
Security
Last updated on: 23rd April 2026
ThinkDoHappy Inc. operates the hpy platform, which provides software services to licensed clinicians and handles sensitive information about their clients. Security is a foundational requirement of hpy's operations.
This page describes hpy's current security posture. Controls in production and programs in preparation are each identified. The page is updated as status changes.
Security Contact
For vulnerability reports, security concerns, BAA requests, and security questionnaires:
Response time: within one business day.
Compliance Posture
HIPAA
ThinkDoHappy Inc. operates as a Business Associate under HIPAA. The company's program includes:
A signed BAA with every customer prior to the upload of any PHI.
Signed BAAs with every subprocessor that may process PHI.
A designated HIPAA Security Officer and Privacy Officer.
Encryption of PHI at rest and in transit.
Access control, authentication, and logging consistent with the HIPAA Security Rule.
Documented incident response and breach notification procedures.
HIPAA documentation, including the risk assessment, written policies and procedures, and workforce training records, is being finalized in preparation for third-party attestation. Detailed documentation is made available to enterprise customers under NDA upon request.
SOC 2
ThinkDoHappy Inc. is preparing for a SOC 2 Type I audit. Controls are designed against the AICPA Trust Services Criteria for Security, Availability, and Confidentiality. The audit report will be published upon issuance.
ThinkDoHappy Inc. is not SOC 2 certified at this time. No claim of certification will be made prior to issuance of an audit report.
Infrastructure
Hosting: Amazon Web Services (AWS), us-east-1 (N. Virginia, United States)
Data residency: PHI is stored in the United States.
Encryption at rest: AES-256 across all data stores.
Encryption in transit: TLS 1.2 or higher on all public endpoints.
Tenancy: Multi-tenant application with logical isolation per customer account.
Backups: Daily automated backups, retained for seven days.
Data retention: Customer data is retained for 30 days after account termination, after which it is deleted, except where retention is required by the BAA, applicable law, or a legal hold.
Authentication and Access
Web platform: Passwordless login via time-limited magic link or one-time passcode (OTP) delivered to a verified email address. Reusable passwords are not stored.
HPY Mobile: SAML single sign-on (SSO) is supported for organizations that require it, in addition to magic link and OTP authentication.
Internal access: Multi-factor authentication is required on all staff systems. Production access is role-based, requested, approved, and reviewed periodically.
Least privilege: Staff access to PHI is limited to that required by the employee's role.
AI and Subprocessors
ThinkDoHappy Inc. uses third-party services to provide AI and transcription features. A Business Associate Agreement is maintained with every subprocessor in the PHI data path.
Data use and AI training. ThinkDoHappy Inc. does not use Customer Data to train any AI model, and Customer Data submitted through Viv is not used by ThinkDoHappy Inc.'s subprocessors to train their models. Audio recordings are never retained after processing. Only a diarized summary of the session is stored; raw transcripts are stored in encrypted form and are not post-processed or used for any secondary purpose. Protection is enforced at the infrastructure layer.
A current subprocessor list is available on request. Customers receive at least 30 days' notice of material subprocessor changes in accordance with the BAA.
Application Security
All production code changes undergo peer review.
Automated dependency and vulnerability scanning is integrated into CI.
Production deployments occur through CI/CD; direct pushes to main are prohibited.
Secrets are managed in AWS Secrets Manager and are not committed to source control.
Audit logs are retained for 365 days.
Workforce Security
All ThinkDoHappy Inc. employees complete HIPAA and security training on onboarding and annually thereafter.
Company-issued devices require full-disk encryption and enforced screen-lock.
Multi-factor authentication is required on all work accounts.
Access is revoked on role change or departure through a documented offboarding process.
Incident Response
The incident response plan is owned by the Security Officer (Anurag).
All security incidents are reported to the Security Officer within one hour of discovery.
Customers are notified of incidents affecting their data in accordance with the BAA and applicable law, no later than 60 days after discovery, and sooner where the BAA requires.
Report a security incident: anurag@thinkhpy.com
Current Gaps and Planned Controls
ThinkDoHappy Inc. discloses the following gaps in its current security program:
SOC 2 Type II report: Not yet available. SOC 2 Type I audit is in preparation; Type II follows the required observation period.
Independent penetration test: Planned; not yet performed. An attestation letter will be published upon completion.
Public bug bounty program: Not currently offered. Responsible disclosure may be submitted to anurag@thinkhpy.com. ThinkDoHappy Inc. will not pursue legal action against researchers acting in good faith under this policy.
This section is updated as status changes.
Privacy
Our collection, use, and disclosure of personal information are described in our Privacy Policy at https://thinkhpy.com/privacy, which is incorporated into these Terms by reference. The BAA governs PHI. To the extent of any conflict regarding PHI, the BAA controls.
Contact
Questions about these Terms?
General and legal inquiries: support@thinkhpy.com
Privacy questions: see https://thinkhpy.com/privacy
HIPAA / security questions: anurag@thinkhpy.com
ThinkDoHappy Inc., 14756 Via Mantova, San Diego, CA 92127, United States
For clarification on any provision of these Terms, contact support@thinkhpy.com.