// Trust & Security Report

    Buoy Health, Inc. logo

    Buoy Health, Inc.

    AI-powered symptom checker and healthcare navigation platform. Primary product is Buoy Assistant, an AI chatbot for self-diagnosis, symptom triage, and care guidance based on user-reported symptoms.

    Certifications held

    1

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    HITRUST CSF Certified
    HELD

    Buoy is HITRUST-certified, which means we meet the highest standards for healthcare information protection. Earning this certification isn't easy, but this is about safety, and only the best will do.

    Verify on buoyhealth.com
    > Show 9 unconfirmed / not-held certifications
    SOC 2 Type 1 or Type 2
    NOT CONFIRMED

    No public evidence of SOC 2 certification found on vendor's website or trust resources.

    source: buoyhealth.com
    ISO 27001
    NOT CONFIRMED

    No public evidence of ISO 27001 certification found on vendor's website or trust resources.

    source: buoyhealth.com
    HIPAA Compliance
    NOT CONFIRMED

    HIPAA is a regulation, not a certification. The privacy policy acknowledges HIPAA and potential Business Associate status ('Buoy may qualify as a "Business Associate" (as defined by 45 C.F.R. 160.103) under the Health Insurance Portability and Accountability Act of 1996 as amended ("HIPAA")'), but no affirmative HIPAA-compliance attestation and no publicly offered Business Associate Agreement (BAA) were found on the vendor's website.

    source: buoyhealth.com
    GDPR Compliance
    NOT CONFIRMED

    Privacy policy explicitly states: 'Buoy is controlled and offered by us from the United States; accordingly, this Privacy Notice, and our collection, use and disclosure of your Personal Information, is governed by U.S. law.' No GDPR compliance mechanisms or adequacy documentation mentioned.

    source: buoyhealth.com
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization found.

    source: buoyhealth.com
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS compliance found.

    source: buoyhealth.com
    ISO 27017 / ISO 27018
    NOT CONFIRMED

    No public evidence found.

    source: buoyhealth.com
    ISO/IEC 42001 (AI Governance)
    NOT CONFIRMED

    No public evidence found for ISO 42001 or other AI governance certifications.

    source: buoyhealth.com
    CSA STAR
    NOT CONFIRMED

    No public evidence found.

    source: buoyhealth.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Not offered

    Data region

    United States only; company states service is controlled and offered from the U.S. No international data residency options or mechanisms described.

    Privacy policy contains no disclosure of AI model training on customer data or opt-out mechanisms. Terms of Service grants Buoy 'a perpetual, irrevocable, worldwide, non-exclusive, royalty-free right to use Your Information in any manner determined solely by Buoy' (excluding HIPAA-protected info). No explicit opt-out for AI training purposes documented.

    // Security controls

    Encryption in Transit

    Claimed but not specified. Policy states 'reasonable physical, technical, and administrative safeguards (such as firewalls, encryption, identity management, and intrusion prevention and detection)'.

    buoyhealth.com

    Encryption at Rest

    Not explicitly documented.

    buoyhealth.com

    Data Residency

    United States only. No details on specific cloud provider, data centers, or residency guarantees documented.

    buoyhealth.com

    Incident Response

    Security contact: security@buoyhealth.com. No public SLA or incident response policy published.

    buoyhealth.com

    Third-Party Vendor Management

    Policy notes 'Buoy cannot guarantee that any third party will protect the privacy of your Personal Information.' Shares data with unspecified third parties for support, analytics, fraud detection, and care coordination.

    buoyhealth.com

    Unencrypted Text Messaging

    Terms acknowledge: 'When you choose to send PHI through unencrypted text messages, you do so at your own risk.' This is a significant security gap for a healthcare product.

    buoyhealth.com

    // Products & data scope

    Buoy Assistant (Web & Mobile)AI Symptom Checker / Care Navigation

    data: Health history, symptoms, location, demographics, employment/health plan data, device info, IP address

    Core product: AI chatbot for symptom triage and healthcare navigation. Handles sensitive health information but no documented HIPAA compliance or BAA.

    // What to watch

    • HITRUST certification is from August 2020 (6+ years old) with no public renewal announcement found. HITRUST certifications typically require annual surveillance audits or periodic renewal; current validity status is unclear.
    • The privacy policy acknowledges HIPAA and that Buoy 'may qualify as a Business Associate' under 45 C.F.R. 160.103, but stops short of an affirmative HIPAA-compliance attestation and does not publicly offer a signed Business Associate Agreement (BAA). Enterprise customers processing PHI would need to request a BAA directly.
    • No SOC 2 Type 1 or Type 2 report publicly available—standard security baseline for enterprise health data vendors.
    • Privacy policy explicitly excludes GDPR compliance: 'governed by U.S. law' with no mention of lawful international data transfer mechanisms (SCCs, adequacy decisions, etc.). This is a blocker for EU customer deployments.
    • Terms of Service grant Buoy broad rights to use customer data: 'perpetual, irrevocable, worldwide, non-exclusive, royalty-free right to use Your Information in any manner determined solely by Buoy.' AI training implications not disclosed, and no opt-out mechanism documented.
    • Privacy policy contains no disclosure or opt-out mechanism for training AI models on customer health data—a significant gap for a healthcare AI product.
    • Liability capped at USD $100 in Terms of Service ('Under no circumstances will any or all Buoy Parties be liable to you for more than USD $100.00'). This is unusually restrictive for a product handling health data.
    • No Data Processing Agreement (DPA) publicly available. Enterprise customers handling regulated data would typically require a signed DPA.
    • Unencrypted text messaging acknowledged as user risk: 'When you choose to send PHI through unencrypted text messages, you do so at your own risk.' This puts security burden on users for a regulated product.
    • Privacy policy states 'Buoy cannot guarantee that any third party will protect the privacy of your Personal Information'—insufficient contractual assurance for enterprise health data use.
    • No public trust center, security documentation, or compliance audit reports available. Company relies on a single HITRUST certification from 2020 as primary trust signal.

    // At a glance

    Pricing model

    Freemium consumer app with enterprise/B2B partnerships (Cigna, Optum, Humana investors). No public pricing tiers documented.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Buoy Health, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    buoyhealth.com

    > Browse all vendor trust reports