Trust & security
1. Security posture at a glance
- HIPAA Business Associate — a BAA is signed with every practice (available on request).
- PHI encrypted in transit (TLS 1.3) and at rest (AES-256).
- Strict tenant isolation — each practice's data is separated at the database layer with PostgreSQL Row-Level Security, enforced by a constrained database role.
- Multi-factor authentication required for all users; passkeys (WebAuthn) supported.
- Tamper-evident audit trail — append-only, hash-chained, cryptographically signed, and verified daily.
- U.S. hosting on Aptible (AWS-backed), which maintains its own SOC 2 Type II and HITRUST.
2. Compliance & attestations
HIPAA
Willowcare LLC is a HIPAA Business Associate. We maintain a HIPAA Security Rule program — written security plan, an annual security risk assessment, a designated Security & Privacy Officer, an approved policy suite, an incident-response runbook, and breach-notification procedures — and we sign a BAA with each customer practice that defines our obligations for the PHI we process on their behalf.
SOC 2 — in progress (not yet certified)
We are pursuing a SOC 2 examination covering Security, Availability, and Confidentiality. Our readiness work — policies, evidence program, control automation, and a self-assessed controls gap analysis — is complete, and we are scheduling the independent Type I examination. We will share the report under NDA once it is issued. Until then we describe our actual controls rather than display a badge we have not earned.
Infrastructure attestations (inherited)
Our hosting provider, Aptible, holds SOC 2 Type II and HITRUST and provides the HIPAA-eligible, U.S.-based infrastructure (compute, managed PostgreSQL, encrypted object storage) that WillowBridge runs on.
3. Data protection
Encryption
All network traffic uses TLS 1.3 with HSTS. Data at rest is AES-256 encrypted. Particularly sensitive secrets (e.g., authenticator seeds and integration keys) receive an additional layer of authenticated AES-256-GCM encryption with versioned, rotatable keys. Passwords are stored with Argon2id.
Tenant isolation
Every practice ("tenant") is isolated at the database layer using PostgreSQL Row-Level Security. At runtime the application connects through a constrained role that cannot read across tenant boundaries, and an automated check in our build pipeline fails the release if any new data table is missing its isolation policy.
Access control
Access follows least-privilege and need-to-know with role-based permissions. MFA is mandatory; passkeys are supported. Internal access is limited, logged, and reviewed; sensitive document links are short-lived.
4. Audit & integrity
Access to PHI and security-relevant actions are recorded in an append-only audit log. Each entry is hash-chained to the previous one and cryptographically signed (Ed25519), so any tampering with history is detectable. The chain is verified automatically every night, and the log is exportable for your own audits and OIG/Joint-Commission defensibility.
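To make the hash-chaining and signing concrete, here is an added example in Go; it is not Willowcare's code (the page does not show its implementation), only an illustration of the construction the paragraph describes. Each entry commits to the previous entry's hash and is signed with Ed25519 from Go's standard library, and a verifier holding only the public key replays the chain the way a nightly check or an external auditor would. The field names, the genesis constant and the sample events are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Entry is one append-only audit record. Hash is SHA-256 over the entry's
// fields plus PrevHash (the chain link); Sig is an Ed25519 signature over Hash.
type Entry struct {
	Seq      uint64
	Actor    string
	Action   string
	Resource string
	PrevHash string
	Hash     string
	Sig      []byte
}

// genesisHash anchors the first entry (a constructed constant for this example).
const genesisHash = "0000000000000000000000000000000000000000000000000000000000000000"

// canonical serialises an entry deterministically; every field is length-prefixed
// so no choice of actor/resource string can shift a field boundary.
func canonical(e Entry) []byte {
	var b strings.Builder
	for _, f := range []string{fmt.Sprint(e.Seq), e.Actor, e.Action, e.Resource, e.PrevHash} {
		fmt.Fprintf(&b, "%d:%s|", len(f), f)
	}
	return []byte(b.String())
}

func digest(e Entry) []byte {
	sum := sha256.Sum256(canonical(e))
	return sum[:]
}

// Log holds the signing key (only the writer has it) and the entries.
type Log struct {
	priv    ed25519.PrivateKey
	Pub     ed25519.PublicKey
	Entries []Entry
}

func NewLog() (*Log, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Log{priv: priv, Pub: pub}, nil
}

// Append records an action, links it to the previous entry, and signs it.
func (l *Log) Append(actor, action, resource string) Entry {
	prev := genesisHash
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].Hash
	}
	e := Entry{Seq: uint64(len(l.Entries)) + 1, Actor: actor, Action: action, Resource: resource, PrevHash: prev}
	d := digest(e)
	e.Hash = hex.EncodeToString(d)
	e.Sig = ed25519.Sign(l.priv, d)
	l.Entries = append(l.Entries, e)
	return e
}

// Verify replays the chain with only the public key and returns the first
// inconsistency: a sequence gap, a broken link, altered content, or a bad signature.
func Verify(pub ed25519.PublicKey, entries []Entry) error {
	prev := genesisHash
	for i, e := range entries {
		if e.Seq != uint64(i)+1 {
			return fmt.Errorf("entry %d: sequence gap (got seq %d)", i+1, e.Seq)
		}
		if e.PrevHash != prev {
			return fmt.Errorf("entry %d: chain link broken", e.Seq)
		}
		d := digest(e)
		if hex.EncodeToString(d) != e.Hash {
			return fmt.Errorf("entry %d: content does not match its hash", e.Seq)
		}
		if !ed25519.Verify(pub, d, e.Sig) {
			return fmt.Errorf("entry %d: signature invalid (hash recomputed without the signing key)", e.Seq)
		}
		prev = e.Hash
	}
	return nil
}

func main() {
	l, err := NewLog()
	if err != nil {
		panic(err)
	}
	// Constructed sample events.
	l.Append("clinician@example", "view", "patient/42")
	l.Append("clinician@example", "update", "patient/42")
	l.Append("billing@example", "export", "invoice/7")
	fmt.Println("intact:", Verify(l.Pub, l.Entries))

	tampered := append([]Entry(nil), l.Entries...)
	tampered[1].Action = "delete" // rewrite history
	fmt.Println("edited content:", Verify(l.Pub, tampered))
	tampered[1].Hash = hex.EncodeToString(digest(tampered[1])) // hash fixed, but no key to re-sign
	fmt.Println("edited + rehashed:", Verify(l.Pub, tampered))
}
```

Editing an entry, or re-hashing it after editing, trips the check because whoever edits the stored log does not hold the signing key; dropping entries from the front breaks the sequence. The one change a chain cannot reveal on its own is silent truncation of the newest entries, since every prefix of a valid chain is itself valid. A verifier should therefore also compare the latest hash against a checkpoint recorded outside the database, and the signing key should live only with the log writer.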
5. Secure development
Security is built into our delivery pipeline. On every change we run:
- type checking, linting, and an automated test suite (including tenant-isolation tests);
- dependency vulnerability scanning (gating on high/critical) plus automated dependency updates;
- static application security testing (SAST) and secret scanning;
- a generated Software Bill of Materials (SBOM) for vulnerability response;
- an automated row-level-security coverage check that blocks any tenant table shipping without isolation.
Dynamic scanning (DAST) and an independent third-party penetration test are being performed as part of our SOC 2 Type I readiness; findings are tracked to closure.
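Here is an added Go example of the kind of gate described under Tenant isolation and in the pipeline list above. It is not the project's pipeline (the page does not show how its check is implemented): it scans a migration history for every table that carries a tenant_id column and fails unless that table has row-level security enabled and forced and at least one policy that actually references the tenant column. The migration text, the tenant_id column name and the app.tenant_id session setting are constructed assumptions; a production gate might instead query pg_class and pg_policy in a throwaway database, which this offline version avoids.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
	"sort"
	"strings"
)

// Finding is one isolation gap; any finding fails the build.
type Finding struct {
	Table, Problem string
}

var (
	reComment = regexp.MustCompile(`--[^\n]*`)
	reCreate  = regexp.MustCompile(`(?is)^CREATE\s+TABLE\s+(?:IF\s+NOT\s+EXISTS\s+)?"?(\w+)"?\s*\((.*)\)\s*$`)
	reAlter   = regexp.MustCompile(`(?is)^ALTER\s+TABLE\s+"?(\w+)"?\s+(ENABLE|FORCE)\s+ROW\s+LEVEL\s+SECURITY$`)
	rePolicy  = regexp.MustCompile(`(?is)^CREATE\s+POLICY\s+"?\w+"?\s+ON\s+"?(\w+)"?(.*)$`)
	// Heuristic: a policy that never names the tenant column cannot scope rows by tenant.
	reTenant = regexp.MustCompile(`(?i)\btenant_id\b`)
)

type tableState struct {
	tenantScoped, enabled, forced bool
	policies                      []string
}

// CheckIsolation scans a concatenated migration history (comments stripped,
// statements split on ';', unqualified table names assumed) and returns the
// tenant-scoped tables that are not isolated, sorted by table name.
func CheckIsolation(migrationSQL string) []Finding {
	tables := map[string]*tableState{}
	get := func(name string) *tableState {
		n := strings.ToLower(name)
		if tables[n] == nil {
			tables[n] = &tableState{}
		}
		return tables[n]
	}
	for _, raw := range strings.Split(reComment.ReplaceAllString(migrationSQL, ""), ";") {
		stmt := strings.TrimSpace(raw)
		if c := reCreate.FindStringSubmatch(stmt); c != nil {
			get(c[1]).tenantScoped = reTenant.MatchString(c[2]) // has a tenant_id column?
		} else if a := reAlter.FindStringSubmatch(stmt); a != nil {
			st := get(a[1])
			if strings.EqualFold(a[2], "ENABLE") {
				st.enabled = true
			} else {
				st.forced = true
			}
		} else if p := rePolicy.FindStringSubmatch(stmt); p != nil {
			st := get(p[1])
			st.policies = append(st.policies, p[2])
		}
	}
	var out []Finding
	for name, st := range tables {
		if !st.tenantScoped {
			continue // shared reference data without a tenant column is exempt
		}
		scoped := false
		for _, p := range st.policies {
			scoped = scoped || reTenant.MatchString(p)
		}
		switch {
		case !st.enabled:
			out = append(out, Finding{name, "row-level security not enabled"})
		case len(st.policies) == 0:
			out = append(out, Finding{name, "no policy"})
		case !scoped:
			out = append(out, Finding{name, "policy does not reference tenant_id"})
		case !st.forced:
			out = append(out, Finding{name, "not forced: table owner bypasses the policy"})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Table < out[j].Table })
	return out
}

// Constructed sample migration history (not the product's schema).
const sampleMigrations = `
CREATE TABLE patients (id uuid PRIMARY KEY, tenant_id uuid NOT NULL, display_name text);
ALTER TABLE patients ENABLE ROW LEVEL SECURITY;
ALTER TABLE patients FORCE ROW LEVEL SECURITY;
CREATE POLICY tenant_isolation ON patients USING (tenant_id = current_setting('app.tenant_id')::uuid);
CREATE TABLE invoices (id uuid PRIMARY KEY, tenant_id uuid NOT NULL, amount_cents bigint);
ALTER TABLE invoices ENABLE ROW LEVEL SECURITY; -- policy forgotten
CREATE TABLE appointments (id uuid PRIMARY KEY, tenant_id uuid NOT NULL, starts_at timestamptz);
ALTER TABLE appointments ENABLE ROW LEVEL SECURITY;
CREATE POLICY open_for_now ON appointments USING (true); -- hollow policy
CREATE TABLE icd10_codes (code text PRIMARY KEY, description text); -- shared reference data, exempt
`

func main() {
	findings := CheckIsolation(sampleMigrations)
	for _, f := range findings {
		fmt.Printf("FAIL %s: %s\n", f.Table, f.Problem)
	}
	if len(findings) > 0 {
		os.Exit(1) // block the release
	}
	fmt.Println("all tenant tables isolated")
}
```

Run against the sample, the gate reports invoices (RLS enabled but no policy) and appointments (a policy that scopes nothing), while icd10_codes is ignored because it has no tenant column. The FORCE check matters because PostgreSQL exempts a table's owner from its policies unless forced, so a runtime role that happens to own tables would otherwise see every tenant's rows; the constrained role the page describes is the other half of that control.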
6. Availability & resilience
Target availability is 99.9% per month (excluding scheduled maintenance), with a recovery-time objective of 4 hours and a recovery-point objective of 1 hour. The database supports point-in-time recovery and object storage is versioned; recovery procedures are documented and tested with restore drills. Operational status is published at status.willowbridge.app.
7. Subprocessors
We use a small set of vetted subprocessors; each that may touch PHI is covered by a BAA. The current list:
- Aptible — hosting, managed database, object storage (U.S.).
- Sentry — error monitoring (PHI scrubbed before transmission).
- Email provider — transactional email (no PHI in message bodies).
- Direct (HISP) — secure clinical document exchange to EMRs.
- Stripe — subscription billing (no PHI).
We provide advance notice of material subprocessor changes as set out in the BAA.
8. Your data & ownership
Your practice owns its data. You can export patient and billing records at any time (PDF, C-CDA, and structured formats). On termination, we provide a 90-day window to extract data, then securely destroy it and certify the destruction, as defined in the BAA.
9. Reporting a vulnerability
We welcome good-faith security research. If you believe you have found a vulnerability, email [email protected] with details and reproduction steps. Please do not access data that is not yours and give us a reasonable chance to remediate before any disclosure. We acknowledge reports promptly and will keep you updated on the fix.
10. Documentation on request
Under an NDA (and/or an executed BAA), we can share:
- the HIPAA Security Plan and policy-suite summary;
- the current security risk-assessment summary;
- the subprocessor list and SBOM;
- the penetration-test attestation (once available);
- the SOC 2 report (once issued).
11. Contact
- Security — [email protected]
- Privacy — [email protected]
- General — [email protected]