Privacy & Security

As we help patients and their care management teams build sustained, engaged relationships, Wellframe is committed to keeping their information private and protected. We bake privacy and security into the design of our product.

Compliance

Wellframe is committed to complying with the applicable laws and frameworks when handling patient data. Our product started with HIPAA as the primary driving force but has expanded to accommodate the requirements of Canada’s PIPEDA, the GDPR, and Privacy Shield.

Application Security

Our application comes with features to ensure you meet your security needs. We offer single sign on (SSO), strong password requirements, and multi-factor authentication. We are constantly working to enhance our security features to make sure that you have everything you need to securely help your patients.

Environmental Security

We understand that privacy, security, and availability are important to our customers. To accomplish this, Wellframe uses Google Cloud Platform (GCP) as its primary cloud service provider. Through GCP, Wellframe is able to provide its product on a secure, resilient, and high performing infrastructure. Ultimately, Wellframe is responsible for our environment within GCP. Through best practices recommended by GCP and through our own configurations, we believe we have built a solution that will meet your privacy and security standards.

Network and platform security

Wellframe augments the security features provided by its hosting provider to provide best practice security for its environment.

Firewall
The Wellframe platform uses firewalls to restrict and control traffic on its networks. Only necessary communication takes place, the rest is blocked.

Intrusion Detection / Intrusion Prevention (IDS/IPS)
IDS/IPS is in place to monitor for threatening behavior and reject suspicious traffic.

Web Application Firewall (WAF)
Application inspection is in place that examines all traffic (in and out) in the environment. This system prevents common OWASP and CVE vulnerabilities and follows the CERT framework.

Fault tolerance
The Wellframe platform uses scalable and fault tolerant container technology, currently hosted with Google Cloud Platform. For more information, please see https://cloud.google.com/kubernetes-engine/docs/concepts/kubernetes-engine-overview

Platform monitoring and alerting
Wellframe has deployed a suite of tools within our production environment to monitor for unusual activity and alert our team when discovered.

Secure cloud configuration
Tools are in place to continually examine our cloud configuration settings to ensure that our infrastructure is correctly and securely configured.

Physical security

Our security practices extend to both where our environment is physically hosted and where we work.

Application security features

To help our customers meet their security needs, we offer an array of features to protect their accounts and data.

Single sign on
Our web application supports SAML 2.0.

Multi factor authentication
Our web application supports MFA for customers and all Wellframe users must use MFA.

Password and timeout requirements
Password complexity and user timeout can be customized to meet your specific requirements.

IP inclusion list
Our web application can be limited to only traffic coming from IP addresses you provide.

Data encryption at rest
Storage is encrypted to a strength of AES-256.

This pertains not only to the customer database, but also data backups. In addition, our container-based infrastructure leverages a container-optimized operating system root filesystem. This mounts the underlying file system as read-only and prevents an attacker from owning the system. More information on COS can be found here: https://cloud.google.com/container-optimized-os/docs/concepts/security

Data encryption in transit

All communication channels to our production environment are TLS encrypted to a strength of AES-256.

Care Managers access the system using a current Internet browser over a TLS encrypted communication channel.

Mobile Users access the system using our custom smartphone app, also over TLS encrypted communication channel.

Secure software development

Our software is designed using security and privacy principles in the development process. This helps to ensure that product improvements do not introduce weaknesses to the system.

SDLC
Our development practices include QA and build in privacy and security considerations.

Automated testing
Our SDLC follows best practices and ensures that releases are adequately tested and approved prior to release.

Change management
Change management processes are in place so that only specific staff may promote changes to Production after approvals have been provided. Criteria for approval requires the description and nature of the change, peer review, and rollback plan.

Secure coding practices
Our developers receive secure coding training upon hire and annually thereafter. This training contains best practices on how to securely develop software.

SOC 2
Wellframe’s current SOC 2 report is available to current and prospective customers under a confidentiality agreement.

Penetration testing
Annually, Wellframe engages a third party to conduct penetration testing of its application and environment.

Internal assessments
Wellframe internally assesses its product and practices against compliance needs and that best practices are being followed.

Vendor management

All security programs are only as good as their weakest link, which can often be a third party. Wellframe is no different and we employ a rigorous policy to ensure that vendors meet our standards before doing business with them.

Vendor assessment
All security programs are only as good as their weakest link, which can often be a third party. Wellframe is no different and we employ a rigorous policy to ensure that vendors meet our standards before doing business with them.

Contract standards
Vendors dealing with user data must sign the contractual documents to ensure they are protecting the security and confidentiality of user data.

Personnel and continuity practices

Wellframe’s security program starts with its staff and their ability to respond to a threat quickly and effectively.

Background checks
All employees must undergo background checks that include criminal history.

Training
Employees complete privacy and security awareness training. Wellframe conducts periodic phishing simulation tests to evaluate employee response to an actual phishing attack.

Incident Response
An incident response team is in place to respond to events as they occur. Events are triaged according to the policy as well as tracked and reported. A cross-functional team is assembled annually to test event scenarios. Issues that arise are resolved and incorporated into the post mortem report.

If you have a privacy or security concern, please contact: privacy@wellframe.com

Disaster Recovery and Business Continuity
Wellframe has developed business continuity and disaster recovery policies and procedures to appropriately guide the incident response team through an interrupting event. This policy is tested and updated annually to ensure it is relevant in meeting recovery point and recovery time objectives.

Privacy & Security

Compliance

Application Security

Environmental Security

Network and platform security

Physical security

Application security features

Secure software development

Compliance

Privacy

Assessment

Vendor management

Personnel and continuity practices

Talk to an expert

Don't miss an update

Stay connected

Solutions

About us

Resources

Legal