Wellframe Privacy & Security

We keep your personal information private, safe, and secure

As we help patients and their care management teams build sustained, engaged relationships, Wellframe is committed to keeping their information private and protected. We bake privacy and security into the design of our product.

Compliance

Wellframe is committed to meeting legal obligations when handling user information. Our product is designed to meet the requirements of applicable federal and state laws including HIPAA.

Application Security

Our application comes with features to help you meet your security needs. We offer single sign-on (SSO), strong password requirements, and multi-factor authentication. We are constantly working to enhance our security features to make sure that you have everything you need to securely help your patients.

Environmental Security

We understand that privacy, security, and availability are important to our customers. To accomplish this, Wellframe uses Google Cloud Platform (GCP) as its primary cloud service provider. Through GCP, Wellframe is able to provide its product on a secure, resilient, and high performing infrastructure. Ultimately, Wellframe is responsible for our environment within GCP. Through best practices recommended by GCP and through our own configurations, we believe we have built a solution that will meet your privacy and security standards.

  • Firewall
    The Wellframe platform uses firewalls to restrict and control traffic on its networks. Only necessary communication is permitted; everything else is blocked.

  • Intrusion Detection / Intrusion Prevention (IDS/IPS)
    IDS/IPS is in place to monitor for threatening behavior and reject suspicious traffic.

  • Web Application Firewall (WAF)
    Application-layer inspection examines all traffic, inbound and outbound, in the environment. This system blocks common OWASP and CVE vulnerabilities and follows the CERT framework.

  • Fault tolerance
    The Wellframe platform uses scalable, fault-tolerant container technology, currently hosted on Google Cloud Platform. For more information, please see https://cloud.google.com/kubernetes-engine/docs/concepts/kubernetes-engine-overview

  • Platform monitoring and alerting
    Wellframe has deployed a suite of tools within our production environment to monitor for unusual activity and alert our team when it is discovered.

  • Secure cloud configuration
    Tools are in place to continually examine our cloud configuration settings and ensure that our infrastructure is correctly and securely configured.

  • Office security
    Office access is controlled by a badge access system with 24/7 video surveillance. Visitors must sign in and be escorted.

  • Data center security
    Our environment is hosted in data centers that use state-of-the-art controls managed by Google. More information is available at https://cloud.google.com/security/infrastructure/design/#security_of_physical_premises.

  • Single sign-on
    Our web application supports SAML 2.0.

  • Multi-factor authentication
    Our web application supports MFA for customers, and all Wellframe users must use MFA.

  • Password and timeout requirements
    Password complexity and user session timeout can be customized to meet your specific requirements.

  • IP inclusion list
    Our web application can be limited to accept only traffic coming from IP addresses you provide.

  • Data encryption at rest
    Storage is encrypted with AES-256.

    This applies not only to the customer database but also to data backups. In addition, our container-based infrastructure uses a container-optimized operating system (COS) root filesystem. COS mounts the root file system read-only, which prevents an attacker from taking over the system. More information on COS can be found here: https://cloud.google.com/container-optimized-os/docs/concepts/security

  • Data encryption in transit
    All communication channels to our production environment are encrypted with TLS using AES-256.

    Care Managers access the system using a current Internet browser over a TLS-encrypted communication channel.

    Mobile Users access the system using our custom smartphone app, also over a TLS-encrypted communication channel.

  • SDLC
    Our development practices include QA and build in privacy and security considerations from the start.

  • Automated testing
    Our SDLC follows best practices and ensures that releases are adequately tested and approved prior to release.

  • Change management
    Change management processes are in place so that only specific staff may promote changes to Production, and only after approvals have been provided. Approval requires a description of the nature of the change, peer review, and a rollback plan.

  • Secure coding practices
    Our developers receive secure coding training upon hire and annually thereafter. This training covers best practices for developing software securely.

  • HIPAA
    Wellframe will sign a business associate agreement with customers who are covered entities.

  • GDPR
    With built-in functionality, Wellframe’s application is ready for GDPR-compliant deployments.

  • Data privacy
    Wellframe takes its responsibility as a guardian of its users’ data seriously and respects the privacy of its users. The Wellframe privacy policy is available online, and can be reviewed here: https://www.wellframe.com/privacypolicy/.

  • SOC 2
    Wellframe’s current SOC 2 report is available to current and prospective customers under a confidentiality agreement.

  • Penetration testing
    Annually, Wellframe engages a third party to conduct penetration testing of its application and environment.

  • Internal assessments
    Wellframe internally assesses its product and practices against compliance requirements and verifies that best practices are being followed.

  • Vendor assessment
    A security program is only as good as its weakest link, which is often a third party. Wellframe is no different, and we employ a rigorous policy to ensure that vendors meet our standards before we do business with them.

  • Contract standards
    Vendors that handle user data must sign contractual documents committing them to protect the security and confidentiality of that data.

  • Background checks
    All employees must undergo background checks that include criminal history.

  • Training
    Employees complete privacy and security awareness training. Wellframe conducts periodic phishing simulation tests to evaluate how employees would respond to an actual phishing attack.

  • Incident Response
    An incident response team is in place to respond to events as they occur. Events are triaged according to policy, tracked, and reported. A cross-functional team is assembled annually to exercise event scenarios. Issues that arise are resolved and incorporated into the post-mortem report.

    If you have a privacy or security concern, please contact: privacy@wellframe.com

  • Disaster Recovery and Business Continuity
    Wellframe has developed business continuity and disaster recovery policies and procedures to guide the incident response team through a disruptive event. This policy is tested and updated annually to ensure it remains relevant and meets our recovery point and recovery time objectives.