// Trust & Security Report

    Touchkin eServices Private Limited / WYSA LTD logo

    Touchkin eServices Private Limited / WYSA LTD

    AI-powered mental health and wellbeing platform offering conversational AI support, self-care tools, and guided care pathways for individuals, employers, healthcare providers, and health systems. Core products: Wysa (freemium personal app), Wysa for Employers/Teams (employee wellbeing), Wysa for Healthcare (integrated care), Wysa Copilot (hybrid digital-human therapy), Kins (mental-physical health integration), Wysa Assure (HIPAA-compliant sessions).

    Certifications held

    8

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    ISO 27001:2022
    HELD

    Wysa states it 'comply[ies] and certify[ies] to global Information security and privacy standards; namely, ISO 27001 and ISO 27701'

    Verify on legal.wysa.io
    ISO 27701:2019
    HELD

    3rd party audited Information Security Management System (ISMS) and Privacy Information Management System (PIMS) certified for ISO 27001:2022 and ISO 27701:2019

    Verify on legal.wysa.io
    Cyber Essentials
    HELD

    Wysa is Cyber Essentials certified

    Verify on wysa.com
    DCB 0129 Clinical Risk Management Standard
    HELD

    Wysa was the first AI mental health app to meet NHS UK's DCB 0129 Standard of Clinical Safety. Wysa is compliant to DCB 0129 Clinical Risk Management Standard

    Verify on wysa.com
    NHS Digital Data Security and Protection (DSP) Toolkit
    HELD

    Wysa meets standards of NHS Digital Data Security and Protection (DSP) Toolkit

    Verify on wysa.com
    GDPR Compliance (organization-level)
    HELD

    Wysa acknowledges operating under data protection frameworks with Data Protection Officer, breach notification within 72 hours, and user rights including data access, correction, deletion, and portability

    Verify on legal.wysa.io
    ORCHA Approval
    HELD

    Wysa is a top ORCHA-approved app

    Verify on blogs.wysa.io
    Mozilla Foundation Best in Privacy Award
    HELD

    Wysa has been awarded the Best in Privacy by Mozilla Foundations for two consecutive years - 2022 and 2023

    Verify on mozillafoundation.org
    > Show 7 unconfirmed / not-held certifications
    SOC 2 Type 1
    NOT CONFIRMED

    No public evidence of SOC 2 certification found despite multiple searches of vendor domain and trust documentation

    SOC 2 Type 2
    NOT CONFIRMED

    No public evidence of SOC 2 certification found despite multiple searches of vendor domain and trust documentation

    HIPAA
    NOT CONFIRMED

    Privacy policy states servers are 'GDPR and HIPAA compliant' but this refers to AWS hosting compliance, not WYSA's own HIPAA certification or BAA eligibility. No evidence of WYSA being a HIPAA-certified covered entity or BAA signatory

    source: legal.wysa.io
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP certification

    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS certification

    ISO 27017
    NOT CONFIRMED

    No public evidence of ISO 27017 certification

    ISO 27018
    NOT CONFIRMED

    No public evidence of ISO 27018 certification

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    AWS infrastructure (specific regions not publicly disclosed)

    Wysa explicitly states conversation data is 'never stored at the LLM' and is 'not used as training data by the LLM'. However, Wysa does use anonymized conversation data to improve Wysa's own AI models. The company states it 'occasionally uses some anonymized messages to train Wysa's AI to help improve its ability to have conversations'. Personally identifiable information is redacted irreversibly within 24 hours if inadvertently submitted. All LLM-based prompts are designed and tested by clinicians.

    // Security controls

    Encryption in Transit

    Industry-standard TLS encryption protocols for data transmission from mobile devices to servers

    legal.wysa.io

    Encryption at Rest

    AES-256 encryption protocols for data stored within storage servers

    legal.wysa.io

    Data Processing

    Acts as both Processor and Sub-processor; maintains detailed service provider transparency documentation; deletes data when no longer needed per institutional agreements

    legal.wysa.io

    Infrastructure

    Hosted on Amazon Web Services (AWS) with multi-region operations across India, UK, and USA

    legal.wysa.io

    Access Controls

    Strong passwords and additional access codes required for data access

    legal.wysa.io

    Governance

    Chief Information Security Officer (CISO) and Clinical Safety Officer enforce security governance

    legal.wysa.io

    Clinical Safety

    AI never makes decisions independently; provides explainable, defensible support within clinical workflows; safety features detect urgent needs and escalate when appropriate

    wysa.com

    Data Handling

    Uses masked identifiers; removes personal details from conversation records; maintains separate privacy policies for research and institutional use

    legal.wysa.io

    // Products & data scope

    Wysa for IndividualsConsumer / B2C

    data: Conversation data, health/wellbeing questionnaire responses, safety plan data

    Freemium model ($74.99/year premium). No professional services engagement. Data may be anonymized for AI improvement.

    Wysa for Employers/TeamsB2B Employee Wellbeing

    data: Employee usage data, aggregated analytics, co-branded content delivery

    $50 per employee per year. DPA typically established with employer. Analytics dashboard provided.

    Wysa for Healthcare ProvidersB2B Healthcare

    data: Patient conversation data, clinical outcome data, referral workflows

    Integrated with care pathways; complies with NHS DSP and DCB 0129; BAA required for HIPAA-compliant sessions (Wysa Assure product)

    Wysa CopilotB2B Hybrid Care

    data: Patient-therapist collaboration data, clinical notes, session records

    Hybrid digital and human therapy platform; supports therapist-patient workflows

    Wysa Assure (HIPAA-Compliant Sessions)B2B Healthcare / Regulated

    data: HIPAA-regulated patient data with end-to-end encryption

    End-to-end encryption; adequate safeguards for privacy and security; requires BAA with healthcare organizations

    Kins (Physical Therapy Integration)B2B Healthcare

    data: Physical therapy patient data, mental health integration data

    Licensed clinicians deliver PT; Wysa's AI bridges physical and mental health

    Dreamkit (Rural Mental Health)B2B / Non-profit / Impact

    data: Limited to phygital (physical + digital) intervention data

    Combines physical workbooks with digital tools for adolescent girls in rural India; co-designed with local partners

    // What to watch

    • HIPAA compliance claim is ambiguous: Marketing materials claim 'HIPAA compliance' and 'HIPAA-compliant servers', but evidence shows Wysa uses AWS infrastructure that is HIPAA-compliant, not that Wysa itself holds HIPAA certification or is a BAA signatory. The Wysa Assure product provides end-to-end encryption for HIPAA-regulated sessions, but healthcare organizations would still need their own BAA. This is not an over-claim but should be clarified for procurement.
    • No public SOC 2 certification despite ISO 27001/27701 certifications. Enterprise customers may require SOC 2 attestation; contact Wysa directly for availability.
    • Data residency specifics not publicly disclosed. AWS regions hosting user data not specified on public trust/privacy documentation.
    • Anonymized data usage for AI training: While Wysa does NOT use LLM training on customer data, it does use anonymized messages to improve its own AI models. Organizations with strict data governance may want to opt-out or understand scope.
    • Multiple legal entities (Touchkin India, WYSA UK, Boston US) across three jurisdictions may complicate data processing agreements and liability.
    • No FedRAMP, PCI DSS, ISO 27017, or ISO 27018 certifications found. These may be required for specific regulated use cases.

    // At a glance

    Pricing model

    Freemium (individuals: $74.99/year premium); Subscription per user (employers: $50/employee/year); Custom enterprise pricing for healthcare and large deployments

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Touchkin eServices Private Limited / WYSA LTD's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    legal.wysa.io

    > Browse all vendor trust reports