hpy - The Future of Therapy is Still Human

Security

Last updated on: 23rd April 2026

ThinkDoHappy Inc. operates the hpy platform, which provides software services to licensed clinicians and handles sensitive information about their clients. Security is a foundational requirement of hpy's operations.

This page describes hpy's current security posture. Controls in production and programs in preparation are each identified. The page is updated as status changes.

Security Contact

For vulnerability reports, security concerns, BAA requests, and security questionnaires:

security@thinkhpy.com

Response time: within one business day.

Compliance Posture

HIPAA

ThinkDoHappy Inc. operates as a Business Associate under HIPAA. The company's program includes:

  1. A signed BAA with every customer prior to the upload of any PHI.

  2. Signed BAAs with every subprocessor that may process PHI.

  3. A designated HIPAA Security Officer and Privacy Officer.

  4. Encryption of PHI at rest and in transit.

  5. Access control, authentication, and logging consistent with the HIPAA Security Rule.

  6. Documented incident response and breach notification procedures.

HIPAA documentation, including the risk assessment, written policies and procedures, and workforce training records, is being finalized in preparation for third-party attestation. Detailed documentation is made available to enterprise customers under NDA upon request.

SOC 2

ThinkDoHappy Inc. is preparing for SOC 2 Type I audit. Controls are designed against the AICPA Trust Services Criteria for Security, Availability, and Confidentiality. The audit report will be published upon issuance.

ThinkDoHappy Inc. is not SOC 2 certified at this time. No claim of certification will be made prior to issuance of an audit report.

Infrastructure

Hosting: Amazon Web Services (AWS), us-east-1 (N. Virginia, United States)

  • Data residency: PHI is stored in the United States.

  • Encryption at rest: AES-256 across all data stores.

  • Encryption in transit: TLS 1.2 or higher on all public endpoints.

  • Tenancy: Multi-tenant application with logical isolation per customer account.

  • Backups: Daily automated backups, retained for seven days.

  • Data retention: Customer data is retained for 30 days after account termination, after which it is deleted, except where retention is required by the BAA, applicable law, or a legal hold.

Authentication and Access

  • Web platform: Passwordless login via time-limited magic link or one-time passcode (OTP) delivered to a verified email address. Reusable passwords are not stored.

  • HPY Mobile: SAML single sign-on (SSO) is supported for organizations that require it, in addition to magic link and OTP authentication.

  • Internal access: Multi-factor authentication is required on all staff systems. Production access is role-based, requested, approved, and reviewed periodically.

  • Least privilege: Staff access to PHI is limited to that required by the employee's role.

AI and Subprocessors

ThinkDoHappy Inc. uses third-party services to provide AI and transcription features. A Business Associate Agreement is maintained with every subprocessor in the PHI data path.

Data use and AI training. ThinkDoHappy Inc. does not use Customer Data to train any AI model, and Customer Data submitted through Viv is not used by ThinkDoHappy Inc.'s subprocessors to train their models. Audio recordings are never retained after processing. Only a diarized summary of the session is stored; raw transcripts are stored in encrypted form and are not post-processed or used for any secondary purpose. Protection is enforced at the infrastructure layer.

A current subprocessor list is available on request. Customers receive at least 30 days' notice of material subprocessor changes in accordance with the BAA.

Application Security

All production code changes undergo peer review.

  • Automated dependency and vulnerability scanning is integrated into CI.

  • Production deployments occur through CI/CD; direct pushes to main are prohibited.

  • Secrets are managed in AWS Secrets Manager and are not committed to source control.

  • Audit logs are retained for 365 days.

Responsible disclosure

ThinkDoHappy Inc. welcomes reports from security researchers who identify vulnerabilities in the hpy platform. This policy describes how to report a vulnerability and the commitments ThinkDoHappy Inc. makes in return.

Reporting

Submit reports to security@thinkhpy.com. Include a description of the vulnerability, the affected asset, steps to reproduce, and any supporting evidence. PGP key available on request.

Response commitments

  • Acknowledgement of receipt within 2 business days.

