Controls
Here are the controls implemented at therappai to ensure compliance, as a part of our security program.
Product security (7)
Role Based Access Controls
Access to therappai systems and data is governed by role-based access controls. Employees are granted the minimum privileges necessary to perform their duties, following the principle of least privilege. Access is regularly reviewed and revoked immediately upon role change or termination. Administrative actions are logged and monitored for suspicious activity.
Audit Logging
Therappai maintains comprehensive audit logs across critical systems, including infrastructure, application, and administrative actions. Logs capture authentication attempts, access changes, data modifications, and security events. Logs are stored securely, monitored for anomalies, and retained in line with compliance requirements.
Data Security
We apply strong encryption for data at rest (AES-256) and in transit (TLS 1.2+) across all environments. Sensitive data is stored on AWS infrastructure with built-in redundancy, regular backups, and strict access controls. Data is segregated by environment, and sensitive information is de-identified where appropriate (e.g., for AI interactions). We follow secure coding practices and regularly assess vulnerabilities.
Integrations
Therappai integrates only with trusted third-party vendors, including OpenAI, Google Workspace, and Apollo CRM. All integrations undergo security and privacy due diligence, use encrypted and authenticated data flows, and are contractually bound to data protection obligations. We limit integrations to essential services and review their security posture regularly to maintain compliance and user trust.
Service Level Agreement
Therappai is hosted on AWS to deliver a reliable, high-performance platform. We target 99.9% uptime, maintain comprehensive monitoring and incident response, and commit to clear, timely communication during disruptions. Our SLA aligns with — and often exceeds — standard SaaS expectations for mental health and enterprise-grade platforms.
Single Sign On
Therappai uses Google Workspace SSO with mandatory MFA to secure all internal systems, centralizing identity management and reducing credential risk. For enterprise customers, therappai supports SAML 2.0 and OIDC to integrate with existing IdPs like Okta or Azure AD. This ensures strong authentication, simplified access control, and SOC 2-compliant identity security across the platform.
Team Management
therappai ensures that all team members undergo security and privacy training at onboarding and annually thereafter. Access to production and sensitive environments is restricted, MFA is enforced for all accounts, roles are clearly defined, and background checks are conducted in line with local regulations. These practices help maintain a trusted, security-conscious team that supports SOC 2 and GDPR compliance.
Data security (5)
Access Monitoring
Therappai continuously monitors access to all critical systems and environments to detect and respond to unauthorized activity. Access logs are collected from AWS (via CloudTrail and GuardDuty), Google Workspace, and internal applications. These logs capture authentication events, privilege escalations, and administrative actions. Automated alerts are configured for suspicious behavior, and the Security team reviews logs regularly as part of our incident detection program.
Backups Enabled
Therappai maintains encrypted, automated, and redundant backups across AWS infrastructure, with regular integrity testing and strict access controls. Backups are stored in multiple regions, retained according to compliance requirements, and form a core part of our disaster recovery strategy.
Encryption at Rest
Therappai encrypts all sensitive data at rest using AES-256, enabled through AWS-managed encryption across S3, RDS, DynamoDB, and other services. KMS key management, strict access controls, and continuous monitoring ensure that stored data remains secure — even in the event of physical or logical compromise.
Encryption in Transit
Therappai encrypts all data in transit using TLS 1.2+, enforcing strong cipher suites and disabling insecure protocols. This applies to user connections, internal services, and third-party integrations — protecting sensitive data from interception and tampering across all communication channels.
Physical Security
therappai relies on AWS’s SOC 2 and ISO 27001–certified data centers, which use biometric access, multi-factor authentication, 24/7 surveillance, and intrusion detection for physical security. therappai does not store customer data in its offices, and all employee devices are secured with encryption, MFA, and endpoint management. These measures ensure that physical access to production infrastructure is tightly controlled and continuously monitored.
Network security (6)
Data Loss Prevention
therappai employs data loss prevention measures across cloud and network layers to detect and prevent unauthorized transmission or exposure of sensitive information. Controls include outbound traffic monitoring, encryption enforcement, and access restrictions to ensure that regulated and confidential data cannot leave authorized environments.
Firewall
All therappai network traffic is protected by AWS-managed firewalls and security groups that enforce strict allow/deny rules based on least privilege. Network segmentation isolates critical services, and ingress/egress traffic is tightly controlled. Firewall configurations are continuously monitored and reviewed for unauthorized changes.
IDS/IPS
therappai leverages AWS GuardDuty and additional monitoring tools to provide intrusion detection and prevention capabilities across infrastructure. Network traffic and system activity are analyzed in real time to identify anomalies, malicious activity, or policy violations. Alerts are sent to the Security team for immediate investigation and response.
Spoofing Protection
therappai implements multiple layers of spoofing protection to prevent DNS, IP, and email spoofing. DNS is secured through AWS Route 53 with DNSSEC enabled, IP spoofing is blocked at the VPC level, and email domains are protected using SPF, DKIM, and DMARC to authenticate legitimate senders and prevent phishing.
