Wellframe Privacy & Security
We keep your personal information private, safe, and secure
As we help patients and their care management teams build sustained, engaged relationships, Wellframe is committed to keeping their information private and protected. We bake privacy and security into the design of our product.
The Wellframe platform uses firewalls to restrict and control traffic on its networks. Only necessary communication is permitted; everything else is blocked.
Intrusion Detection / Intrusion Prevention (IDS/IPS)
IDS/IPS is in place to monitor for threatening behavior and reject suspicious traffic.
Web Application Firewall (WAF)
Application-layer inspection is in place that examines all traffic (inbound and outbound) in the environment. This system blocks attacks against common OWASP and CVE-listed vulnerabilities and follows the CERT framework.
The Wellframe platform uses scalable and fault-tolerant container technology, currently hosted on Google Cloud Platform. For more information, please see https://cloud.google.com/kubernetes-engine/docs/concepts/kubernetes-engine-overview
Platform monitoring and alerting
Wellframe has deployed a suite of tools within our production environment to monitor for unusual activity and alert our team when discovered.
Secure cloud configuration
Tools are in place to continually examine our cloud configuration settings to ensure that our infrastructure is correctly and securely configured.
Office access is controlled by a badge access system with 24/7 video surveillance. Visitors must sign in and be escorted.
Data center security
Our environment is hosted in data centers using state-of-the-art controls managed by Google. You can find out more here: https://cloud.google.com/security/infrastructure/design/#security_of_physical_premises.
Single sign-on
Our web application supports SAML 2.0.
Multi-factor authentication
Our web application supports MFA for customers, and all Wellframe users must use MFA.
Password and timeout requirements
Password complexity and user timeout can be customized to meet your specific requirements.
IP inclusion list
Access to our web application can be limited to traffic coming only from IP addresses you provide.
Data encryption at rest
Storage is encrypted to a strength of AES-256.
This applies not only to the customer database but also to data backups. In addition, our container-based infrastructure uses a container-optimized operating system (COS) whose root filesystem is mounted read-only, which prevents an attacker from persistently taking over the system. More information on COS can be found here: https://cloud.google.com/container-optimized-os/docs/concepts/security
Data encryption in transit
All communication channels to our production environment are TLS-encrypted to a strength of AES-256.
Care Managers access the system using a current Internet browser over a TLS-encrypted communication channel.
Mobile Users access the system using our custom smartphone app, also over a TLS-encrypted communication channel.
Our development practices include QA and build in privacy and security considerations.
Our SDLC follows best practices and ensures that releases are adequately tested and approved before release.
Change management processes are in place so that only specific staff may promote changes to Production after approvals have been provided. The approval criteria require a description of the nature of the change, peer review, and a rollback plan.
Secure coding practices
Our developers receive secure coding training upon hire and annually thereafter. This training contains best practices on how to securely develop software.
Wellframe will sign a business associate agreement with customers who are covered entities.
With built-in functionality, Wellframe’s application is ready for GDPR-compliant deployments.
Wellframe’s current SOC 2 report is available to current and prospective customers under a confidentiality agreement.
Annually, Wellframe engages a third party to conduct penetration testing of its application and environment.
Wellframe internally assesses its product and practices against compliance needs and verifies that best practices are being followed.
Any security program is only as good as its weakest link, which is often a third party. Wellframe is no different, and we apply a rigorous policy to ensure that vendors meet our standards before we do business with them.
Vendors that handle user data must sign contractual documents committing them to protect the security and confidentiality of that data.
All employees must undergo background checks that include criminal history.
Employees complete privacy and security awareness training. Wellframe conducts periodic phishing simulation tests to evaluate employee response to an actual phishing attack.
An incident response team is in place to respond to events as they occur. Events are triaged according to policy and are tracked and reported. A cross-functional team is assembled annually to exercise event scenarios. Issues that arise are resolved and incorporated into the post-mortem report.
If you have a privacy or security concern, please contact: firstname.lastname@example.org
Disaster Recovery and Business Continuity
Wellframe has developed business continuity and disaster recovery policies and procedures to guide the incident response team through a disruptive event. These policies are tested and updated annually to ensure they remain effective in meeting recovery point and recovery time objectives.