Security & compliance

Built for healthcare from the first line of code.

Patient privacy isn't a feature in a sales deck. It's the foundation of how Wilma is designed, deployed, and reviewed — under SOC 2 Type II controls and a signed BAA for every customer.


Looking for a SOC 2 report, pentest summary, or HIPAA Security Rule assessment? Email our security team with your NDA — turnaround is usually one business day.

Our security philosophy

Wilma sits between the front desk and the patient. We see everything a receptionist sees — sometimes more. We design as if we'll be the entry point in a breach scenario, because we might be. Defense in depth, least privilege, and assume-breach are the defaults, not the goals.

Eight pillars

Encryption

TLS 1.3 in transit, AES-256 at rest. Keys are rotated quarterly and managed in AWS KMS with strict role-based access.

Access controls

Least-privilege by default. Every production action requires SSO + hardware-key MFA and is logged. Quarterly access reviews.

Infrastructure

U.S.-only AWS regions (us-east-1 / us-west-2), private VPC, segmented subnets, WAF in front of all public endpoints.

Audit logs

Every call, transcript, and PMS write is captured with an immutable timeline you can export at any time.

Vulnerability management

Dependency scanning, weekly internal penetration testing, annual third-party pentest. Public bounty in private beta.

Monitoring & response

24×7 alerting on auth anomalies, error rates, and data-access patterns. On-call engineer paged within 5 minutes.

People

Background checks for every hire. Quarterly security training. Confidentiality and acceptable-use agreements signed at onboarding.

Resilience

Daily encrypted backups with quarterly restore drills. Multi-AZ Postgres. RPO 15 min, RTO 2 hr.

Certifications & frameworks

  • SOC 2 Type II. Annual audit covering security, availability, and confidentiality trust services criteria.
  • HIPAA Security Rule. Full administrative, technical, and physical safeguards. BAA on every customer. See the HIPAA page.
  • TCPA. Outbound messaging guardrails baked into the platform — quiet hours, consent gating, opt-out handling.
  • PCI DSS. Card data is tokenized through Stripe; we never store primary account numbers ourselves.
  • GDPR / CPRA. See our DPA and Privacy Policy for data-subject rights and processor obligations.

Reporting a vulnerability

If you believe you've found a security issue, please email our security team with reproduction steps. We'll acknowledge within one business day and keep you updated through remediation. Please test only against accounts you own, avoid PHI, and give us reasonable time to fix before public disclosure.

Incident response

Wilma maintains a documented incident-response plan, exercised twice a year. In the event of an incident affecting customer data, we'll notify the affected practice without undue delay and in any event within 72 hours, in line with the BAA and our DPA.

Sub-processor security

Every vendor that touches customer data is reviewed for SOC 2 (or equivalent), encryption, breach-notification timelines, and BAA coverage where PHI is in scope. See the Subprocessors page for the current list.

Get in touch

Security team: email us · PGP key available on request.