Virtual Private Cloud
All therappai infrastructure is deployed within a secure AWS Virtual Private Cloud (VPC). Network segmentation, private subnets, and routing controls are used to isolate services and limit exposure. VPC flow logs are enabled for visibility, and peering/VPN connections are secured to protect traffic between environments.
Wireless Security
Wireless access to therappai corporate environments is restricted and secured using WPA2/WPA3 encryption, strong authentication, and network segmentation. Guest and internal networks are separated to prevent lateral movement, and employee devices must comply with endpoint security policies, including MFA and encryption.
App security (6)
Bug Bounty
therappai is committed to continuous security improvement and engages trusted security researchers through a private mobile application bug bounty program. Responsible disclosures are triaged and resolved quickly to strengthen the security of our iOS and Android apps.
Code Analysis
therappai integrates automated static and dynamic analysis tools into the mobile development lifecycle to detect security flaws early. We scan for common mobile vulnerabilities, insecure libraries, leaked secrets, and misconfigurations in both iOS and Android builds prior to release.
Software Development Life Cycle
Security is embedded throughout therappai’s mobile SDLC, from feature design to App Store release. We apply secure coding practices, threat modeling for new features, peer code reviews, dependency scanning, and pre-release penetration testing to ensure a secure user experience across platforms.
Credential Management
All application secrets, tokens, and keys are securely stored using AWS Secrets Manager and platform-specific secure storage mechanisms (e.g., iOS Keychain, Android Keystore). Credentials are never hardcoded, rotated regularly, and access is restricted by role and monitored continuously.
Vulnerability & Patch Management
therappai continuously monitors dependencies, SDKs, and mobile app components for vulnerabilities. Identified issues are prioritized and patched rapidly, with updates released via the App Store and Play Store as part of our structured patch management program.
Mobile Application Protection
therappai employs multiple layers of protection for its mobile apps, including certificate pinning, encrypted API communication, secure session handling, and runtime checks against tampering or reverse engineering. Backend APIs are protected behind AWS firewalls and strict authentication, ensuring end-to-end security from device to server.
Endpoint security (5)
Disk Encryption
All therappai laptops and mobile devices are secured with full-disk encryption (e.g., FileVault for macOS, BitLocker for Windows, and native encryption for iOS/Android). This ensures sensitive data remains protected in the event of device loss or theft.
Mobile Device Management
All employee and contractor devices accessing therappai systems are enrolled in MDM to enforce security policies such as encryption, MFA, passcodes, OS compliance, and remote wipe. Non-compliant devices are automatically blocked from accessing corporate resources.
DNS Filtering
therappai uses DNS filtering to block access to known malicious, phishing, and command-and-control domains across all managed endpoints. This adds an extra layer of network protection against malware and data exfiltration.
Threat Detection
therappai employs built-in OS security features and lightweight endpoint monitoring to detect malicious activity, including unauthorized processes and suspicious network connections. Alerts are investigated promptly by the security team.
Endpoint Detection and Response
therappai is implementing EDR capabilities to provide continuous visibility into endpoint behavior, enabling rapid detection and response to threats such as malware, lateral movement, or credential theft.
Corporate security (6)
Email Protection
therappai protects corporate email using Google Workspace’s advanced security controls, including phishing and malware scanning, spam filtering, link protection, and attachment sandboxing. All employee accounts are secured with enforced MFA, and DMARC, SPF, and DKIM are enabled to prevent spoofing and unauthorized use of the therappai domain.
Employee Training
ll employees undergo security and privacy training during onboarding and annually thereafter. Training covers phishing awareness, secure handling of sensitive data, incident reporting, mobile security, and adherence to SOC 2–aligned security policies. Role-specific security training is provided for developers, administrators, and leadership.
Incident Response
therappai maintains a documented incident response plan that outlines roles, responsibilities, escalation paths, and communication protocols. Security incidents are triaged, contained, and remediated rapidly, with post-incident reviews conducted to strengthen defenses. The plan is reviewed and tested at least annually.
Internal Assessments
therappai conducts regular internal security assessments, including policy reviews, access audits, vulnerability scans, and control effectiveness evaluations. Findings are tracked, prioritized, and remediated through a structured process to continuously improve the security program.
Mobile Device Management
All employee mobile devices accessing corporate data are enrolled in a Mobile Device Management (MDM) solution, enforcing device encryption, MFA, passcode policies, and remote wipe capabilities. Corporate and personal data are segmented, and compromised or non-compliant devices are automatically blocked.
Single Sign On
therappai uses Google Workspace Single Sign-On (SSO) to provide secure, centralized access to corporate tools and systems. SSO is combined with MFA to reduce credential sprawl, simplify access management, and enable rapid revocation if needed.
