuring that, if you are using a device with multiple users, your data will not be compromised when another user logs on to the device.


Access to our third party providers are protected by 2FA.

Clinician accounts can turn on 2FA before they invite their first client. Clients may also turn on 2FA.

Please note: if you are signing in with Google, 2FA is handled by Google. Any Google 2FA settings will apply when logging in to SpeechFit with Google.

Culture & Personnel

Security runs in the culture. As such, we select individuals who demonstrate congruence with our culture of safety and security, not only before we begin working with them, but throughout the duration of our association.

Below you will find some of the things we do to promote a culture of safety and security at SpeechFit.

Background Checks

Background checks and National Police Checks are mandatory for all employees, contractors or associates who may, at any time, handle your personal information, or have access to our IT systems. This includes software engineers, marketing personnel who may see limited personal information such as your name and email address, and customer success personnel who may need to access basic, account-level details to provide assistance.

While SpeechFit has no physical presence within clinics at this time, if at any time SpeechFit were to provide services that would require an employee, contractor, or associate to enter a clinic or be in the vicinity of children, Working with Children Checks would be additionally mandatory.


Even though we invest in keeping you and your data safe, SpeechFit remains prepared. This involves:

  • Data Breach Preparedness Plan

  • Regular Security Audits

  • Exit Procedures for Employees, Contractors and Associates

  • All Employees are required to undergo security training at least once a year


When we say, reach out to us with any questions, we mean it! Let us know if there is anything we can answer for you.

Frequently Asked Questions

For customers in Australia and New Zealand, your data is hosted in Melbourne and Sydney. For customers in the USA, your data is hosted in Ohio. For customers in Canada, your data is hosted in Montreal. For customers in the UK, your data is hosted in London and Ireland. All other customers have their data hosted in the closest data centre.

No. SpeechFit has never had a data breach.

You certainly may! Email us at hello@speechfit.io. Not only would we be happy to do so, it is your right under the Australian Privacy Principles.

Yes! Just email us at hello@speechfit.io. Please bear in mind that, if your data is deleted and there is no backup, it will be gone forever.

Email us at hello@speechfit.io. We take your concerns seriously and will get back to you as soon as possible.

Still have a question?

Footer ornament

Get Started for Free

No Credit Card Required.

download speechfit on the app store