Security
How my-cbt is built, where the data lives, and what we never touch.
Where the data lives
Your portal runs on Cloudflare’s global infrastructure. Each portal has its own isolated database, scoped to your domain. Client records, worksheet entries, notes, and bookings live there.
What we have access to
The software, the build pipeline, and operational logs (request rates, errors, performance). We do not have a query path into your client data. Application logs strip personally identifiable information before they reach us.
Encryption
- TLS 1.3 in transit
- At-rest encryption on the underlying storage
- Backups encrypted with the same scope as the live database
Authentication
Therapists log in with email and password plus optional two-factor. Clients log in with the method you choose: email magic link, password, or anonymous case-number login.
Backups
Daily snapshots, retained 30 days. One-click manual backup at any time, downloaded directly to your machine.
Data export and deletion
Full export at any time, in PDF or structured JSON. Bulk delete with two-step confirmation. We do not retain a copy after deletion.
Reporting an issue
If you find a security issue, email support@my-cbt.com with the subject line security. We respond within one business day.