// Trust & Security Report
Buoy Health, Inc.
AI-powered symptom checker and healthcare navigation platform. Primary product is Buoy Assistant, an AI chatbot for self-diagnosis, symptom triage, and care guidance based on user-reported symptoms.
Certifications held
1
Maturity
Growth
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on buoyhealth.com“Buoy is HITRUST-certified, which means we meet the highest standards for healthcare information protection. Earning this certification isn't easy, but this is about safety, and only the best will do.”
> Show 9 unconfirmed / not-held certifications
source: buoyhealth.comNo public evidence of SOC 2 certification found on vendor's website or trust resources.
source: buoyhealth.comNo public evidence of ISO 27001 certification found on vendor's website or trust resources.
source: buoyhealth.comHIPAA is a regulation, not a certification. The privacy policy acknowledges HIPAA and potential Business Associate status ('Buoy may qualify as a "Business Associate" (as defined by 45 C.F.R. 160.103) under the Health Insurance Portability and Accountability Act of 1996 as amended ("HIPAA")'), but no affirmative HIPAA-compliance attestation and no publicly offered Business Associate Agreement (BAA) were found on the vendor's website.
source: buoyhealth.comPrivacy policy explicitly states: 'Buoy is controlled and offered by us from the United States; accordingly, this Privacy Notice, and our collection, use and disclosure of your Personal Information, is governed by U.S. law.' No GDPR compliance mechanisms or adequacy documentation mentioned.
source: buoyhealth.comNo public evidence found for ISO 42001 or other AI governance certifications.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Not offered
Data region
United States only; company states service is controlled and offered from the U.S. No international data residency options or mechanisms described.
Privacy policy contains no disclosure of AI model training on customer data or opt-out mechanisms. Terms of Service grants Buoy 'a perpetual, irrevocable, worldwide, non-exclusive, royalty-free right to use Your Information in any manner determined solely by Buoy' (excluding HIPAA-protected info). No explicit opt-out for AI training purposes documented.
// Security controls
Encryption in Transit
Claimed but not specified. Policy states 'reasonable physical, technical, and administrative safeguards (such as firewalls, encryption, identity management, and intrusion prevention and detection)'.
buoyhealth.comData Residency
United States only. No details on specific cloud provider, data centers, or residency guarantees documented.
buoyhealth.comIncident Response
Security contact: security@buoyhealth.com. No public SLA or incident response policy published.
buoyhealth.comThird-Party Vendor Management
Policy notes 'Buoy cannot guarantee that any third party will protect the privacy of your Personal Information.' Shares data with unspecified third parties for support, analytics, fraud detection, and care coordination.
buoyhealth.comUnencrypted Text Messaging
Terms acknowledge: 'When you choose to send PHI through unencrypted text messages, you do so at your own risk.' This is a significant security gap for a healthcare product.
buoyhealth.com// Products & data scope
data: Health history, symptoms, location, demographics, employment/health plan data, device info, IP address
Core product: AI chatbot for symptom triage and healthcare navigation. Handles sensitive health information but no documented HIPAA compliance or BAA.
// What to watch
- HITRUST certification is from August 2020 (6+ years old) with no public renewal announcement found. HITRUST certifications typically require annual surveillance audits or periodic renewal; current validity status is unclear.
- The privacy policy acknowledges HIPAA and that Buoy 'may qualify as a Business Associate' under 45 C.F.R. 160.103, but stops short of an affirmative HIPAA-compliance attestation and does not publicly offer a signed Business Associate Agreement (BAA). Enterprise customers processing PHI would need to request a BAA directly.
- No SOC 2 Type 1 or Type 2 report publicly available—standard security baseline for enterprise health data vendors.
- Privacy policy explicitly excludes GDPR compliance: 'governed by U.S. law' with no mention of lawful international data transfer mechanisms (SCCs, adequacy decisions, etc.). This is a blocker for EU customer deployments.
- Terms of Service grant Buoy broad rights to use customer data: 'perpetual, irrevocable, worldwide, non-exclusive, royalty-free right to use Your Information in any manner determined solely by Buoy.' AI training implications not disclosed, and no opt-out mechanism documented.
- Privacy policy contains no disclosure or opt-out mechanism for training AI models on customer health data—a significant gap for a healthcare AI product.
- Liability capped at USD $100 in Terms of Service ('Under no circumstances will any or all Buoy Parties be liable to you for more than USD $100.00'). This is unusually restrictive for a product handling health data.
- No Data Processing Agreement (DPA) publicly available. Enterprise customers handling regulated data would typically require a signed DPA.
- Unencrypted text messaging acknowledged as user risk: 'When you choose to send PHI through unencrypted text messages, you do so at your own risk.' This puts security burden on users for a regulated product.
- Privacy policy states 'Buoy cannot guarantee that any third party will protect the privacy of your Personal Information'—insufficient contractual assurance for enterprise health data use.
- No public trust center, security documentation, or compliance audit reports available. Company relies on a single HITRUST certification from 2020 as primary trust signal.
// At a glance
Pricing model
Freemium consumer app with enterprise/B2B partnerships (Cigna, Optum, Humana investors). No public pricing tiers documented.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Buoy Health, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
buoyhealth.com