  • Initial triage and severity assessment within 5 business days.

  • Status updates at least every 14 days until resolution.

  • Public credit on request, where the researcher consents.

Scope

In scope:

  • thinkhpy.com and *.thinkhpy.com

  • web.thinkhpy.com (hpy web platform)

  • HPY Mobile applications (iOS and Android)

  • Public APIs documented at the above domains

Out of scope:

  • Third-party services and subprocessors (report to the relevant vendor)

  • Social engineering of ThinkDoHappy Inc. employees, contractors, customers, or end users

  • Physical attacks against ThinkDoHappy Inc. property or personnel

  • Denial-of-service or volumetric attacks

  • Automated scanning that generates significant traffic against production systems

  • Findings limited to missing security headers, SPF/DKIM/DMARC configuration, or theoretical issues without demonstrable impact

Rules of engagement

  • Do not access, modify, retain, or disclose Protected Health Information (PHI) or any personal data belonging to other users. If you encounter PHI in the course of testing, stop immediately and report.

  • Do not test with accounts other than your own. Test accounts on a non-production environment can be requested by emailing security@thinkhpy.com.

  • Do not perform testing that degrades, disrupts, or denies service to other users.

  • Do not exfiltrate any data. A proof-of-concept that demonstrates the vulnerability is sufficient.

  • Provide ThinkDoHappy Inc. a reasonable period to investigate and remediate before any public disclosure. We target 90 days from initial report; extensions may be agreed in writing for complex issues.

Safe harbor

ThinkDoHappy Inc. considers security research and vulnerability disclosure activities conducted in good faith and in accordance with this policy to be authorized conduct. ThinkDoHappy Inc. will not pursue or support civil or criminal action against researchers for activities that:

  • Comply with this policy;

  • Avoid privacy violations, destruction of data, and disruption of service;

  • Are limited to the scope defined above; and

  • Cease and report immediately upon any inadvertent access to PHI or other sensitive data.

This policy does not authorize action that would violate applicable law, and does not bind third parties. If legal action is initiated against a researcher who has complied with this policy, ThinkDoHappy Inc. will take steps to make it known that the activity was authorized.

Recognition

ThinkDoHappy Inc. does not currently operate a paid bug bounty program. Researchers who submit valid, in-scope reports may, at their option, be acknowledged on this page.

Workforce Security

All ThinkDoHappy Inc. employees complete HIPAA and security training on onboarding and annually thereafter.

  • Company-issued devices require full-disk encryption and enforced screen-lock.

  • Multi-factor authentication is required on all work accounts.

  • Access is revoked on role change or departure through a documented offboarding process.

Incident Response

  1. The incident response plan is owned by the Security Officer (Anurag).

  2. All security incidents are reported to the Security Officer within one hour of discovery.

  3. Customers are notified of incidents affecting their data in accordance with the BAA and applicable law, no later than 60 days after discovery, and sooner where the BAA requires.

Report a security incident: security@thinkhpy.com

Current Gaps and Planned Controls

ThinkDoHappy Inc. discloses the following gaps in its current security program:

  1. SOC 2 Type II report: Not yet available. SOC 2 Type I audit is in preparation; Type II follows the required observation period.

  2. Independent penetration test: Planned; not yet performed. An attestation letter will be published upon completion.

  3. Public bug bounty program: Not currently offered. A responsible disclosure program with safe harbor is published at /security.

This section is updated as status changes.

Privacy

Our collection, use, and disclosure of personal information are described in our Privacy Policy at https://thinkhpy.com/privacy, which is incorporated into these Terms by reference. The BAA governs PHI. To the extent of any conflict regarding PHI, the BAA controls.

Contact

Questions about these Terms?

  1. General and legal inquiries: support@thinkhpy.com

  2. Privacy questions: see https://thinkhpy.com/privacy

  3. HIPAA / security questions: anurag@thinkhpy.com

ThinkDoHappy Inc., 14756 Via Mantova, San Diego, CA 92127, United States

For clarification on any provision of these Terms, contact support@thinkhpy.com.