Trust Center — Willowcare

On SOC 2: honest posture

We're pursuing SOC 2 at the company level. Readiness work — policies, evidence program and control automation — is in place; the independent examination is being scheduled. We will not display a badge until the report is issued.

Our posture

What's in place

SOC 2

In progress

An examination covering Security, Availability and Confidentiality is being scheduled across Willowcare and both products. We publish no badge until the report is issued.

HIPAA

Active

Security Rule program with a designated Security & Privacy Officer; BAAs in place with every Willowbridge practice.

Encryption

By design

TLS 1.2+ in transit and AES-256 at rest, with managed key rotation.

Hosting & isolation

By design

U.S.-based hosting with strict per-tenant isolation and mandatory MFA on all administrative access.

100%

U.S.-hosted, encrypted in transit & at rest

SOC 2 in progress

Company-wide examination underway

0

PHI stored by TenorMD — anonymous by design

Per product

How each product handles data

Willowbridge

Operates as a HIPAA Business Associate and signs a BAA with every practice. PHI is encrypted, tenant-isolated, and access is logged and least-privilege. Care-time records are tamper-evident to support billing review and audit.

TenorMD

Built to hold no PHI. Feedback is anonymous by design and aggregated to protect respondents. A BAA is available on request for organizations that prefer one.

Subprocessors

Who we rely on

A representative register of the infrastructure providers behind the products. The full, current list is available on request.

Provider	Notes	Purpose
Cloud hosting	U.S. region · SOC 2 / HITRUST	Infrastructure
Managed database	Encrypted, U.S. region	Data storage
Error monitoring	PHI-scrubbed events	Observability
Transactional email	No PHI in message bodies	Notifications

Request our security packet → Back to overview