Built to Support the Highest Level of Security and Compliance
Wellocity ensures the highest level of security for all customer and participant data by storing it in a HIPAA-compliant and HITRUST-certified data environment maintained by industry experts.


CyberGRX provides a third-party validated cyber risk assessment of Wellocity’s security posture. This assessment details our compliance with industry standards and the security protocols built into our infrastructure.

Strong Encryption for Data in Transit and at Rest
Our platform incorporates secure encryption standards and protocols to guarantee maximum data protection for customers and participants. All platform data is encrypted in transit using TLS 1.2 and at rest using 256-bit AES encryption.
Data Locality
All Customer Data, Participant Data, and Wellocity Data is stored and processed exclusively within the United States.
Access Control
User access to Wellocity systems and applications is configured with role-based access using the least privilege policy:
- All Wellocity employees and contractors use unique user accounts and passwords to access all Wellocity systems
- All participants register directly for a program and are assigned a unique user account on the Wellocity platform
- Participants can use their credentials to access the participant app and portal
- Participants are limited to viewing a subset of their own data
- Customer users are privileged at an organization level using one-to-many roles with configurable permissions
- A customer user’s access to participant PHI data is controlled by explicit permission to each program's participants
- Access to program-specific data requires explicit permission and can be controlled at the user level
Strong User Authentication Mechanisms
- Wellocity follows NIST recommended best practices for passwords for all users
- Accounts are automatically locked after multiple retries
- All Wellocity systems require two-factor authentication for all Wellocity users and customer users
- All users are automatically logged off due to inactivity
- Accounts for dormant users are automatically locked out
- All Wellocity user accounts are disabled or deleted immediately on their termination date
Operational Security
Our commitment to data security has led us to create mandates to keep sensitive data safe and secure, which include:
- The use of strong passwords
- Multi-factor authentication on all applicable internal and 3rd party systems
- All end-user computers have an Anti-Virus utility installed
- All company laptops require FileVault encryption
- Internal company passwords, SSH keys, and secure notes are encrypted using a password manager and 256-bit encryption
- Staff training: all Wellocity employees are trained annually on HIPAA and best practices
Third Party Service Providers
Wellocity uses third-party service providers that provide us with services for our day-to-day business operations. Wellocity has executed a BAA with all service providers that provide in-scope services that are part of our HIPAA-compliant business offerings.