// Trust & Security Report
Touchkin eServices Private Limited / WYSA LTD
AI-powered mental health and wellbeing platform offering conversational AI support, self-care tools, and guided care pathways for individuals, employers, healthcare providers, and health systems. Core products: Wysa (freemium personal app), Wysa for Employers/Teams (employee wellbeing), Wysa for Healthcare (integrated care), Wysa Copilot (hybrid digital-human therapy), Kins (mental-physical health integration), Wysa Assure (HIPAA-compliant sessions).
Certifications held
8
Maturity
Growth
Trains on your data
No
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on legal.wysa.io“Wysa states it 'comply[ies] and certify[ies] to global Information security and privacy standards; namely, ISO 27001 and ISO 27701'”
Verify on legal.wysa.io“3rd party audited Information Security Management System (ISMS) and Privacy Information Management System (PIMS) certified for ISO 27001:2022 and ISO 27701:2019”
Verify on wysa.com“Wysa was the first AI mental health app to meet NHS UK's DCB 0129 Standard of Clinical Safety. Wysa is compliant to DCB 0129 Clinical Risk Management Standard”
Verify on wysa.com“Wysa meets standards of NHS Digital Data Security and Protection (DSP) Toolkit”
Verify on legal.wysa.io“Wysa acknowledges operating under data protection frameworks with Data Protection Officer, breach notification within 72 hours, and user rights including data access, correction, deletion, and portability”
Verify on mozillafoundation.org“Wysa has been awarded the Best in Privacy by Mozilla Foundations for two consecutive years - 2022 and 2023”
> Show 7 unconfirmed / not-held certifications
No public evidence of SOC 2 certification found despite multiple searches of vendor domain and trust documentation
No public evidence of SOC 2 certification found despite multiple searches of vendor domain and trust documentation
source: legal.wysa.ioPrivacy policy states servers are 'GDPR and HIPAA compliant' but this refers to AWS hosting compliance, not WYSA's own HIPAA certification or BAA eligibility. No evidence of WYSA being a HIPAA-certified covered entity or BAA signatory
No public evidence of FedRAMP certification
No public evidence of PCI DSS certification
No public evidence of ISO 27017 certification
No public evidence of ISO 27018 certification
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
AWS infrastructure (specific regions not publicly disclosed)
Wysa explicitly states conversation data is 'never stored at the LLM' and is 'not used as training data by the LLM'. However, Wysa does use anonymized conversation data to improve Wysa's own AI models. The company states it 'occasionally uses some anonymized messages to train Wysa's AI to help improve its ability to have conversations'. Personally identifiable information is redacted irreversibly within 24 hours if inadvertently submitted. All LLM-based prompts are designed and tested by clinicians.
// Security controls
Encryption in Transit
Industry-standard TLS encryption protocols for data transmission from mobile devices to servers
legal.wysa.ioData Processing
Acts as both Processor and Sub-processor; maintains detailed service provider transparency documentation; deletes data when no longer needed per institutional agreements
legal.wysa.ioInfrastructure
Hosted on Amazon Web Services (AWS) with multi-region operations across India, UK, and USA
legal.wysa.ioGovernance
Chief Information Security Officer (CISO) and Clinical Safety Officer enforce security governance
legal.wysa.ioClinical Safety
AI never makes decisions independently; provides explainable, defensible support within clinical workflows; safety features detect urgent needs and escalate when appropriate
wysa.comData Handling
Uses masked identifiers; removes personal details from conversation records; maintains separate privacy policies for research and institutional use
legal.wysa.io// Products & data scope
data: Conversation data, health/wellbeing questionnaire responses, safety plan data
Freemium model ($74.99/year premium). No professional services engagement. Data may be anonymized for AI improvement.
data: Employee usage data, aggregated analytics, co-branded content delivery
$50 per employee per year. DPA typically established with employer. Analytics dashboard provided.
data: Patient conversation data, clinical outcome data, referral workflows
Integrated with care pathways; complies with NHS DSP and DCB 0129; BAA required for HIPAA-compliant sessions (Wysa Assure product)
data: Patient-therapist collaboration data, clinical notes, session records
Hybrid digital and human therapy platform; supports therapist-patient workflows
data: HIPAA-regulated patient data with end-to-end encryption
End-to-end encryption; adequate safeguards for privacy and security; requires BAA with healthcare organizations
data: Physical therapy patient data, mental health integration data
Licensed clinicians deliver PT; Wysa's AI bridges physical and mental health
data: Limited to phygital (physical + digital) intervention data
Combines physical workbooks with digital tools for adolescent girls in rural India; co-designed with local partners
// What to watch
- HIPAA compliance claim is ambiguous: Marketing materials claim 'HIPAA compliance' and 'HIPAA-compliant servers', but evidence shows Wysa uses AWS infrastructure that is HIPAA-compliant, not that Wysa itself holds HIPAA certification or is a BAA signatory. The Wysa Assure product provides end-to-end encryption for HIPAA-regulated sessions, but healthcare organizations would still need their own BAA. This is not an over-claim but should be clarified for procurement.
- No public SOC 2 certification despite ISO 27001/27701 certifications. Enterprise customers may require SOC 2 attestation; contact Wysa directly for availability.
- Data residency specifics not publicly disclosed. AWS regions hosting user data not specified on public trust/privacy documentation.
- Anonymized data usage for AI training: While Wysa does NOT use LLM training on customer data, it does use anonymized messages to improve its own AI models. Organizations with strict data governance may want to opt-out or understand scope.
- Multiple legal entities (Touchkin India, WYSA UK, Boston US) across three jurisdictions may complicate data processing agreements and liability.
- No FedRAMP, PCI DSS, ISO 27017, or ISO 27018 certifications found. These may be required for specific regulated use cases.
// At a glance
Pricing model
Freemium (individuals: $74.99/year premium); Subscription per user (employers: $50/employee/year); Custom enterprise pricing for healthcare and large deployments
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Touchkin eServices Private Limited / WYSA LTD's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
legal.wysa.io