// Trust & Security Report
Woebot Labs, Inc. (d/b/a Woebot Health)
AI-driven mental health / digital therapeutics platform, sold primarily B2B2C to employers and health plans, built on a proprietary conversational AI ('Woebot') delivered as a mobile/chat app; consumer access is currently gated behind an interest list rather than open self-signup.
Certifications held
4
Maturity
Growth
Trains on your data
Yes
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on woebothealth.com“Woebot Health obtained a SOC 2 Type 2 examination through AICPA, demonstrating appropriate controls in place for security, availability, confidentiality, and HIPAA adherence.”
Verify on woebothealth.com“All user data is treated as if it is protected under multiple global regulations, including HIPAA, whether it is legally classified as that or not. / Adheres to hospital-level security policies and procedures to protect sensitive user data, adhering to the HIPAA rules, including the Privacy and Security Rules.”
Verify on woebothealth.com“Procedures adhere to the standards required by GDPR and HIPAA; one of the safeguards we may use to support international transfer is the EU Standard Contractual Clauses.”
Verify on woebothealth.com“Woebot Health obtained certification under this framework, considered the most stringent framework for assessing privacy and security in digital health technologies, developed by ORCHA. ORCHA does not follow the Federal Food, Drug, and Cosmetic Act and therefore ORCHA certification does not denote clearance or approval by the U.S. Food and Drug Administration (FDA).”
> Show 5 unconfirmed / not-held certifications
source: woebothealth.comNo public evidence of ISO 27001 certification found on the vendor's security, achievements, or privacy pages, and no independent trust center listing it.
source: woebothealth.comNo public evidence of PCI DSS certification; not applicable as observed (no direct card-payment handling described on the security page).
source: woebothealth.comNo public evidence of ISO 42001 certification on any vendor-domain page.
source: woebothealth.comNo public evidence of CSA STAR registration or certification on any vendor-domain page.
source: woebothealth.comNo public evidence of FedRAMP authorization; not applicable to this consumer/enterprise digital health product as observed.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Not offered
Data region
United States (AWS and Google Cloud Platform, hosted in the US); EEA/Swiss/UK personal data transfers relies on EU Standard Contractual Clauses per the privacy policy.
Vendor states: 'We periodically review de-identified portions of conversations and compare the AI-suggested path to the path chosen by the user. When these paths diverge, we retrain our algorithms using the additional de-identified data.' Data used for retraining is described as de-identified, but no explicit user-facing opt-out toggle for this practice was found on the privacy policy or 'Our Approach to Privacy' page. As of July 31, 2025 the vendor states all account data is anonymized going forward. No separate/downloadable Data Processing Agreement (DPA) was found on the public site (enterprise customers likely negotiate this directly, but it is not published).
// Security controls
Hosting
Data hosted on Amazon Web Services (AWS) and Google Cloud Platform (GCP), located in the United States. Note: this is the cloud host's own SOC2/ISO posture, distinct from Woebot Health's own SOC 2 Type II examination cited above.
woebothealth.comAccess control
Personal data secured in a dedicated environment with strict controls around who and what can access it; employees access personal data only if required for their job duties; multi-factor authentication and deny-all/allow-by-exception network controls.
woebothealth.comThird-party assessment
Undergoes independent third-party assessments to test security and compliance controls, including independent third-party penetration testing at least annually.
woebothealth.comClinical/AI safety oversight
A Safety Assessment Committee of clinical, regulatory, and medical experts reviews data from clinical trials and post-market use; research is reviewed by an institutional review board (IRB).
woebothealth.com// Products & data scope
data: Conversational/chat data with the AI, treated as PHI-equivalent regardless of legal classification; sold to employers, health plans, and payers.
This is the vendor's primary current go-to-market; the homepage frames the company around this B2B channel.
data: Same conversational data as above.
As of the captured homepage, consumer access is gated behind a 'Join Interest List' call-to-action rather than open self-signup, suggesting the direct consumer product is limited or paused in favor of the enterprise channel.
// What to watch
- No dedicated trust center (no SafeBase/Vanta/Drata-style portal or downloadable SOC 2 report link); SOC 2 Type II claim is asserted only in vendor marketing copy on the Achievements page, not backed by a viewable report or third-party registry link.
- AI training on de-identified user conversation data has no visible user-facing opt-out; flag for privacy-sensitive mental-health use case.
- ORCHA/DHAF certification is a UK digital-health assessment framework, not an FDA clearance; the vendor itself discloses this distinction on its Achievements page, which is good practice, but AIFOXX listing copy must not conflate ORCHA certification with FDA approval or a security certification like SOC 2/ISO.
- No ISO 27001 or ISO 42001 (AI management system) evidence; do not list these as held.
- 'HIPAA' and 'GDPR' are compliance postures/legal frameworks self-asserted by the vendor, not third-party-audited certifications like SOC 2 — list them as posture statements, not certs, in UI copy.
- No published Data Processing Agreement (DPA) link found on the public site despite selling into health plans/employers who would typically require one; likely provided under enterprise contract but not publicly verifiable.
// At a glance
Pricing model
B2B / enterprise-negotiated (sold to employers and health plans); no public self-serve pricing found.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Woebot Labs, Inc. (d/b/a Woebot Health)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
woebothealth.com