Blended Psychotherapy system

Personal therapy - digitally supported

Client: YLAH AG

Country: Switzerland

Industry: Digital Health, Software as a Medical Device (SaMD), Mental Health

Collaboration: Since December 2022

Duration: Ongoing

Scope: Mobile, Frontend, Backend, Regulatory Consultations, Project Management, QA, Documentation and Risk Analysis

Technologies: JavaScript, TypeScript, NestJS, React Native, AWS Cloud, REST API, MongoDB, Next.js, Keycloak, Firebase Cloud Messaging

About the project

ylah® is a Swiss digital health company founded in 2022 and based in Bern. Their team of therapists, researchers, and engineers is developing a blended psychotherapy system that enhances traditional therapy with digital support.

The platform bridges in-person therapy with evidence-based digital tools to support patients dealing with depression, with anxiety and addiction support/care coming soon. It also offers interactive therapy exercises that support behavioural health between sessions.

We joined the initiative in December 2022 to deliver a compliant, secure, and scalable system – transforming an ambitious research idea into a certified digital health product.

What did our client need?

ylah® approached us with early-stage designs, academic research, and a clear vision. However, they needed support in shaping a full development and regulatory compliance roadmap.

Their challenge: to build a system integrating mobile and web tools for therapists, patients, and administrators – all compliant with Medical Device Regulation (MDR).

How did we approach it?

Our initial audit revealed missing regulatory alignment, limited backend architecture, and a need for development planning. We guided ylah® through a structured product discovery process and proposed a roadmap that combined SaMD-grade software architecture with an agile delivery strategy.

Phase 1 – Discovery & Audit: We started by auditing existing regulatory and architectural approaches.

Phase 2 – Product Design & Technical Planning: We reviewed the provided designs and initial requirements, then defined the technical architecture, access policies, and backend structure to support their implementation.

Phase 3 – System Implementation: Delivered three apps: a patient mobile app (PAT-APP), a web app for therapists (MHP-WEB), and a content platform for the YLAH internal team.

Phase 4 – MDR & ISO Compliance: Introduced full documentation of software development under ISO 13485, aligned with IEC 62304, ISO 14971, and other relevant standards. This phase focused on finalising and handing over documentation that had been developed and maintained throughout all earlier stages of the project.

Phase 5 – Launch & Scale: Released the first version mid-2023, and continued with feature releases and post-market support.

All development was managed through JIRA and Confluence, with regular Slack and video meetings. Our multidisciplinary team ensured the system met both clinical and regulatory needs.

Technology and cybersecurity in mental health software

Security, data privacy, and scalability were critical requirements for ylah® from day one. We implemented a layered architecture that separates sensitive data, ensures high availability, and meets regulatory expectations.

  • Data separation. Personally Identifiable Information (PII) and therapy data are stored in separate databases within isolated trust zones. This limits risk in case of a breach and simplifies consent withdrawal.

  • Encryption and authentication. All data in transit is protected using TLS 1.2/1.3, and stored data is encrypted at rest. Keycloak handles user authentication via OpenID Connect.

  • Access control and authorisation. Role-Based Access Control (RBAC) is implemented across all roles. Direct access to sensitive data is limited by IP whitelisting and private subnets. Services must authenticate through an internal identity provider.

  • Vulnerability and threat management. Code and third-party dependencies are scanned regularly. We apply OWASP guidelines, run SAST/DAST tests, and monitor packages and containers for known vulnerabilities.

  • Compliance-driven architecture. Activity logs, GDPR consent tracking, and encrypted backups support regulatory needs. Architecture aligns with ISO 27001, MDR, and GDPR principles.
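
The data-separation point above, sketched as an added example (not code from ylah® or from the project described here). The in-memory Maps stand in for the two databases, and every function and field name is hypothetical.

```javascript
const { randomUUID } = require("node:crypto");

// Constructed in-memory stand-ins for the two databases in separate trust zones.
const identityDb = new Map(); // PII zone: userId -> { name, email, pseudonym }
const therapyDb = new Map();  // therapy zone: pseudonym -> [{ kind, text, at }]
const PII_FIELDS = ["name", "email", "phone", "userId"]; // assumed field names

function registerPatient(name, email) {
  const userId = randomUUID();
  // The pseudonym is random, not derived from PII, so it cannot be recomputed
  // from a name or e-mail address once the identity record is gone.
  identityDb.set(userId, { name, email, pseudonym: randomUUID() });
  return userId;
}

function addTherapyRecord(userId, record) {
  const identity = identityDb.get(userId);
  if (!identity) throw new Error("unknown or withdrawn user");
  // Guard at the zone boundary: therapy records must not carry identity fields.
  const leaked = Object.keys(record).filter((k) => PII_FIELDS.includes(k));
  if (leaked.length) throw new Error(`PII field in therapy record: ${leaked}`);
  const records = therapyDb.get(identity.pseudonym) ?? [];
  records.push({ ...record, at: new Date().toISOString() });
  therapyDb.set(identity.pseudonym, records);
}

// What is exposed if only the therapy database is breached.
function dumpTherapyDb() {
  return JSON.stringify([...therapyDb.entries()]);
}

function withdrawConsent(userId, { eraseTherapyData = false } = {}) {
  const identity = identityDb.get(userId);
  if (!identity) return false;
  if (eraseTherapyData) therapyDb.delete(identity.pseudonym);
  // Deleting the identity record removes the only userId -> pseudonym link,
  // so any remaining therapy records can no longer be tied to a person.
  identityDb.delete(userId);
  return true;
}

// Demo with constructed sample data.
const alice = registerPatient("Alice Example", "alice@example.test");
addTherapyRecord(alice, { kind: "journal", text: "Slept better today." });
console.log(dumpTherapyDb().includes("alice@example.test"));
withdrawConsent(alice);
console.log(identityDb.size, therapyDb.size);
```

Free-text fields such as journal entries can still contain identifying details typed by the patient, so the field-name guard complements, and does not replace, encryption at rest and access control on the therapy zone.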

This technical foundation ensures that ylah®'s platform is not only medically robust, but also designed to withstand the most demanding information security and privacy requirements in mental health care.

Revolve helped us turn our scientific vision into a secure, scalable, and elegant system. Their guidance on regulatory and technical matters gave us confidence at every stage.

Marcel Canclini

CIO at ylah®

Ensuring compliance with regulatory requirements

From the outset, the system was developed as a Software as a Medical Device (SaMD) in accordance with the requirements of MDR and related standards. We supported ylah® in setting up a software development process and documentation that meet both regulatory and technical standards.

  • Legal requirements and standards followed. The software development processes and related documentation have been aligned with IEC 62304 (software life cycle), ISO 14971 (risk management), IEC 62366 (usability engineering) and IEC 82304 (health software). All activities were prepared in accordance with the QMS implemented at both companies, based on ISO 13485.

  • Documentation & traceability. We established full software development traceability to track and document the relationships between different elements of a software project – from user needs and software requirements through risk control to the testing process. We also managed the traceability of software documentation to track changes and ensure smooth implementation into the medical device technical documentation.

  • Risk management. Hazards and mitigations were identified and documented from early design stages. Clinical risks, data integrity, and software behaviour in edge cases were analysed regularly, and appropriate risk control measures were implemented to ensure the safety of the medical device.

  • Post-market readiness. The system includes processes for software change management, handling of nonconformities, and user feedback loops as part of requested post-market surveillance activities. The implemented consent management and audit trails support GDPR and MDR requirements.

  • Support for submission. We helped prepare the technical documentation related to software development and internal guidelines – enabling a smoother path to certification and clinical use.

Working with Revolve felt like extending our own team. They brought a deep understanding of both medical software compliance and user experience, which was essential for launching a product that meets clinical expectations.

Florence von Gunten

Founder & CEO at ylah®

What did we deliver?

  • Patient Mobile App

  • Therapist Web App

  • Content Management Web App

  • Security, documentation, and release processes aligned with MDR

  • Ongoing product development and post-release support

  • Cloud Infrastructure with IaC (Infrastructure as Code) management approach

The system connects therapists, patients, and administrators through secure, role-specific applications. Every layer – from journaling and therapy content to authentication – is designed for clinical safety, data protection, and user engagement across a mental health software environment.

Project in numbers

13,000+ completed therapy activities

30,000+ daily journal entries

1,000+ users
