KEEPING YOUR DATA SECURE IS OUR HIGHEST PRIORITY

Our customers and their participants can rest assured that their information is always protected

Built to Support the Highest Level of Security and Compliance

Wellocity has partnered with Datica, an industry leader in HIPAA-compliant and HITRUST certified hosting infrastructure, to ensure the highest level of security. Datica's Platform-as-a-Service ("PaaS") ensures all our customer and participant data is stored in a HIPAA-compliant and HITRUST certified data environment maintained by industry experts.

Strong Encryption for Data in Transit and at Rest

Our platform incorporates secure encryption standards and protocols to guarantee maximum data protection for customers and participants. All platform data is encrypted in transit using TLS 1.3 and at rest using 256-bit AES encryption.

Data Locality

All Customer Data, Participant Data, and Wellocity Data is stored and processed exclusively within the United States.

Access Control

User access to Wellocity systems and applications is configured with role-based access using the least privilege policy:

  • All Wellocity employees and contractors use unique user accounts and passwords to access all Wellocity systems
  • All participants register directly for a program and are assigned a unique user account on the Wellocity platform
  • Participants can use their credentials to access the participant app and portal
  • Participants are limited to viewing a subset of their own data
  • Customer users are privileged at an organization level using one to many roles with configurable permissions
  • A customer user’s access to participant PHI data is controlled by explicit permission to each program's participants
  • Access to program-specific data requires explicit permission and can be controlled at the user level

Strong User Authentication Mechanisms

  • Wellocity follows NIST recommended best practices for passwords for all users
  • Accounts are automatically locked after multiple retries
  • All Wellocity systems require two-factor authentication for all Wellocity users and customer users
  • All users are automatically logged off due to inactivity
  • Accounts for dormant users are automatically locked out
  • All Wellocity user accounts are disabled or deleted immediately on their termination date

Operational Security

Our commitment to data security has led us to create mandates to keep sensitive data safe and secure, which include:

  • The use of strong passwords
  • Multi-factor authentication on all applicable internal and 3rd party systems
  • All end-user computers have an Anti-Virus utility installed
  • All company laptops require FileVault encryption
  • Internal company passwords, SSH keys, and secure notes are encrypted using a password manager and 256-bit encryption
  • Staff training: all Wellocity employees are trained annually on HIPAA and best practices

Third Party Service Providers

Wellocity uses third-party service providers that provide us with services for our day-to-day business operations. Wellocity has executed a BAA with all service providers that provide in-scope services that are part of our HIPAA compliant business offerings.

PCI Compliance and Cardholder Data

Cardholder data should only be input by the user in areas that explicitly require it. Wellocity handles cardholder data in accordance with PCI Data Security Standard requirements.

Where cardholder data storage is required (i.e. automatic payments on subscriptions), Wellocity leverages PCI DSS Level 1 Compliant partners who undergo an annual audit of their infrastructure. Our PCI Compliance is certified through ServerScan, an Approved Scanning Vendor (ASV), and a PCI attestation of compliance (AOC) can be provided upon request.