Security & Trust
How TenorMD protects your organization’s data. For a full security packet (SOC 2 status, BAA, and completed questionnaire), email [email protected].
One company, one program
TenorMD is a Willowcare LLC product and runs under Willowcare's company-wide information-security program: the same policy suite, risk management, and Security & Privacy Officer behind Willowbridge. A SOC 2 examination is in progress (no report has been issued yet); its scope covers both products. Read the company-wide posture at willowcare.co/trust.
Architecture & data protection
- Encryption in transit — TLS everywhere, HSTS enforced.
- Anonymity by design — reviewer responses are never linked to the invitation, and reports unlock only in aggregate once a minimum number of responses is reached.
- Tenant isolation — every organization’s data is logically separated and access-scoped.
- Browser hardening headers on every page: a strict Content-Security-Policy with per-request script nonces, X-Frame-Options, X-Content-Type-Options: nosniff, and Referrer-Policy.
- WAF & DDoS protection at the edge.
- Card data is out of scope — payments are handled by Stripe (PCI DSS Level 1).
Access & account security
- Mandatory MFA (TOTP) for every administrator.
- SSO (SAML / OIDC) with optional SSO-required enforcement and SCIM provisioning/deprovisioning.
- Role-based access control (owner / admin / viewer) and least-privilege scoping.
- Brute-force lockout, breached-password screening, and new-device sign-in alerts.
- 10-minute idle timeout (configurable per organization) with cache clearing on sign-out.
- Tamper-evident, exportable audit log of sensitive actions.
- Customer-controlled policy — IP allowlisting, SSO enforcement, and idle timeout per organization.
Data ownership & lifecycle
- You own your data. Owners can export their organization’s data and permanently delete the organization at any time.
- No PHI by design — the service is built for non-PHI provider feedback; a BAA is available on request.
- US-based hosting; encrypted backups.
Subprocessors
| Provider | Purpose |
|---|---|
| Render | Application hosting |
| Cloudflare | DNS, WAF, DDoS protection |
| Stripe | Subscription billing & payments |
| Postmark | Transactional email |
| Twilio | SMS invitations (optional) |
| WorkOS | SSO / SCIM (when enabled) |
Reporting a vulnerability
We welcome responsible disclosure. Email [email protected] with details and steps to reproduce. Please give us a reasonable window to investigate and remediate before public disclosure; we will not pursue legal action against good-faith research. See our security.txt (RFC 9116).